jekyll/jekyll-gist

Gist Liquid Tag causes SSL error when using jekyll serve or jekyll build

cdvillard opened this issue · 14 comments

I was directed here from Jekyll, but for the sake of clarity and saving a click, I've pasted the original text here.

I preface this with the fact that I'm not a Rubyist, and I'm just getting back on Windows, so if I seem a little green, it's because I am.

I'm currently working on Windows 10, trying to build a site using the Poole theme, Jekyll 3.1.0 and Ruby ruby 2.2.3p173 x64. I seemed to keep running up against Liquid errors. I managed to fix a few common ones after installing jekyll-gist and jekyll-paginate, but then I hit this wall:

$ jekyll serve --trace
Configuration file: C:/Users/cdvillard/Projects/cvillard/new-site/poole/_config.yml
            Source: C:/Users/cdvillard/Projects/cvillard/new-site/poole
       Destination: C:/Users/cdvillard/Projects/cvillard/new-site/poole/_site
 Incremental build: disabled. Enable with --incremental
Generating...
Liquid Exception: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed in C:/Users/cdvillard/Projects/cvillard/new-site/poole/_posts/2014-01-01-example-content.md
C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `block in connect'
    from C:/Ruby22-x64/lib/ruby/2.2.0/timeout.rb:88:in `block in timeout'
    from C:/Ruby22-x64/lib/ruby/2.2.0/timeout.rb:98:in `call'
    from C:/Ruby22-x64/lib/ruby/2.2.0/timeout.rb:98:in `timeout'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:863:in `do_start'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:852:in `start'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:583:in `start'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-gist-1.4.0/lib/jekyll-gist/gist_tag.rb:79:in `fetch_raw_code'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-gist-1.4.0/lib/jekyll-gist/gist_tag.rb:56:in `gist_noscript_tag'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-gist-1.4.0/lib/jekyll-gist/gist_tag.rb:23:in `render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/block.rb:151:in `render_token'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/profiler/hooks.rb:5:in `block in render_token_with_profiling'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/profiler.rb:80:in `profile_token_render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/profiler/hooks.rb:4:in `render_token_with_profiling'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/block.rb:135:in `block in render_all'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/block.rb:122:in `each'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/block.rb:122:in `render_all'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/block.rb:108:in `render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/template.rb:210:in `block in render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/template.rb:262:in `with_profiling'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/template.rb:209:in `render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/template.rb:222:in `render!'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/liquid_renderer/file.rb:28:in `block (2 levels) in render!'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/liquid_renderer/file.rb:36:in `measure_bytes'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/liquid_renderer/file.rb:27:in `block in render!'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/liquid_renderer/file.rb:43:in `measure_time'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/liquid_renderer/file.rb:26:in `render!'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/renderer.rb:106:in `render_liquid'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/renderer.rb:61:in `run'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/site.rb:171:in `block (2 levels) in render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/site.rb:169:in `each'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/site.rb:169:in `block in render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/site.rb:168:in `each'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/site.rb:168:in `render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/site.rb:59:in `process'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/command.rb:26:in `process_site'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/commands/build.rb:60:in `build'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/commands/build.rb:33:in `process'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/commands/serve.rb:34:in `block (2 levels) in init_with_program'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/mercenary-0.3.5/lib/mercenary/command.rb:220:in `call'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/mercenary-0.3.5/lib/mercenary/command.rb:220:in `block in execute'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/mercenary-0.3.5/lib/mercenary/command.rb:220:in `each'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/mercenary-0.3.5/lib/mercenary/command.rb:220:in `execute'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/mercenary-0.3.5/lib/mercenary/program.rb:42:in `go'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/mercenary-0.3.5/lib/mercenary.rb:19:in `program'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/bin/jekyll:13:in `<top (required)>'
    from C:/Ruby22-x64/bin/jekyll:23:in `load'
    from C:/Ruby22-x64/bin/jekyll:23:in `<main>'

I haven't followed the trace just yet, but what I have done until this point is research. I've tried several methods including Nichol's and Lavena's. I also know that if I remove the gist tag, it serves the site without complaint. Does anyone have ANY clue what could be causing this?

In the original issue, it was suggested that I enforce Net::HTTP#ssl_version to ':TLSv1_2'. I'm not sure how to.

Original post: jekyll/jekyll#4413

This means that Ruby couldn't verify the certificate of gist.githubusercontent.com: certificate verify failed (OpenSSL::SSL::SSLError). Do you get this every time? Perhaps this was part of the outage yesterday.

SSLv3 is old, so TLSv1_2 would be better. If you google "ruby net http set ssl version", you could probably figure out how it's done. You'd likely modify the Net::HTTP.start call with some new option.

Thanks for the follow-up, @parkr. The outage as a cause would have been a legitimate theory, but this was occurring post-outage, at 2:00 AM EST. It still occurs, and only serves the site after removing the gist tag syntax from content. I'll make a fork and try modifying the Net::HTTP.start call next chance I get; I'm in class at the moment.

I'll make a fork and try modifying the Net::HTTP.start call next chance I get; I'm in class at the moment.

Sounds good.

I finally got some time to sit down with this today, but I'm having no luck figuring this out. Google has given me a few solutions that I'm sure can be implemented, but I'm unsure as to where to implement it in this case.

I'm having the same issue, any luck with a solution to this?

@sethxd Did you try re-installing Ruby with an upgraded version of OpenSSL? It's possible the version you're both using is broken. This works fine for me.

I simply decided to avoid the issue until after I launched. I'll give your
suggestion a try when I next have a chance.

On Wed, Mar 16, 2016 at 4:59 PM, Parker Moore notifications@github.com
wrote:

@sethxd https://github.com/sethxd Did you try re-installing Ruby with
an upgraded version of OpenSSL? It's possible the version you're both using
is broken. This works fine for me.


There's definitely a regression in the OpenSSL stdlib component in the Rubies installed by RubyInstaller for Windows, and unfortunately it doesn't look like there's an easy fix.

This is the version in question:

$ ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
OpenSSL 1.0.1l 15 Jan 2015

(that's an 'L' after 1.0.1)

It seems that every version of 2.2.X, as well as 2.1.7 & 2.1.6 is using this version of OpenSSL. All of them have this issue. (My Vagrant box doesn't have this issue, it has 1.0.1f)

I also tried patching the Net::HTTP.start call to use TLSv1_2 as well as a few of the other options. But, it didn't have any effect. It would always try to connect through SSLv3. (I intentionally broke other things, I know my code was getting picked up :) )

Since the issue is probably with the stdlib OpenSSL, I don't know what our options are. Can we rebuild that library with new code or replace it with a gem or something? I'm also new to ruby. Any suggestions @parkr?

The alternatives I'm considering:

  1. Use RubyInstaller 2.1.5. It's an older version of ruby, and you will have to do the certificate fix mentioned here, but it works.
  2. Just use Vagrant
  3. Buying a Macbook (j/k, well maybe...)

@spiffycoffee Nice sleuthing! I'd recommend asking RubyInstaller to patch. If they release a new version with a later version of OpenSSL, then all would be fixed, no?

@parkr Duh, that would be the obvious thing to do. Thanks! I will take it up with them.

Same problem here!

This issue has been automatically marked as stale because it has not been commented on for at least three months.

The resources of the Jekyll team are limited, and so we are asking for your help.

If you can still reproduce this error on the 3.1-stable or master branch, please reply with all of the information you have about it in order to keep the issue open.

If this is a feature request, please consider building it first as a plugin. Jekyll 3 introduced hooks which provide convenient access points throughout the Jekyll build pipeline whereby most needs can be fulfilled. If this is something that cannot be built as a plugin, then please provide more information about why in order to keep this issue open.

Thank you for all your contributions.

Just downloaded the latest of everything and this still happens.

@parkr's #30 (comment) tip to modify gist_tag works, but only when disabled:

Net::HTTP.start(uri.host, uri.port,
    use_ssl: uri.scheme == 'https',
+   verify_mode: OpenSSL::SSL::VERIFY_NONE,,
+   #ssl_version: "TLSv1_2",
+   #ciphers: 'TLSv1.2:!aNULL:!eNULL',
+   #ssl_options: OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 | OpenSSL::SSL::OP_NO_COMPRESSION,
    read_timeout: 3, open_timeout: 3) do |http|
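
Review bot: `verify_mode: OpenSSL::SSL::VERIFY_NONE,,` on the first added line switches off certificate verification for the gist fetch, so the build will accept content from any host that can answer for `uri.host`, and the doubled comma at the end of that line is a syntax error. Keep verification on and give OpenSSL a CA bundle instead, for example with a `ca_file:` option in this same call or through the `SSL_CERT_FILE` environment variable. The three commented-out options should be dropped from the call rather than left behind, since the remark under the hunk says they had no apparent effect.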

(the commented lines have no apparent effect even when enabled instead of having NONE)

Finally only set SSL_CERT_FILE=...cacert.pem worked.
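
The difference between the two workarounds in the comment above can be reproduced offline. This is an added example, not code from jekyll-gist or from any commenter; it assumes the failure is a missing trust anchor, which is what the `SSL_CERT_FILE` fix suggests. The CA, the leaf certificate and the host name `gist.example.test` are constructed test data, and `make_cert`, `check` and `demo` are hypothetical helper names.

```ruby
require "openssl"
require "tempfile"

# Build a constructed certificate; self-signed unless an issuer is given.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  constraint = ca ? "CA:TRUE" : "CA:FALSE"
  ext = OpenSSL::X509::ExtensionFactory.new.create_extension("basicConstraints", constraint, true)
  cert.add_extension(ext)
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify leaf against a store that holds only what ca_file provides.
def check(leaf, ca_file = nil)
  store = OpenSSL::X509::Store.new # empty: no system trust anchors loaded
  store.add_file(ca_file) if ca_file
  [store.verify(leaf), store.error_string]
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert("/CN=Constructed Test CA", ca_key, ca: true)
  leaf = make_cert("/CN=gist.example.test", OpenSSL::PKey::RSA.new(2048),
                   issuer_cert: ca, issuer_key: ca_key, serial: 2)
  # The temp file plays the role of cacert.pem (constructed, one CA only).
  Tempfile.create(["cacert", ".pem"]) do |f|
    f.write(ca.to_pem)
    f.flush
    { empty_store: check(leaf), with_bundle: check(leaf, f.path) }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (ok, reason)| puts "#{name}: verified=#{ok} (#{reason})" }
end
```

The same leaf fails against the empty store and passes once the bundle file is loaded, with verification left on in both cases. `SSL_CERT_FILE` is the environment variable OpenSSL consults for its default bundle location.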

I also just started seeing this today. Was there another outage that might be affecting things?

$ bundle exec jekyll serve

Was working for me just a couple days ago in the same project when building locally. (jekyll 3.0.3)