pact-foundation/pact_broker-client

Old ca-bundle.crt causes problems after DST Root CA X3 certificate expiration

cgrim-cz opened this issue · 3 comments

PactBroker client has a bundled Ruby version 2.2 with an old ca-bundle.crt. It is located in pact-ruby-standalone/[version]/lib/ruby/lib.
We started to have problems after yesterday's expiration of the DST Root CA X3 certificate from Let's Encrypt because the new ISRG Root X1 certificate is not in the bundle.
So we replaced the bundle file with the latest one and PactBroker client is working again.

It would be good to update the bundled Ruby version or at least that ca-bundle.crt file in client releases.

And here is a trace for completeness:

$ pact-broker can-i-deploy --broker-base-url https://pactbroker.ourcompany.com:443 --pacticipant iam-app --version 2262783ffef49580f6d31ca3b941cd330c37432b --verbose

opening connection to pactbroker.ourcompany.com:443...
opened
starting SSL for pactbroker.ourcompany.com:443...
SSL established
Conn close because of connect error SSL_connect returned=1 errno=0 state=error: certificate verify failed
Error making request - OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: certificate verify failed /usr/local/Cellar/pact-ruby-standalone/1.88.72/lib/vendor/ruby/2.2.0/gems/pact_broker-client-1.52.0/lib/pact_broker/client/matrix.rb:15:in `get', attempt 1 of 3
opening connection to pactbroker.ourcompany.com:443...
opened
starting SSL for pactbroker.ourcompany.com:443...
SSL established
Conn close because of connect error SSL_connect returned=1 errno=0 state=error: certificate verify failed
Error making request - OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: certificate verify failed /usr/local/Cellar/pact-ruby-standalone/1.88.72/lib/vendor/ruby/2.2.0/gems/pact_broker-client-1.52.0/lib/pact_broker/client/matrix.rb:15:in `get', attempt 2 of 3
opening connection to pactbroker.ourcompany.com:443...
opened
starting SSL for pactbroker.ourcompany.com:443...
SSL established
Conn close because of connect error SSL_connect returned=1 errno=0 state=error: certificate verify failed
Error making request - OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: certificate verify failed /usr/local/Cellar/pact-ruby-standalone/1.88.72/lib/vendor/ruby/2.2.0/gems/pact_broker-client-1.52.0/lib/pact_broker/client/matrix.rb:15:in `get', attempt 3 of 3
Error retrieving matrix. OpenSSL::SSL::SSLError - SSL_connect returned=1 errno=0 state=error: certificate verify failed
/usr/local/Cellar/pact-ruby-standalone/1.88.72/lib/ruby/lib/ruby/2.2.0/net/http.rb:923:in `connect'
/usr/local/Cellar/pact-ruby-standalone/1.88.72/lib/ruby/lib/ruby/2.2.0/net/http.rb:923:in `block in connect'
/usr/local/Cellar/pact-ruby-standalone/1.88.72/lib/ruby/lib/ruby/2.2.0/timeout.rb:74:in `timeout'
/usr/local/Cellar/pact-ruby-standalone/1.88.72/lib/ruby/lib/ruby/2.2.0/net/http.rb:923:in `connect'
/usr/local/Cellar/pact-ruby-standalone/1.88.72/lib/ruby/lib/ruby/2.2.0/net/http.rb:863:in `do_start'
/usr/local/Cellar/pact-ruby-standalone/1.88.72/lib/ruby/lib/ruby/2.2.0/net/http.rb:852:in `start'
/usr/local/Cellar/pact-ruby-standalone/1.88.72/lib/ruby/lib/ruby/2.2.0/net/http.rb:1375:in `request'
/usr/local/Cellar/pact-ruby-standalone/1.88.72/lib/vendor/ruby/2.2.0/gems/httparty-0.18.1/lib/httparty/request.rb:145:in `perform'
/usr/local/Cellar/pact-ruby-standalone/1.88.72/lib/vendor/ruby/2.2.0/gems/httparty-0.18.1/lib/httparty.rb:594:in `perform_request'
/usr/local/Cellar/pact-ruby-standalone/1.88.72/lib/vendor/ruby/2.2.0/gems/httparty-0.18.1/lib/httparty.rb:508:in `get'
/usr/local/Cellar/pact-ruby-standalone/1.88.72/lib/vendor/ruby/2.2.0/gems/pact_broker-client-1.52.0/lib/pact_broker/client/matrix.rb:15:in `get'

See pact-foundation/pact-ruby-standalone#69

Upgrade and set PACT_DISABLE_SSL_VERIFICATION=true until we can get the bundled certs upgraded.

I think this was raised in the wrong repo, as this is the docker image repo, and the issue was with regard to pact-ruby-standalone. Closing as the pact-ruby-standalone cert has been updated.
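A way to check a ca-bundle.crt for the condition reported in this issue (an expired root still present, the ISRG Root X1 root absent), as an added example that is not code from pact_broker-client or pact-ruby-standalone. The helper names (`parse_bundle`, `audit_bundle`, `sample_root`, `sample_bundles`) are hypothetical, and the two sample bundles are built from constructed self-signed stand-ins that only reuse the root names, not the real CA certificates.

```ruby
require "openssl"

# Split a PEM bundle into certificates (ca-bundle.crt also carries comment lines).
def parse_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

def common_name(cert)
  entry = cert.subject.to_a.find { |name, _value, _type| name == "CN" }
  entry && entry[1]
end

# Report expired entries and which required root CNs lack a currently valid entry.
def audit_bundle(pem, required_cns, now = Time.now)
  certs = parse_bundle(pem)
  expired = certs.select { |c| c.not_after < now }.map { |c| common_name(c) }
  valid = certs.select { |c| c.not_before <= now && now <= c.not_after }
               .map { |c| common_name(c) }
  { total: certs.size, expired: expired, missing: required_cns - valid }
end

# Constructed self-signed stand-in for a root; not a real CA certificate.
def sample_root(cn, not_before, not_after, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/O=Example/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

# Constructed sample input: a stale bundle and a refreshed one.
def sample_bundles(now = Time.now)
  key = OpenSSL::PKey::RSA.new(2048)
  day = 86_400
  old_root = sample_root("DST Root CA X3", now - 3650 * day, now - day, key)
  new_root = sample_root("ISRG Root X1", now - 365 * day, now + 3650 * day, key)
  { stale: "# constructed stale bundle\n" + old_root,
    fresh: "# constructed refreshed bundle\n" + old_root + new_root }
end

if $PROGRAM_NAME == __FILE__
  sample_bundles.each { |name, pem| puts "#{name}: #{audit_bundle(pem, ['ISRG Root X1'])}" }
end
```

To audit a real installation, pass `File.read` of the bundle path to `audit_bundle` in place of the constructed samples.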