Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://gems.graphql.pro/. #3632

Closed
ce0la opened this issue Oct 4, 2021 · 5 comments

Comments

@ce0la

ce0la commented Oct 4, 2021

Describe the bug

bundle install is failing with Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://gems.graphql.pro/.

Versions

graphql version: 1.9.0
rails (or other framework): 4.0.13
ruby version: 2.2.10 (Docker image ruby:2.2.10)
OS version: Debian 8

Steps to reproduce

Create a Gemfile containing the code below and run bundle install:

```ruby
gem "graphql", "~> 1.9.0"
source "https://gems.graphql.pro/" do
  gem "graphql-pro"
end
```

Expected behavior

Install the bundles contained in Gemfile and create a Gemfile.lock file.

Actual behavior

Got this error:

```
 => ERROR [10/10] RUN bundle install                                                                9.8s
------
 > [10/10] RUN bundle install:
#14 7.830 Fetching source index from https://gems.graphql.pro/
#14 8.284
#14 8.284 Retrying fetcher due to error (2/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://gems.graphql.pro/.
#14 8.284 There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
#14 8.725 Retrying fetcher due to error (3/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://gems.graphql.pro/.
#14 8.725 There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
#14 9.252 Retrying fetcher due to error (4/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://gems.graphql.pro/.
#14 9.252 There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
#14 9.715 Could not verify the SSL certificate for https://gems.graphql.pro/.
#14 9.715 There is a chance you are experiencing a man-in-the-middle attack, but most
#14 9.715 likely your system doesn't have the CA certificates needed for verification. For
#14 9.715 information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect
#14 9.715 without using SSL, edit your Gemfile sources and change 'https' to 'http'.
```

Additional context

Please note that changing Gemfile sources to http does not fix it for me and I do not even want to do that for obvious security reasons.

@rmosolgo
Owner

rmosolgo commented Oct 5, 2021

Hi! Sorry about the trouble. This is due to the Let's Encrypt certificate expiration:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

The fix is to update the server; for example, a few approaches are described here: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-expired-certificate/

Alternatively, if you have an environment that doesn't hit this error, you can use bundle cache to download gems locally and version them along with application code. That way, you won't have to download libraries from the Debian environment described above.

I don't know of anything further I can do on my end to address this, do either of those help?
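
Added example (not code from this thread or from the graphql-ruby project): the same server certificate checked against two client trust stores with Ruby's OpenSSL bindings, one holding only an expired root and one holding a current root. The CA, the leaf certificate and the name gems.example.test are constructed for the demonstration.

```ruby
require "openssl"

# Constructed test material: a private CA and a leaf certificate generated on
# the spot. None of this is real Let's Encrypt or gems.graphql.pro data.
DAY     = 86_400
CA_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_NAME = OpenSSL::X509::Name.parse("/O=Constructed Example/CN=Constructed Root CA")

def build_cert(subject:, key:, issuer:, signer:, from:, to:, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3
  cert.serial     = rand(1..2**62)
  cert.subject    = subject
  cert.issuer     = issuer
  cert.public_key = key
  cert.not_before = from
  cert.not_after  = to
  if ca
    ext = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ext.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(signer, OpenSSL::Digest.new("SHA256"))
end

# Verify `leaf` against a trust store that holds exactly one root certificate.
# Returns [verified?, OpenSSL verify error code].
def verify_with(root, leaf)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  [store.verify(leaf), store.error]
end

def trust_store_demo(now = Time.now)
  root = lambda do |from, to|
    build_cert(subject: CA_NAME, key: CA_KEY, issuer: CA_NAME, signer: CA_KEY,
               from: from, to: to, ca: true)
  end
  stale_root   = root.call(now - 730 * DAY, now - DAY)        # expired yesterday
  current_root = root.call(now - 365 * DAY, now + 365 * DAY)  # still valid
  leaf = build_cert(subject: OpenSSL::X509::Name.parse("/CN=gems.example.test"),
                    key: OpenSSL::PKey::RSA.new(2048), issuer: CA_NAME,
                    signer: CA_KEY, from: now - DAY, to: now + 90 * DAY)
  { stale_store: verify_with(stale_root, leaf),
    updated_store: verify_with(current_root, leaf) }
end

if $PROGRAM_NAME == __FILE__
  trust_store_demo.each { |name, (ok, err)| puts "#{name}: verified=#{ok} error=#{err}" }
end
```

The leaf certificate is identical in both runs; only the client's trust store changes the outcome.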

@ce0la
Author

ce0la commented Oct 7, 2021

Yes, I was able to use this and it helped. Thank you very much, @rmosolgo! You are awesomeee!

In case anyone wants to do this, I originally was able to do an easy, quick fix for my development environment using a multi-stage Docker build to resolve the problem:

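```dockerfile
# Builder stage: install the gems on a newer Ruby image
FROM ruby:2.6.8 AS base

RUN apt-get update -qq && apt-get install -y build-essential libmariadb-dev libpq-dev nodejs

WORKDIR /build

COPY Gemfile /build/Gemfile
COPY Gemfile.lock /build/Gemfile.lock

# Rewrite the Ruby version pinned in the Gemfile so bundler accepts this image
RUN sed -i -e 's/"2.2.10"/"2.6.8"/g' Gemfile*

RUN gem install bundler
# Credentials for the private gem source (username:password is a placeholder)
RUN bundle config gems.graphql.pro username:password
RUN bundle install

# Runtime stage: the original Ruby 2.2.10 image, reusing the gems installed above
FROM ruby:2.2.10 AS main

WORKDIR /app

COPY --from=base /usr/local/bundle/ /usr/local/bundle/

COPY . /app

CMD [...]
```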

However, @rmosolgo's suggestion helped me translate this fix to a GitLab CI pipeline:

```yaml
build-dependencies:
  stage: build
  image: "ruby:2.6.8"
  script:
    - sed -i -e 's/"2.2.10"/"2.6.8"/g' Gemfile*
    - gem install bundler
    - bundle install --path vendor/cache
  artifacts:
    paths:
      - vendor/cache
[...]
test:
  stage: test
  image: "ruby:2.2.10"
  dependencies: # import artefact from earlier stage
    - build-dependencies
  script:
    - bundle install --local
    - bundle exec rake db:create
    - bundle exec rake db:migrate
    - bundle exec rspec
```

I hope this helps someone.

@ce0la ce0la closed this as completed Oct 7, 2021
@brokrete-oleksii

We've got the same error on a fresh Ubuntu 22:

Could not verify the SSL certificate for https://gems.graphql.pro/. There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.

On Mac and in Docker it works. Just Ubuntu. Looks like your certificate is incompatible with OpenSSL 3.0.2.

Could you help to resolve this, please?

@rmosolgo
Owner

👍 Thanks for the heads up. It looks like Apache recently released a patch for this. I've just tested an upgrade and it looks good, so I'll release it to production soon and follow up soon.

@rmosolgo
Owner

@brokrete-oleksii, the gem server is now running the latest Apache, so you should be good to go with OpenSSL 3.0. If you run into any more trouble with it, please open a new issue 🍻
