Bundler::Fetcher::CertificateFailureError for OpenSSL 1.0.1 #4265

Closed
Draiken opened this issue Dec 8, 2022 · 4 comments

Draiken commented Dec 8, 2022

Describe the bug

We cannot verify the SSL certificate for OpenSSL 1.0.1.
#3632 reported the same issue but for OpenSSL 3, but now that means we cannot get this for older versions.

The solution would be to start using OpenSSL 3, but not all Ruby versions support it. Relevant Ruby bug
Even if we manually install the openssl:3 gem (which is not yet fully supported either)

Now, I don't know enough about SSL and Apache to know if there's a possibility to support both versions or not. Regardless, I had to open this issue to raise this up, since it's a catch-22 issue. We can't use v3 due to Ruby, and we can't use v1.0.1 due to this gem.

Steps to reproduce

As an example, you can use rvm to install openssl 1.0.1

rvm pkg install openssl
rvm install 3.0.3 --with-openssl-dir=~/.rvm/usr
gem install graphql-pro --source=https://gems.graphql.pro/

ERROR:  SSL verification error at depth 2: unable to get local issuer certificate (20)
ERROR:  You must add /O=Digital Signature Trust Co./CN=DST Root CA X3 to your local trusted store
ERROR:  SSL verification error at depth 2: unable to get local issuer certificate (20)
ERROR:  You must add /O=Digital Signature Trust Co./CN=DST Root CA X3 to your local trusted store
ERROR:  SSL verification error at depth 2: unable to get local issuer certificate (20)
ERROR:  You must add /O=Digital Signature Trust Co./CN=DST Root CA X3 to your local trusted store
ERROR:  Could not find a valid gem 'graphql-pro' (>= 0), here is why:
          Unable to download data from https://gems.graphql.pro/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (unable to get local issuer certificate) (https://gems.graphql.pro/specs.4.8.gz)
ERROR:  SSL verification error at depth 2: unable to get local issuer certificate (20)
ERROR:  You must add /O=Digital Signature Trust Co./CN=DST Root CA X3 to your local trusted store
ERROR:  Possible alternatives: shopify-graphql_proxy, graphql-rb, graphql, graphql-api, graphql-dsl, graphql-map, graphql_grpc, graphqlify, graphqlmd, graphqr

Expected behavior

The gem is installed

Actual behavior

The gem cannot be installed due to openssl version issues

Additional context

Another easy way to test this is to check with the openssl binary

openssl s_client -connect gems.graphql.pro:443

# 1.0.1
$HOME/.rvm/usr/bin/openssl s_client -connect gems.graphql.pro:443

rmosolgo (Owner) commented Dec 8, 2022

Hi! Thanks for reporting this issue, and sorry for the trouble. Are you on Ubuntu 22 as described in the Ruby bug, or are you using a different OS?

Draiken (Author) commented Dec 14, 2022

@rmosolgo I am right now using Arch Linux, which has already updated OpenSSL to v3.

I tried manually installing the openssl gem (downloading the package and installing) and it does allow me to then install the GraphQL gem. However, I can't even start my project because the gem is not really part of the bundle. Perhaps I could get this to work if I add gem "openssl", "~> 3" to my Gemfile, but again, this would break if Ruby got compiled with openssl v1.1.

It feels like all options are bad at this point.

rmosolgo (Owner) commented Dec 14, 2022

Yeah, sorry about the trouble... I'm really not sure the best approach either, and this is the first I've heard of this problem :S

One thing that stands out is that OpenSSL v1.0.1 is no longer supported (doc) -- instead, v1.1.1 is the oldest LTS release. Would it be possible to use OpenSSL v1.1.1 instead? Maybe that one would work better with the gem server.

Draiken (Author) commented Dec 20, 2022

You are absolutely right. I installed v1.1.1 and recompiled Ruby with --with-openssl-dir=<openssl-1.1.1-dir>, which seems to have made it work.

The fix of installing openssl through rvm is outdated and installs 1.0.1, which seems to be incompatible.

Thanks for the help.

Draiken closed this as completed Dec 20, 2022
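
A preflight check for the situation resolved in this thread, written in Ruby as an added example (not code from the issue or from the project): it reports which OpenSSL the running Ruby was compiled against and which one it loads at run time, and compares that with 1.1.1, the oldest LTS release mentioned above. The function names and the `MIN_OPENSSL` constant are assumptions made for this example.

```ruby
require "openssl"

# Threshold taken from the thread: 1.1.1 is named there as the oldest LTS release.
# (Constant name is an assumption of this example.)
MIN_OPENSSL = [1, 1, 1].freeze

# Parse a banner such as "OpenSSL 1.0.1u  <build date>" or "OpenSSL 3.0.7 <build date>"
# into [major, minor, patch]. The letter suffix (the "u" in 1.0.1u) is ignored.
# Returns nil for anything that is not an OpenSSL banner (for example LibreSSL).
def parse_openssl_version(banner)
  m = /\AOpenSSL (\d+)\.(\d+)\.(\d+)/.match(banner.to_s)
  m && m.captures.map(&:to_i)
end

# true/false when the banner can be parsed, nil when it cannot be judged.
def openssl_new_enough?(banner)
  version = parse_openssl_version(banner)
  return nil if version.nil?

  (version <=> MIN_OPENSSL) >= 0
end

# Summarise what this Ruby was built against and what it actually loads.
# The two can differ when Ruby was compiled with --with-openssl-dir pointing
# at one install while another library is picked up at run time.
def openssl_report
  runtime = OpenSSL::OPENSSL_LIBRARY_VERSION
  {
    compiled_against: OpenSSL::OPENSSL_VERSION,
    loaded_at_runtime: runtime,
    new_enough: openssl_new_enough?(runtime),
    default_cert_file: OpenSSL::X509::DEFAULT_CERT_FILE,
    default_cert_dir: OpenSSL::X509::DEFAULT_CERT_DIR
  }
end

if __FILE__ == $PROGRAM_NAME
  openssl_report.each { |key, value| puts "#{key}: #{value}" }
end
```

Running it with the same Ruby that runs `gem install` shows whether the interpreter is still linked against the 1.0.1 build and which trust store path it reads by default.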