
I've installed JRuby's latest version (9.1.13.0) with RVM's latest version (1.29.3) on CentOS 7.4.

Everything works fine, but HTTPS and SSL connections fail with the error below:

```
OpenSSL::SSL::SSLError: certificate verify failed
    from org/jruby/ext/openssl/SSLSocket.java:228:in `connect_nonblock'
    from /usr/local/rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:938:in `connect'
    from /usr/local/rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:868:in `do_start'
    from /usr/local/rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:857:in `start'
    from /usr/local/rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/open-uri.rb:319:in `open_http'
    from /usr/local/rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/open-uri.rb:737:in `buffer_open'
    from /usr/local/rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/open-uri.rb:212:in `block in open_loop'
    from org/jruby/RubyKernel.java:1114:in `catch'
    from /usr/local/rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/open-uri.rb:210:in `open_loop'
    from /usr/local/rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/open-uri.rb:151:in `open_uri'
    from /usr/local/rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/open-uri.rb:717:in `open'
    from /usr/local/rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/open-uri.rb:35:in `open'
```

I've tried reinstalling OpenSSL and ca-certificates and RVM and JRuby. Also, I've tried to replace the cert file with a manually downloaded file, but nothing worked.

Update: I've tested my problem with doctor.rb:

```
export SSL_CERT_DIR='/etc/pki/tls/certs/' ; ruby doctor.rb www.google.com:443
```

and got:

```
/usr/local/rvm/rubies/jruby-9.1.13.0/bin/jruby (2.3.3)
JRuby-OpenSSL 0.9.21: /etc/ssl
SSL_CERT_DIR="/etc/pki/tls/certs/"
SSL_CERT_FILE="/etc/pki/tls/certs/ca-bundle.crt"

HEAD https://www.google.com:443
OpenSSL::SSL::SSLError: certificate verify failed

The server presented a certificate that could not be verified:
  subject: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
  issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  error code 20: unable to get local issuer certificate
```

Update 2: The interesting point is that the SSL connectivity test for other servers like www.facebook.com and www.apple.com works OK!

tmr08c
Mehdi Hosseinzadeh
  • @CyRossignol That problem is about the certificate itself. My question is about a CA cert problem with OpenSSL – Mehdi Hosseinzadeh Sep 24 '17 at 15:18
  • Apologies for misunderstanding. This error you describe can be caused by several factors, but the question needs more detail. [The duplicate I linked](https://stackoverflow.com/questions/36966650/ruby-nethttp-responds-with-opensslsslsslerror-certificate-verify-failed) suggests several ways to try diagnosing the problem which can help narrow the issue. – Cy Rossignol Sep 24 '17 at 15:32
  • Thanks for your hint. Added the response of doctor.rb. Just confused :( – Mehdi Hosseinzadeh Sep 24 '17 at 15:52
  • Unfortunately, the output of *doctor.rb* doesn't really help clarify the issue. There's still not really enough information to provide a definitive answer without shooting in the dark because this is a complex problem with many potential causes. Please try some suggestions from [this question](https://stackoverflow.com/questions/8101377/certificate-verify-failed-openssl-error-when-using-ruby-1-9-3) and let me know if any work for your case. – Cy Rossignol Sep 24 '17 at 23:39
  • Other servers work OK. The problem is with GeoTrust and Google – Mehdi Hosseinzadeh Sep 25 '17 at 04:11
  • Sorry, didn't get a notification for your comment. Did you manage to solve this? – Cy Rossignol Oct 03 '17 at 01:35
  • It's possible that it is related to [this issue](https://github.com/jruby/jruby-openssl/issues/141) on `jruby-openssl`. – tmr08c Oct 03 '17 at 17:20
  • @CyRossignol I've disabled the SSL verification process on my production server because of downtime. I should check it out again in the future. – Mehdi Hosseinzadeh Oct 10 '17 at 11:09

1 Answer

JRuby uses its own implementation of OpenSSL.

I believe you have the same issue as: https://github.com/jruby/jruby-openssl/issues/141#issuecomment-332788620

I had a similar issue on CentOS also.

I worked around it by using my browser (Firefox) and saving the "certificate chain" to a ".pem" file.

Then set the env variable:

```
SSL_CERT_FILE=/tmp/certificate_chain.pem
```

There are multiple reported bugs on JRuby / OpenSSL / CentOS.

CentOS's ca-certificates structure differs from other distros, and seems to be problematic with JRuby + OpenSSL.

Filip
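
The doctor.rb output in the question fails with error code 20 on a CA certificate whose issuer is not in the bundle. As an added example (not code from the post or from JRuby-OpenSSL), this Ruby script checks a saved chain, such as the `.pem` file from the answer, against a CA bundle and reports for each certificate whether its issuer is in the bundle, the same CA is already a bundle root, or the issuer is missing. The certificates and names (`Example CA`, `Retired Root`) are constructed test data, and `parse_pems`, `diagnose`, `make_cert` and `demo` are hypothetical helper names.

```ruby
require 'openssl'

# Parse every certificate in a PEM file's text (a saved chain or a CA bundle).
def parse_pems(text)
  text.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
      .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# For each presented certificate, say where its issuer was found.
def diagnose(chain, bundle)
  chain.map do |cert|
    signs = ->(c) { c.subject.cmp(cert.issuer).zero? && cert.verify(c.public_key) }
    same_ca = bundle.any? do |a|
      a.subject.cmp(cert.subject).zero? && a.public_key.to_der == cert.public_key.to_der
    end
    status = if bundle.any?(&signs) then :issuer_in_bundle
             elsif same_ca then :same_ca_in_bundle  # bundle root can anchor the path
             elsif chain.any?(&signs) then :issuer_in_chain
             else :missing_issuer                   # reported as error code 20
             end
    [cert.subject.to_s, status]
  end
end

# Constructed test certificates (hypothetical names, not real CA material).
def make_cert(subject, key, issuer_name, issuer_key, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = OpenSSL::X509::Name.parse(issuer_name)
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

def demo
  old_key, ca_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root  = make_cert('/CN=Example CA', ca_key, '/CN=Example CA', ca_key, 1)      # in bundle
  cross = make_cert('/CN=Example CA', ca_key, '/CN=Retired Root', old_key, 2)  # sent by server
  leaf  = make_cert('/CN=www.example.test', leaf_key, '/CN=Example CA', ca_key, 3)
  chain = parse_pems(leaf.to_pem + cross.to_pem)
  { with_root: diagnose(chain, parse_pems(root.to_pem)), empty_bundle: diagnose(chain, []) }
end

p demo if $PROGRAM_NAME == __FILE__
```

On a real host, call `diagnose` with `parse_pems(File.read(path))` for the saved chain and for the bundle named in `SSL_CERT_FILE`.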