Ruby on UBI via OpenSSL does not observe OPENSSL_CERT_DIR

Summary

gitlab-org/build/CNG!515 (comment 403427519)

@jplum: These changes appear to be working, but in the process of checking everything out, we discovered what might be a bug in how Ruby on UBI (via OpenSSL) is handling things:

    require 'openssl'
    require 'open-uri'

    OpenSSL::X509::DEFAULT_CERT_FILE
    OpenSSL::X509::DEFAULT_CERT_DIR
    Dir.glob("#{OpenSSL::X509::DEFAULT_CERT_DIR}/*")

    URI.open('https://certcheck.pitc.apps.ge.com/imagenew.png')

    irb(main):001:0> require 'openssl'
    => false
    irb(main):002:0> require 'open-uri'
    => false
    irb(main):003:0> 
    irb(main):004:0> 
    irb(main):005:0> OpenSSL::X509::DEFAULT_CERT_FILE
    => "/etc/pki/tls/cert.pem"
    irb(main):006:0> OpenSSL::X509::DEFAULT_CERT_DIR
    => "/etc/pki/tls/certs"
    irb(main):007:0> Dir.glob("#{OpenSSL::X509::DEFAULT_CERT_DIR}/*")
    => ["/etc/pki/tls/certs/ca-bundle.trust.crt", "/etc/pki/tls/certs/ca-bundle.crt"]
    irb(main):008:0> 
    irb(main):009:0> URI.open('https://certcheck.pitc.apps.ge.com/imagenew.png')
    Traceback (most recent call last):
            1: from (irb):9
    OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get lo

Steps to reproduce

  1. Apply configuration listed below
  2. Deploy helm chart
  3. Exec into task-runner
  4. Run the following via irb:
    require 'openssl'
    require 'open-uri'
    
    OpenSSL::X509::DEFAULT_CERT_FILE
    OpenSSL::X509::DEFAULT_CERT_DIR
    Dir.glob("#{OpenSSL::X509::DEFAULT_CERT_DIR}/*")
    
    URI.open('https://certcheck.pitc.apps.ge.com/imagenew.png')

Configuration used

(Please provide a sanitized version of the configuration used wrapped in a code block (```yaml))

(Paste sanitized configuration here)

Current behavior

Receiving 'certificate verify failed (unable to get local issuer certificate).'

Expected behavior

Receive no SSL errors.

(What you're expecting to happen)

Versions

  • Chart: f9e48a1c70a3a27a0c63842233c5d46e10e41578
  • Platform:
    • Cloud: GKE
  • Kubernetes: (kubectl version)
    • Client: 1.17.3
    • Server: 1.14.10-gke.42
  • Helm: (helm version)
    • Client: v3.1.2
    • Server: N/A

Relevant logs

(Please provide any relevant log snippets you have collected, using code blocks (```) to format)

    irb(main):001:0> require 'openssl'
    => false
    irb(main):002:0> require 'open-uri'
    => false
    irb(main):003:0> 
    irb(main):004:0> 
    irb(main):005:0> OpenSSL::X509::DEFAULT_CERT_FILE
    => "/etc/pki/tls/cert.pem"
    irb(main):006:0> OpenSSL::X509::DEFAULT_CERT_DIR
    => "/etc/pki/tls/certs"
    irb(main):007:0> Dir.glob("#{OpenSSL::X509::DEFAULT_CERT_DIR}/*")
    => ["/etc/pki/tls/certs/ca-bundle.trust.crt", "/etc/pki/tls/certs/ca-bundle.crt"]
    irb(main):008:0> 
    irb(main):009:0> URI.open('https://certcheck.pitc.apps.ge.com/imagenew.png')
    Traceback (most recent call last):
            1: from (irb):9
    OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate))
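
A diagnostic worth running against the directory listed above (an added example, not part of the original issue or of the chart's code): OpenSSL's CA-directory lookup only opens files named by subject hash (`<hash>.N`, the names `openssl rehash` / `c_rehash` create), so certificates that sit in the directory only inside bundle files are not found through it. The helper names and the self-signed CA below are constructed for illustration.

```ruby
require 'openssl'
require 'tmpdir'

PEM_RE = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# File name OpenSSL's directory lookup expects: <subject hash>.<n>
def hashed_name(cert, n = 0)
  format('%08x.%d', cert.subject.hash, n)
end

# For every PEM certificate in non-hash-named files, is a <hash>.N entry present?
def audit_cert_dir(dir)
  files = Dir.glob(File.join(dir, '*')).select { |f| File.file?(f) }
  files.reject { |f| File.basename(f) =~ /\A\h{8}\.\d+\z/ }.flat_map do |path|
    File.binread(path).scan(PEM_RE).map do |pem|
      hash = hashed_name(OpenSSL::X509::Certificate.new(pem)).split('.').first
      { file: File.basename(path), hash: hash,
        present: !Dir.glob(File.join(dir, "#{hash}.*")).empty? }
    end
  end
end

# True if a store that knows only `dir` as a CA path can verify `cert`.
def verifies_via_dir?(dir, cert)
  OpenSSL::X509::Store.new.tap { |s| s.add_path(dir) }.verify(cert)
end

# Constructed self-signed CA, sample input only.
def sample_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Test CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

def demo
  Dir.mktmpdir do |dir|
    ca = sample_ca
    File.write(File.join(dir, 'ca-bundle.crt'), ca.to_pem)
    before = [audit_cert_dir(dir).first[:present], verifies_via_dir?(dir, ca)]
    File.write(File.join(dir, hashed_name(ca)), ca.to_pem) # entry `openssl rehash` would add
    { before: before, after: [audit_cert_dir(dir).first[:present], verifies_via_dir?(dir, ca)] }
  end
end
```

Inside the container, `audit_cert_dir(OpenSSL::X509::DEFAULT_CERT_DIR)` lists each bundled certificate that has no hash-named entry; `demo` returns the audit and verification result before and after the entry is added.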