Upgrade fail because of ruby SSL error

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
Cpt.Ackbar
Posts: 31
Joined: Thu Aug 17, 2017 7:14 am

Upgrade fail because of ruby SSL error

Post by Cpt.Ackbar »

Hello,

I am running log servers in 3 locations. 2 log servers in US, 2 log servers in AWS (Frankfurt) and 2 log servers in China. I successfully upgraded to 2.0.4 at US and at AWS but not at China. Previous version was 2.0.2.

I am getting this error:

Code:

Nothing to do
Error Bundler::Fetcher::CertificateFailureError, retrying 1/10
Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.


I have done a search and I know that it points at problems with ca-certificates. But I do not understand why it worked on other two and not here. I am also using proxy (http). Running OS is CentOS 6.9

Could you please advise me which changes I should make? I presume that I have to do something with certificates or switch to http instead of https for ruby. In that case can you advise me how?

In case you need any additional information please let me know.

Thanks a lot.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Upgrade fail because of ruby SSL error

Post by cdienger »

Running the following will show you the certs and any CAs:

openssl s_client -showcerts -connect rubygems.org:443 < /dev/null

Assuming that the man-in-the-middle is an actual trusted source, you can extract the CAs (the stuff including and between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) and save them to text files in /tmp/nagioslogserver/subcomponents/logstash/logstash-2.4.1/vendor/jruby/lib/ruby/shared (decompress the logstash-2.4.1.tar.gz file included in the install, add the CAs, and then compress it again).

Please note that I do not have a machine in China to test with, but believe the above should work. Let me know if you run into any problems.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
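
A way to review what `-showcerts` returned before saving anything into the JRuby directory, added here as an illustration and not part of any post in this thread: it lists each certificate's subject, issuer, CA flag and SHA-256 fingerprint so the CA can be compared with the value published by whoever operates the intercepting proxy. The certificates and the s_client text are constructed inside the script; `describe_chain`, `make_cert` and `sample_output` are names invented for this example.

```ruby
require 'openssl'

PEM_RE = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Extract every PEM block from `openssl s_client -showcerts` output and
# summarise it for review before anything is added to a trust store.
def describe_chain(s_client_output)
  s_client_output.scan(PEM_RE).map do |pem|
    cert = OpenSSL::X509::Certificate.new(pem)
    bc = cert.extensions.find { |e| e.oid == 'basicConstraints' }
    { subject: cert.subject.to_s,
      issuer: cert.issuer.to_s,
      ca: !bc.nil? && bc.value.include?('CA:TRUE'),
      not_after: cert.not_after,
      sha256: OpenSSL::Digest::SHA256.hexdigest(cert.to_der) }
  end
end

# Constructed test data: a throwaway certificate signed by issuer (or itself).
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Constructed s_client-style output: leaf for rubygems.org plus its issuing CA.
def sample_output
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Constructed Proxy CA', ca_key, ca: true)
  leaf = make_cert('rubygems.org', OpenSSL::PKey::RSA.new(2048), issuer: ca, issuer_key: ca_key)
  "CONNECTED(00000003)\n---\nCertificate chain\n 0 s:/CN=rubygems.org\n" \
    "#{leaf.to_pem} 1 s:/CN=Constructed Proxy CA\n#{ca.to_pem}---\n"
end

if __FILE__ == $PROGRAM_NAME
  describe_chain(sample_output).each { |c| puts c }
end
```

Output that contains no PEM block, such as a handshake that ends with "no peer certificate available", yields an empty list.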
Cpt.Ackbar
Posts: 31
Joined: Thu Aug 17, 2017 7:14 am

Re: Upgrade fail because of ruby SSL error

Post by Cpt.Ackbar »

I am getting this:

Code:

[root@NAGIOSLOG1 ~]# openssl s_client -showcerts -connect rubygems.org:443 < /dev/null
CONNECTED(00000003)
139882602829640:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
[root@KUNGNAGIOSLOG1 mplisek]#
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Upgrade fail because of ruby SSL error

Post by cdienger »

Looks like it may be completely blocked. Try this instead:

1. Decompress logstash-2.4.1.tar.gz
2. Open /tmp/nagioslogserver/subcomponents/logstash/logstash-2.4.1/Gemfile
3. Change the line:

source "https://rubygems.org"

to:

source "http://rubygems.org"

4. Save changes
5. Compress logstash-2.4.1 back to logstash-2.4.1.tar.gz

For step 3 you can also set the source to "https://gems.ruby-china.org/".
Cpt.Ackbar
Posts: 31
Joined: Thu Aug 17, 2017 7:14 am

Re: Upgrade fail because of ruby SSL error

Post by Cpt.Ackbar »

I applied your steps and error stands still

Code:

Error Bundler::Fetcher::CertificateFailureError, retrying 1/10
Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.

I have changed address to http and also tried China version but error is still the same. I think there has to be change of address somewhere else. Do you know where?

Thanks
jomann
Development Lead
Posts: 611
Joined: Mon Apr 22, 2013 10:06 am
Location: Nagios Enterprises

Re: Upgrade fail because of ruby SSL error

Post by jomann »

You can try updating your ~/.gemrc file (you may have to make it) and put in the following:

Code:

:sources: - http://rubygems.org
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Upgrade fail because of ruby SSL error

Post by cdienger »

I've attached a list of potential Gemfiles. I would try changing Gemfile.jruby-1.9.lock first however. Also check to see if there is a proxy configured on the filesystem that can be disabled: https://support.nagios.com/kb/article.php?id=147
Cpt.Ackbar
Posts: 31
Joined: Thu Aug 17, 2017 7:14 am

Re: Upgrade fail because of ruby SSL error

Post by Cpt.Ackbar »

@jomann: I have tried to implement ~/.gemrc file. Error has changed:

Code:

Error Psych::SyntaxError, retrying 1/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 2/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 3/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 4/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 5/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 6/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 7/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 8/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 9/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 10/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Too many retries, aborting, caused by Psych::SyntaxError
ERROR: Updated Aborted, message: (<unknown>): sequence entries are not allowed here at line 1 column 11

@cdienger:
Have you forgotten to attach the list? Or am I missing something? To proxy - I have zscaler proxy implemented on XI, LOGs and NA and on all machines it works without any issue (yum, wget, etc.).
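
The `Psych::SyntaxError` above points at line 1 column 11, which is where the `-` sits when the `:sources:` entry is written on one line; a `.gemrc` is YAML, and a block sequence item has to start on its own line. This added example (not from any poster or from Nagios; the helper names are invented here) parses both spellings and also lists any source that uses plain `http`, since gems fetched from such a source arrive without TLS verification.

```ruby
require 'yaml'
require 'uri'

# Constructed inputs: the entry as one line, and as a YAML block sequence.
ONE_LINE = ":sources: - http://rubygems.org\n"
BLOCK    = ":sources:\n- http://rubygems.org\n"

# Parse .gemrc text as YAML with symbol keys.
# Returns { config: Hash } on success or { error_line: Integer } when the
# YAML itself is malformed.
def parse_gemrc(text)
  { config: YAML.safe_load(text, permitted_classes: [Symbol]) }
rescue Psych::SyntaxError => e
  { error_line: e.line }
end

# Sources that would be fetched without TLS, so gem downloads from them
# have no transport integrity protection.
def plaintext_sources(config)
  Array(config[:sources]).select { |s| URI.parse(s).scheme == 'http' }
end

if __FILE__ == $PROGRAM_NAME
  p parse_gemrc(ONE_LINE)            # syntax error reported on line 1
  ok = parse_gemrc(BLOCK)
  p ok
  p plaintext_sources(ok[:config])   # sources a reviewer should question
end
```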
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Upgrade fail because of ruby SSL error

Post by cdienger »

I did. Here is the list!
Cpt.Ackbar
Posts: 31
Joined: Thu Aug 17, 2017 7:14 am

Re: Upgrade fail because of ruby SSL error

Post by Cpt.Ackbar »

Like I mentioned in previous post I have tried to create gemrc file but I get syntax error. Could you please advise what could be wrong?

I have not tried to edit files from the list. Could you please provide me some script how to modify these files?

I am attaching gemrc file to check (I have added .txt to be able to post it to forum).