Upgrade fail because of ruby SSL error
Posted: Tue Jul 10, 2018 7:15 am
by Cpt.Ackbar
Hello,
I am running log servers in 3 locations: 2 log servers in the US, 2 log servers in AWS (Frankfurt) and 2 log servers in China. I successfully upgraded to 2.0.4 in the US and at AWS, but not in China. The previous version was 2.0.2.
I am getting this error:
Nothing to do
Error Bundler::Fetcher::CertificateFailureError, retrying 1/10
Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
I have done a search and I know that it points at problems with ca-certificates. But I do not understand why it worked on the other two and not here. I am also using a proxy (http). The OS is CentOS 6.9.
Could you please advise me which changes I should make? I presume that I have to do something with the certificates or switch to http instead of https for ruby. In that case, can you advise me how?
In case you need any additional information please let me know.
Thanks a lot.
Re: Upgrade fail because of ruby SSL error
Posted: Tue Jul 10, 2018 11:34 am
by cdienger
Running the following will show you the certs and CAs:
openssl s_client -showcerts -connect rubygems.org:443 < /dev/null
Assuming that the man-in-the-middle is an actual trusted source, you can extract the CAs (the stuff including and between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) and save them to text files in /tmp/nagioslogserver/subcomponents/logstash/logstash-2.4.1/vendor/jruby/lib/ruby/shared (decompress the logstash-2.4.1.tar.gz file included in the install, add the CAs, and then compress it again).
Please note that I do not have a machine in China to test with, but believe the above should work. Let me know if you run into any problems.
Re: Upgrade fail because of ruby SSL error
Posted: Thu Jul 12, 2018 3:09 am
by Cpt.Ackbar
I am getting this:
[root@NAGIOSLOG1 ~]# openssl s_client -showcerts -connect rubygems.org:443 < /dev/null
CONNECTED(00000003)
139882602829640:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
[root@KUNGNAGIOSLOG1 mplisek]#
Re: Upgrade fail because of ruby SSL error
Posted: Thu Jul 12, 2018 12:53 pm
by cdienger
Looks like it may be completely blocked. Try this instead:
1. Decompress logstash-2.4.1.tar.gz
2. Open /tmp/nagioslogserver/subcomponents/logstash/logstash-2.4.1/Gemfile
3. Change the line:
source "https://rubygems.org"
to:
source "http://rubygems.org"
4. Save changes
5. Compress logstash-2.4.1 back to logstash-2.4.1.tar.gz
For step 3 you can also try setting the source to "https://gems.ruby-china.org/"
Re: Upgrade fail because of ruby SSL error
Posted: Mon Jul 16, 2018 3:52 am
by Cpt.Ackbar
I applied your steps and the error still stands:
Error Bundler::Fetcher::CertificateFailureError, retrying 1/10
Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
I have changed the address to http and also tried the China version, but the error is still the same. I think the address has to be changed somewhere else. Do you know where?
Thanks
Re: Upgrade fail because of ruby SSL error
Posted: Mon Jul 16, 2018 12:47 pm
by jomann
You can try updating your ~/.gemrc file (you may have to make it) and put in the following:
Re: Upgrade fail because of ruby SSL error
Posted: Mon Jul 16, 2018 12:51 pm
by cdienger
I've attached a list of potential Gemfiles. I would try changing Gemfile.jruby-1.9.lock first however. Also check to see if there is a proxy configured on the filesystem that can be disabled:
https://support.nagios.com/kb/article.php?id=147
Re: Upgrade fail because of ruby SSL error
Posted: Thu Jul 19, 2018 6:12 am
by Cpt.Ackbar
@jomann: I have tried to implement the ~/.gemrc file. The error has changed:
Error Psych::SyntaxError, retrying 1/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 2/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 3/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 4/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 5/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 6/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 7/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 8/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 9/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Error Psych::SyntaxError, retrying 10/10
(<unknown>): sequence entries are not allowed here at line 1 column 11
Too many retries, aborting, caused by Psych::SyntaxError
ERROR: Updated Aborted, message: (<unknown>): sequence entries are not allowed here at line 1 column 11
@cdienger:
Have you forgotten to attach the list? Or am I missing something? Regarding the proxy: I have a zscaler proxy implemented on XI, LOGs and NA, and on all machines it works without any issue (yum, wget, etc.)
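Added example (not from the thread; the poster's actual ~/.gemrc is not shown on the page): a small .gemrc check that reports where YAML parsing fails and flags plaintext sources or disabled TLS verification. The one-line sample is a constructed layout that fails at line 1 column 11, the position in the error above; the other samples, the CA bundle path and the function name are assumptions.

```ruby
require "yaml"

# Constructed sample: list item on the same line as its key (invalid YAML).
BROKEN_GEMRC = ":sources: - https://rubygems.org/\n"

# Constructed sample: valid block form, but with settings worth flagging.
WEAK_GEMRC = <<~GEMRC
  :sources:
    - http://rubygems.org/
  :ssl_verify_mode: 0
GEMRC

# Constructed sample: HTTPS source plus an explicit CA bundle (hypothetical path).
GOOD_GEMRC = <<~GEMRC
  :sources:
    - https://rubygems.org/
  :ssl_ca_cert: /etc/pki/tls/certs/proxy-root-ca.pem
GEMRC

# Parse gemrc text and return a list of findings (empty means nothing flagged).
def lint_gemrc(text)
  begin
    cfg = YAML.safe_load(text, permitted_classes: [Symbol]) || {}
  rescue Psych::SyntaxError => e
    return ["syntax error at line #{e.line} column #{e.column}"]
  end
  return ["top level must be a mapping"] unless cfg.is_a?(Hash)

  findings = []
  sources = Array(cfg[:sources] || cfg["sources"])
  sources.each do |src|
    findings << "plaintext source: #{src}" if src.to_s.start_with?("http://")
  end
  mode = cfg[:ssl_verify_mode] || cfg["ssl_verify_mode"]
  findings << "TLS verification disabled (ssl_verify_mode: 0)" if mode == 0
  findings
end

if __FILE__ == $PROGRAM_NAME
  { "broken" => BROKEN_GEMRC, "weak" => WEAK_GEMRC, "good" => GOOD_GEMRC }.each do |name, text|
    puts "#{name}: #{lint_gemrc(text).inspect}"
  end
end
```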
Re: Upgrade fail because of ruby SSL error
Posted: Thu Jul 19, 2018 10:54 am
by cdienger
I did. Here is the list!
Re: Upgrade fail because of ruby SSL error
Posted: Thu Aug 09, 2018 3:11 am
by Cpt.Ackbar
Like I mentioned in my previous post, I have tried to create a gemrc file but I get a syntax error. Could you please advise what could be wrong?
I have not tried to edit the files from the list. Could you please provide me with a script to modify these files?
I am attaching the gemrc file to check (I have added .txt to be able to post it to the forum).