Home > Net >  Rails SSL certificate error on valid certificate
Rails SSL certificate error on valid certificate

Time:10-05

I have small Rails app that performs various checks on our platform and sends me an email in case of an issue. Everything was running fine until today i started getting alerts about the following error:

SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)

Now the problem is the certificate in question is valid, it gets automatically renewed (Let's encrypt) and this code has been untouched for a couple of years and never had any issues before and suddenly this started to happen.

The code that throws the exception:

def get_request url
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true

  #more than 10 seconds this is too slow
  http.open_timeout = 10
  http.read_timeout = 10

  request = Net::HTTP::Get.new(uri.request_uri)
  response = http.request(request)

  if response.code.to_i == 200
    return true
  else
    puts "Failed to GET #{url}: #{response.code.to_i}"
    return false
  end
end

If i open the site in the browser, it shows the secure connection without issues and shows that is using a valid certificate, furthermore if i check with certbot i get the following: Expiry Date: 2021-11-22 17:48:58 00:00 (VALID: 52 days) so clearly the certificate is valid, why suddenly rails is throwing a tantrum about it?

Note that i have restarted Nginx just in case, that didn't help.

Additional info: Ubuntu 16.04.5, OpenSSL 1.0.2g 1 Mar 2016, Rails 4.2, Ruby 2.6.5

EDIT:

This error also happens with a different url, which also has a valid certificate.

EDIT 2:

I've isolated the problem, it is related to Let's Encrypt DST Root CA X3 that has expired. A lot of people are dealing with this issue, i'll report my solution once i find one.

CodePudding user response:

So after reading through this long thread of the Let's Encrypt community, the solution for my case ended up being to remove the DST Root CA X3 certificate:

sudo rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
sudo update-ca-certificates

After that no more errors from openssl.

  • Related