GRN2-397: fix(httpclient): updates certificate authorities #2930

Merged
merged 1 commit into from
Oct 1, 2021

Contributor

@faust64 faust64 commented Sep 30, 2021

Description

As reported here: nahi/httpclient#445
The httpclient gem comes with quite an old list of trusted certificate authorities.

As of today, we are seeing Greenlight failing to query some OIDC server, complaining about our LetsEncrypt certificate being invalid -- while a curl, from our Greenlight container, suggests there is no such issue with our certificate.

Thanks to @maxbes, who figured it out.
Here's a patch that might help.

Obviously, it would be better to fix the httpclient library directly (see nahi/httpclient#446).
In doubt, I'm leaving this one too. Best case, httpclient would have been updated soon. Otherwise, we know of another way ...

Testing Steps

Nothing specific / no change in Ruby code. Just make sure the image starts.

Screenshots (if appropriate):

N/A

@sonarqubecloud

Kudos, SonarCloud Quality Gate passed!

Bugs: 0 (rating A)
Vulnerabilities: 0 (rating A)
Security Hotspots: 0 (rating A)
Code Smells: 0 (rating A)

No Coverage information
No Duplication information

@jfederico
Member

Thanks @faust64 the patch seems to be not only adequate, but the only resort right now.

@jfederico jfederico changed the title fix(httpclient): updates certificate authorities GRN2-397: fix(httpclient): updates certificate authorities Oct 1, 2021
@jfederico jfederico merged commit 1b58c67 into bigbluebutton:master Oct 1, 2021
@faust64 faust64 deleted the fix-httpclient-ca branch October 1, 2021 19:23

lookas1 commented Oct 2, 2021

Can a similar fix be applied for 2.5.0? I can't seem to find httpclient in gems on my running image.


maxbes commented Oct 3, 2021

2.5.0 fails for a different reason: OpenSSL is too old to handle multiple chains correctly

this should fix it:

rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
update-ca-certificates #ignore warnings
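
The symptom discussed in this thread, where the same certificate is accepted by one trust store and rejected by another, can be reproduced offline by verifying against two different PEM bundles. The Ruby sketch below is an added example, not code from Greenlight or httpclient; the helper names and the two self-signed roots are constructed for illustration.

```ruby
require 'openssl'

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Split a PEM bundle (the format of a cacert.pem file) into certificate objects.
def load_bundle(pem)
  pem.scan(PEM_CERT).map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Subjects of bundle entries whose validity period has ended at time `at`.
def expired_subjects(pem, at)
  load_bundle(pem).select { |c| c.not_after < at }.map { |c| c.subject.to_s }
end

# Verify `cert` against a trust store built only from the bundle, at time `at`.
def trusted?(pem, cert, at)
  store = OpenSSL::X509::Store.new
  store.time = at
  load_bundle(pem).each { |ca| store.add_cert(ca) }
  store.verify(cert)
end

# Constructed sample data: a throwaway self-signed root, not a real CA.
def make_root(cn, serial, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

AT = Time.utc(2021, 10, 1) # fixed evaluation time so results are reproducible
OLD_ROOT = make_root('Constructed Old Root', 1, Time.utc(2000, 9, 30), Time.utc(2021, 9, 30))
NEW_ROOT = make_root('Constructed New Root', 2, Time.utc(2015, 6, 4), Time.utc(2035, 6, 4))
STALE_BUNDLE = OLD_ROOT.to_pem                  # outdated list: only the expired root
FRESH_BUNDLE = OLD_ROOT.to_pem + NEW_ROOT.to_pem # updated list: also knows the new root

puts "expired entries: #{expired_subjects(FRESH_BUNDLE, AT).inspect}"
puts "new root trusted via stale bundle? #{trusted?(STALE_BUNDLE, NEW_ROOT, AT)}"
puts "new root trusted via fresh bundle? #{trusted?(FRESH_BUNDLE, NEW_ROOT, AT)}"
```

To audit a real bundle, pass the contents of the PEM file to `expired_subjects` with `Time.now`.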

wbonis pushed a commit to styliteag/greenlight that referenced this pull request Dec 15, 2021
thifranc pushed a commit to thifranc/greenlight that referenced this pull request Dec 27, 2021