Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenSSL::SSL::SSLError while using LetsEncrypt ssl certificates #333

Closed
3 of 5 tasks
MishaTsypkin opened this issue Oct 1, 2021 · 10 comments
Closed
3 of 5 tasks

OpenSSL::SSL::SSLError while using LetsEncrypt ssl certificates #333

MishaTsypkin opened this issue Oct 1, 2021 · 10 comments
Labels
bug Indicates an unexpected problem or unintended behavior

Comments

@MishaTsypkin
Copy link

Software versions

  • OS: Ubuntu 20.04
  • Consumer Pact library:9.16.2
  • Provider Pact library: 2.74.1
  • Node Version: v12.15.0

Issue Checklist

Please confirm the following:

  • I have upgraded to the latest
  • I have read the FAQs in the Readme
  • I have triple checked, that there are no unhandled promises in my code and have read the section on intermittent test failures
  • I have set my log level to debug and attached a log file showing the complete request/response cycle
  • For bonus points and virtual high fives, I have created a reproducable git repository (see below) to illustrate the problem

Expected behavior

The client should establish an HTTPS connection to the Pact Broker

Actual behavior

Client fails to verify SSL certificates

Steps to reproduce

  1. Run a pact broker with LetsEncrypt SSL certificates
  2. Use @pact-foundation/pact library to establish an HTTPS connection with Pact broker.

Details

It seems that pact is using Ruby HTTP client under the hood, which is reported for having outdated SSL certificate files bundled inside the library.
In the httpclient issue, it is recommended to monkey patch HTTP client library to use system default SSL certificates.
@MishaTsypkin MishaTsypkin added the bug Indicates an unexpected problem or unintended behavior label Oct 1, 2021
@mefellows
Copy link
Member

mefellows commented Oct 1, 2021
edited
Loading

Please update, we released a version (v9.16.3) earlier this evening to fix this bug - can you please confirm if it fixes your problem?

@MishaTsypkin
Copy link
Author

MishaTsypkin commented Oct 1, 2021
edited
Loading

v9.16.3, it is still failing for my case:

    "@pact-foundation/pact": "9.16.3",
    "@pact-foundation/pact-node": "10.13.8"

Output:

$ NODE_ENV=test jest --config=jest.provider.cdc.config.js --runInBand
[2021-10-01 12:40:44.170 +0000] WARN (248 on 1523dc979738): [email protected]: 'consumerVersionTag' and 'providerVersionTag' have been deprecated, please use 'consumerVersionTags' or 'providerVersionTags' instead
 FAIL  src/__tests__/pact/provider/platform.provider.cdc.ts (17.843s)
  Platform cdc
    ✕ should verify the contract (11553ms)

  ● Platform cdc › should verify the contract

    Error making request - OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: certificate verify failed , attempt 1 of 3

    Error making request - OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: certificate verify failed , attempt 2 of 3

    Error making request - OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: certificate verify failed , attempt 3 of 3

@mefellows
Copy link
Member

mefellows commented Oct 1, 2021
edited
Loading

I've just checked that it supports allowing disabling of the certificate as per pact-foundation/pact-ruby-standalone#69 (comment), but it should also support the OpenSSL standard SSL_CERT_FILE or SSL_CERT_DIR env vars.

See also the upstream ticket: pact-foundation/pact-ruby-standalone#69.

I think it might need a separate solution to get the correct CA into the bundle, stay tuned.

@mefellows mefellows pinned this issue Oct 1, 2021
@mefellows
Copy link
Member

@TimothyJones going to pin this issue whilst we sort the situation out.

@mefellows mefellows mentioned this issue Oct 5, 2021
Closed
5 tasks
@MishaTsypkin
Copy link
Author

Finally made it work with SSL_CERT_FILE.
If anyone is still facing this issue - keep in mind that SSL certificates on your machine (or in CI image) might be outdated too.
You can download the latest certificates from the Mozilla repo in order to test it.

Thanks a lot @mefellows for the support!

@mefellows
Copy link
Member

Thank you for confirming Misha!

@mefellows
Copy link
Member

v10.13.9 is now released with upstream fix - can you please check if this resolves the issue? You should no longer need to set environment variables manually.

@MishaTsypkin
Copy link
Author

It looks like this is not yet available in the latest version of the client library pact-foundation/pact, but when I do:

  "resolutions": {
    "@pact-foundation/pact-node": "^10.13.9"
  }

It works like a charm! Thanks a lot @mefellows 🙏

@mefellows
Copy link
Member

Great, thanks for clarifying!

A clean install should bring in the right version, we only pin to the major version: https://github.com/pact-foundation/pact-js/blob/4c949aec080472ea18d883468e705918a5389430/package.json#L97

@TimothyJones
Copy link
Contributor

TimothyJones commented Oct 11, 2021 via email

@mefellows mefellows unpinned this issue Apr 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Indicates an unexpected problem or unintended behavior
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mefellows @TimothyJones @MishaTsypkin