The system on which our Github Enterprise server resides recently underwent a security upgrade, and now no longer supports TLS v1.0. We host a gem on that github server, which is retrieved by bundler via https using an x-oauth-basic token, like so:
gem 'our_gem', git: 'https://abcdef123456abcdef123456:x-oauth-basic@github.our-company.com/department/our_gem.git', require: false
Since the security upgrade, bundle install has started failing with:
fatal: unable to access 'https://abcdef123456abcdef123456:x-oauth-basic@github.our-company.com/department/our_gem.git': Peer reports incompatible or unsupported protocol version.
I have verified that the version of Ruby and OpenSSL we have do support TLS v1.2 - so how can we force bundler to use TLS v1.2?
So I've been building a blog site using Jekyll and a specific theme called Chirpy, and deploying it all using Cloudflare Pages. The code is stored in a private GitHub repository, so any time I push code a new build gets generated by Cloudflare automatically.
It's been working fine for months but after some updates deploying a new build fails as:
12:57:58.188 Success: Finished cloning repository files
12:57:58.890 Installing dependencies
12:57:58.901 Python version set to 2.7
12:58:03.233 v12.18.0 is already installed.
12:58:04.608 Now using node v12.18.0 (npm v6.14.4)
12:58:04.922 Started restoring cached build plugins
12:58:04.937 Finished restoring cached build plugins
12:58:05.597 Attempting ruby version 2.7.1, read from environment
12:58:09.668 Using ruby version 2.7.1
12:58:10.041 Using PHP version 5.6
12:58:10.042 Started restoring cached ruby gems
12:58:10.060 Finished restoring cached ruby gems
12:58:10.062 Installing gem bundle
12:58:10.368 [DEPRECATED] The `--path` flag is deprecated because it relies on being remembered across bundler invocations, which bundler will no longer do in future versions. Instead please use `bundle config set path '/opt/buildhome/cache/bundle'`, and stop using this flag
12:58:10.526 [DEPRECATED] The --binstubs option will be removed in favor of `bundle binstubs`
12:58:13.673 Fetching gem metadata from https://rubygems.org/..........
12:58:13.834 Fetching gem metadata from https://rubygems.org/.
12:58:13.935 Resolving dependencies...
12:58:14.019 sass-embedded-1.58.0-x86_64-linux-musl requires rubygems version >= 3.3.22,
12:58:14.019 which is incompatible with the current version, 3.1.2
12:58:14.052 Error during gem install
12:58:14.073 Failed: build command exited with code: 1
12:58:14.848 Failed: an internal error occurred
Now Cloudflare allows you to specify which command you want to use in order to execute the build, that being:
bundle exec jekyll b
I've been looking for a way to update the Ruby version being used in Cloudflare and could not find any resources more than this one post. I've tried changing the Gemfile like:
spec.required_ruby_version = ">= 3.0"
but it seems like Cloudflare does not support Ruby 3 at all. I then had the idea to use an older version of the Chirpy theme, since I already have a deployed version of the blog; I went back to Chirpy 5.2.1, but surprisingly the error persists.
Definitely adding gem "jekyll-sass-converter", "~> 2.0" to the Gemfile solved this problem, as Christian mentioned.
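The builder's refusal in the log above is a plain requirement check: a gem's `required_rubygems_version` (and `required_ruby_version`) is matched against the version the build image has. The script below is an added example, not code from the post, from Cloudflare or from the Chirpy theme; it reproduces that check offline with constructed sample specs (only sass-embedded 1.58.0 and its `>= 3.3.22` requirement come from the log) and shows why a `~> 2.0` pin on jekyll-sass-converter keeps the 3.x line, which is what pulls in sass-embedded, out of the resolution. `sample_spec`, `incompatible_gems` and `versions_allowed_by` are this example's own names.

```ruby
require "rubygems"

# Added example, not code from the post above. The specs are constructed; only
# sass-embedded 1.58.0 and its ">= 3.3.22" rubygems requirement are from the log.
def sample_spec(name, version, rubygems: ">= 0", ruby: ">= 0")
  Gem::Specification.new do |s|
    s.name = name
    s.version = version
    s.required_rubygems_version = rubygems   # strings become Gem::Requirement
    s.required_ruby_version = ruby
  end
end

# One line per gem the builder would refuse, in the log's own wording.
def incompatible_gems(specs, rubygems_version:, ruby_version:)
  rg = Gem::Version.new(rubygems_version)
  rb = Gem::Version.new(ruby_version)
  specs.flat_map do |s|
    problems = []
    unless s.required_rubygems_version.satisfied_by?(rg)
      problems << "#{s.full_name} requires rubygems version #{s.required_rubygems_version}, which is incompatible with the current version, #{rg}"
    end
    unless s.required_ruby_version.satisfied_by?(rb)
      problems << "#{s.full_name} requires ruby version #{s.required_ruby_version}, which is incompatible with the current version, #{rb}"
    end
    problems
  end
end

# Why pinning jekyll-sass-converter "~> 2.0" avoided the error: the pessimistic
# operator admits 2.x only, so the 3.x releases that depend on sass-embedded
# are never candidates.
def versions_allowed_by(requirement, candidates)
  req = Gem::Requirement.new(requirement)
  candidates.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

SAMPLE_SPECS = [
  sample_spec("sass-embedded", "1.58.0", rubygems: ">= 3.3.22", ruby: ">= 2.6.0"),
  sample_spec("jekyll-sass-converter", "3.0.0", ruby: ">= 2.7.0"),
  sample_spec("jekyll", "4.3.2", ruby: ">= 2.5.0"),
].freeze

if __FILE__ == $0
  # The builder in the log: RubyGems 3.1.2 on Ruby 2.7.1
  puts incompatible_gems(SAMPLE_SPECS, rubygems_version: "3.1.2", ruby_version: "2.7.1")
  p versions_allowed_by("~> 2.0", %w[2.0.0 2.2.2 3.0.0 3.1.0])
end
```

Run it against the lockfile's real versions before pushing to a builder you cannot upgrade: every line it prints is a gem that `bundle install` will reject there, and the fix is either a newer RubyGems on the builder or a pin that keeps the offending release out of the lockfile.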
On a fresh install of an old Windows Ruby binary, I have an error that I don't know how to get around.
environment:
windows 10
ruby 2.3.3p222 (2016-11-21 revision 56859) [i386-mingw32] (32 bit version)
devkit - DevKit-mingw64-32-4.7.2-20130224-1151-sfx
PS C:\Users\ALilland> gem install bundler --verbose
HEAD http://api.rubygems.org/api/v1/dependencies
200 OK
GET http://api.rubygems.org/api/v1/dependencies?gems=bundler
301 Moved Permanently
ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError)
SSL_connect returned=1 errno=0 state=error: certificate verify failed (https://api.rubygems.org/api/v1/dependencies)
I've been using this Ruby version for almost 8 years and have never seen this issue while installing. Any ideas on how to get around it?
I've messed with the proxy settings on the machine and I do not currently believe that is the issue.
on my mac I have an old ruby 2.4.1 install with rvm, and I can see that it resolves successfully to a different URI
$ gem install bundler -v 2.3.26 --verbose
HEAD https://rubygems.org/api/v1/dependencies
200 OK
GET https://rubygems.org/api/v1/dependencies?gems=bundler
200 OK
Downloading gem bundler-2.3.26.gem
GET https://rubygems.org/gems/bundler-2.3.26.gem
Fetching bundler-2.3.26.gem
200 OK
...
The problem is that the SSL certificates can't be verified. This is explained in detail in the Bundler documentation:
Why am I seeing certificate verify failed?
If you’ve seen the following SSL error when trying to pull updates from RubyGems: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
This error happens when your computer is missing a file that it needs to verify that the server behind RubyGems.org is the correct one.
The latest version of RubyGems should fix this problem, so we recommend updating to the current version. To tell RubyGems to update itself to the latest version, run gem update --system. If that doesn’t work, try the manual update process below.
(What do we mean by updating “should fix this problem”? Review the What are these certificates? and How Ruby uses CA certificates sections below to gain a better understanding of the underlying problems.)
How Ruby uses CA certificates
The SSL certificate used by RubyGems.org descends from a new-ish root certificate. Ruby (and therefore RubyGems and Bundler) does not have a regularly updated CA bundle to use when contacting websites. Usually, Ruby uses a CA bundle provided by the operating system (OS). On older OSes, this CA bundle can be really old—as in a decade old. Since a CA bundle that old can’t verify the (new-ish) certificate for RubyGems.org, you might see the error in question: certificate verify failed.
Further complicating things, an otherwise unrelated change 18-24 months ago led to a new SSL certificate being issued for RubyGems.org. This meant the “root” certificate that needed to verify connections changed. So even if you’d previously upgraded RubyGems/Bundler in order to fix the SSL problem, you would need to upgrade again—this time to an even newer version with even newer certificates.
There are advanced troubleshooting steps available in the documentation that I'm not going to replicate here as they are subject to change and you should always reference the latest instructions.
I can say very broadly though that:
You are using a version of Ruby that is end-of-life and will not receive further updates, including security updates
You are using a version of Ruby that possibly cannot be made to work even with the troubleshooting steps
The safest solution is likely to upgrade to a modern version of Ruby
If you cannot get any of the above steps to work then consider using :ssl_verify_mode: 0 in .gemrc. This should be a last-resort measure as it completely disables SSL certificate validation.
I've been at this upgrade for multiple hours now and am finally truly stuck.
It all started when I received the typical Bundler::Fetcher::CertificateFailureError. After much tinkering I think I have everything upgraded to the most current version
$ gem -v
2.6.9
$ ruby -v
ruby 2.3.3p222 (2016-11-21 revision 56859) [i386-mingw32]
$ bundle -v
Bundler version 1.14.2
At some point I changed my gem source with
$ gem sources --remove http://rubygems.org
$ gem sources --add http://rubygems.org
I've also changed my Gemfile to http
When I run `bundle install` I get the following error (note, I had to manually break the bit.ly URL to post the content of the error):
Fetching source index from https://rails-assets.org/
Retrying fetcher due to error (2/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://rails-assets.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit. ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
Retrying fetcher due to error (3/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://rails-assets.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit. ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
Retrying fetcher due to error (4/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://rails-assets.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit. ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
Could not verify the SSL certificate for https://rails-assets.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most
likely your system doesn't have the CA certificates needed for verification. For
information about OpenSSL certificates, see http://bit. ly/ruby-ssl. To connect
without using SSL, edit your Gemfile sources and change 'https' to 'http'.
So I'm right back where I started from. On a side note, I'm now getting another error when I try to https: to my gem sources but that might be better as a different question after I get this one taken care of.
Try changing the rails-assets source to http://insecure.rails-assets.org/
It might be caused by RubyGems' move from SHA-1 to SHA-2. Here's a helpful guide on their website on how to fix the issue
If that and the guides in the bitly didn't fix it, you might have to reinstall. I've encountered this before and nothing seemed to work even after ensuring that my certificates were up to date; luckily, a reinstall seemed to fix it.
You can update the openssl package
C:\>gem install rhc
ERROR: Could not find a valid gem 'rhc' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)
tried with the following commands:
gem sources -r https://rubygems.org
gem sources -a http://rubygems.org
But the same error still exists when trying to set up rhc.
rhc setup
By following these steps the rhc gem is installed successfully, but when executing "rhc setup" to connect to OpenShift, here is the error message instead of a connection to the OpenShift server:
The problem is that your Windows machine does not recognize the rubygems server certificate as a trusted certificate because Windows doesn't have its authority certificate present in its trusted certs store.
As a quick fix you'd need to remove the HTTPS version of the rubygems source URL (not HTTP as you did):
gem sources -r https://rubygems.org
This quick fix should make rubygems use the HTTP version which has no certificate checks involved.
But this should not be the definitive fix. Instead you should add the HTTPS source back (using the -a option) and install a proper CA certificate for the rubygems server cert into your windows trusted CA certs store.
There are quite a few pages that deal with this procedure on the net (google this), e.g. the post here has steps to download and install all CA certificates from the curl command, to your Windows machine, that fixes the problem permanently and without lowering security.
The reason and fix for the problem is stated here
Previously, this certificate was provided by one Certificate Authority, but the new certificate is provided by a different one.
Because of this, versions of RubyGems with both certificates were released, in an attempt to simplify the change.
However, at the scale RubyGems operates at, it’s impossible to make sure everybody updates the software. There are also operating systems shipping with old versions. As such, sometimes manual intervention (as described above) is required.
This has been described on Issue #1050
To fix the problem, follow these steps:
Download rubygems-update-2.6.7.gem. The download should be saved in a location you can later easily point to. Let's use like C:\rubygems-update-2.6.7.gem
On the command line, run the following commands:
C:\>gem install --local C:\rubygems-update-2.6.7.gem
C:\>update_rubygems --no-ri --no-rdoc
Run the following commands to uninstall rubygems-update:
C:\>gem uninstall rubygems-update -x
This should solve the problem.
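Three threads above come down to the same two handshake checks: the first question (a peer that dropped TLS 1.0 while the client still offers it), the bundler-docs answer on a CA bundle that does not contain the root RubyGems.org now chains to (and the `:ssl_verify_mode: 0` last resort), and the rhc answers on adding the issuing CA to the trust store after the root changed. The script below is an added example, not code from any of the posts, from RubyGems or from Bundler. It builds everything in-process: two throwaway root CAs ("old" and "new"), a leaf certificate for localhost issued by the new root, and a TLS server on 127.0.0.1 that accepts TLS 1.2 and up only, then runs each failure mode against it. `make_cert`, `verify_chain`, `start_server`, `probe` and `run_demo` are this example's own names.

```ruby
require "openssl"
require "socket"

# Added example, not code from any post above. All certificates and the
# server are created in-process; helper names are this example's own.

def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                               # X.509 v3
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:#{ca}".upcase, true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}")) unless ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Offline form of the handshake check: does `leaf` chain to a trusted root?
# error_string is the text Ruby appends to "certificate verify failed".
def verify_chain(leaf, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  [store.verify(leaf), store.error_string]
end

# A server that, like the upgraded host in the first post, no longer speaks
# TLS 1.0/1.1. Returns [port, stop_lambda].
def start_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  tcp = TCPServer.new("127.0.0.1", 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    loop do
      begin
        server.accept.close
      rescue OpenSSL::SSL::SSLError, Errno::ECONNRESET, Errno::EPIPE
        next                                     # rejected handshake, keep serving
      rescue IOError, Errno::EBADF
        break                                    # listener closed by stop
      end
    end
  end
  [tcp.addr[1], -> { tcp.close; thread.join }]
end

# One client handshake with the given trust anchors; `version` pins a single
# protocol version the way Ruby's OpenSSL min_version/max_version do.
def probe(port, trusted, version: nil, verify_mode: OpenSSL::SSL::VERIFY_PEER)
  sock = nil
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_mode
  ctx.verify_hostname = (verify_mode == OpenSSL::SSL::VERIFY_PEER)
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| trusted.each { |c| s.add_cert(c) } }
  ctx.min_version = ctx.max_version = version if version
  sock = TCPSocket.new("127.0.0.1", port)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.hostname = "localhost"                     # SNI and the name verify_hostname checks
  ssl.sync_close = true
  ssl.connect
  result = { ok: true, protocol: ssl.ssl_version,
             verified: ssl.verify_result == OpenSSL::X509::V_OK }
  ssl.close
  result
rescue OpenSSL::SSL::SSLError, Errno::ECONNRESET => e
  sock&.close
  { ok: false, error: e.message }
end

def run_demo
  old_key, new_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  old_root = make_cert("old-test-root", old_key, ca: true)
  new_root = make_cert("new-test-root", new_key, ca: true)
  leaf = make_cert("localhost", leaf_key, issuer: new_root, issuer_key: new_key)
  port, stop = start_server(leaf, leaf_key)
  results = {
    # stale CA bundle from the bundler docs: only the old root is trusted
    offline_old_bundle: verify_chain(leaf, [old_root]),
    offline_new_bundle: verify_chain(leaf, [new_root]),
    tls_old_bundle:     probe(port, [old_root]),
    tls_new_bundle:     probe(port, [new_root]),
    # :ssl_verify_mode: 0 -- connects, yet verify_result still says unverified
    tls_verify_none:    probe(port, [], verify_mode: OpenSSL::SSL::VERIFY_NONE),
    # the first post: client pinned to TLS 1.0 against a TLS 1.2-only peer
    tls10_forced:       probe(port, [new_root], version: OpenSSL::SSL::TLS1_VERSION),
    tls12_forced:       probe(port, [new_root], version: OpenSSL::SSL::TLS1_2_VERSION),
  }
  stop.call
  results
end

run_demo.each { |name, r| puts "#{name}: #{r.inspect}" }
```

Two things to read off the output. First, the `VERIFY_NONE` probe "succeeds" while `verify_result` still reports the chain as unverified, which is exactly what `:ssl_verify_mode: 0` buys you: the download proceeds, and nothing has checked who served it. Adding the missing root to the store (here `trusted`, on a real machine the OS bundle, `SSL_CERT_FILE`, or the certificates a newer RubyGems ships) is the fix that keeps verification on. Second, the `fatal:` line in the first question is printed by git, which Bundler runs for `git:` sources, so Ruby's own OpenSSL binding (what this probe exercises) is not the library making that connection; git's TLS floor is set with `git config --global http.sslVersion tlsv1.2` or the `GIT_SSL_VERSION` environment variable.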
I am currently running a gem server for our company that stores our local in-house gems. We are currently using the default rubygems server that is invoked with gem server. However, whenever we fetch from this server (using bundler) we get:
Could not fetch prerelease specs from rubygems repository http://rubygems.myserver.org
The server works fine otherwise, but we would actually like to have our server support prerelease anyhow. Is anyone running a gem server successfully with prerelease? If so what server are you using and how? I cannot seem to find any documentation on this.
The solution to this is not to use gem server, but to use a regular web server and then execute gem generate_index. This successfully built prerelease and regular indexes.
http://docs.rubygems.org/read/chapter/18 section 4.2