
bundle install / gem install affected by DST Root CA X3 expiration #77

Open
@sachingade20


We are getting the below issue when doing bundle install with jruby today since the root CA is expired.
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190

There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
So basically it doesn't trust the first cert it finds in the chain even though it is in the keystore.
DST Root CA X3 is not there, just like in the OS store.
If we add it to the key store, we are getting the below error.

SSL verification error at depth 3: certificate has expired (10)
Certificate /O=Digital Signature Trust Co./CN=DST Root CA X3 expired at 2021-09-30T14:01:15Z

I have tested against the latest jruby docker image as well, and it is still the same.

root@45d0eee28a21:/# openssl version
OpenSSL 1.1.1d  10 Sep 2019


root@45d0eee28a21:/# jruby -version
jruby 9.3.0.0 (2.6.8) 2021-09-17 85c20e780f OpenJDK 64-Bit Server VM 25.302-b08 on 1.8.0_302-b08 +jit [linux-x86_64]


root@45d0eee28a21:/# cat Gemfile
source 'https://gems.contribsys.com/' do
  gem 'sidekiq-pro'
end

root@45d0eee28a21:/# bundle install
[DEPRECATED] This Gemfile does not include an explicit global source. Not using an explicit global source may result in a different lockfile being generated depending on the gems you have installed locally before bundler is run. Instead, define a global source in your Gemfile like this: source "https://rubygems.org".
Fetching source index from https://gems.contribsys.com/

Retrying fetcher due to error (2/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://gems.contribsys.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.

Retrying fetcher due to error (3/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://gems.contribsys.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.

Retrying fetcher due to error (4/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://gems.contribsys.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.

Could not verify the SSL certificate for https://gems.contribsys.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most
likely your system doesn't have the CA certificates needed for verification. For
information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect
without using SSL, edit your Gemfile sources and change 'https' to 'http'.
root@45d0eee28a21:/#

root@45d0eee28a21:/# gem source -a https://gems.contribsys.com/
ERROR:  SSL verification error at depth 3: certificate has expired (10)
Error fetching https://gems.contribsys.com/:
	certificate verify failed (https://gems.contribsys.com/specs.4.8.gz)
root@944e7cf133ba:/#

Can you please help with how to resolve this?
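The sketch below is an added example, not part of the original issue and not jruby-openssl code. It builds a constructed chain with the same shape as the one in the report (leaf, R3, ISRG Root X1 both self-signed and cross-signed by an expired DST Root CA X3) and shows which trust-store contents yield `certificate has expired (10)` at depth 3. It assumes MRI's OpenSSL bindings on OpenSSL 1.1.0 or later, where trusted certificates are tried first during path building; the host name, keys and dates are made up.

```ruby
require "openssl"

# Build one certificate; every name, key and date below is constructed for this demo.
def make_cert(cn, key, issuer, issuer_key, not_after, ca: true)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 10 * 86_400
  cert.not_after = not_after
  if ca # intermediates and roots need basicConstraints CA:TRUE to pass chain checks
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# leaf <- R3 <- ISRG Root X1, which exists twice with the same key:
# self-signed (still valid) and cross-signed by the expired DST Root CA X3.
def build_chain
  live = Time.now + 86_400
  k = Hash.new { |h, n| h[n] = OpenSSL::PKey::RSA.new(2048) }
  dst   = make_cert("DST Root CA X3", k[:dst], nil, k[:dst], Time.now - 86_400)
  x1    = make_cert("ISRG Root X1", k[:x1], nil, k[:x1], live)
  cross = make_cert("ISRG Root X1", k[:x1], dst, k[:dst], live)
  r3    = make_cert("R3", k[:r3], x1, k[:x1], live)
  leaf  = make_cert("gems.example.test", k[:leaf], r3, k[:r3], live, ca: false)
  { dst: dst, x1: x1, cross: cross, r3: r3, leaf: leaf }
end

# Verify the leaf with `anchors` as the trust store; R3 and the cross-signed
# X1 play the part of the intermediates a server sends (untrusted input).
def verify(c, anchors)
  store = OpenSSL::X509::Store.new
  anchors.each { |a| store.add_cert(a) }
  ctx = OpenSSL::X509::StoreContext.new(store, c[:leaf], [c[:r3], c[:cross]])
  ok = ctx.verify
  { ok: ok, error: ctx.error, depth: ctx.error_depth, message: ctx.error_string,
    path: (ctx.chain || []).map { |x| x.subject.to_s } }
end

if __FILE__ == $PROGRAM_NAME
  c = build_chain
  { "only expired DST root" => [c[:dst]], "only ISRG Root X1" => [c[:x1]],
    "both roots" => [c[:x1], c[:dst]] }.each do |label, anchors|
    puts "#{label}: #{verify(c, anchors)}"
  end
end
```

When the self-signed ISRG Root X1 is in the store, the path stops there and the expired root is never evaluated, even if it is also trusted; a result of error 10 at depth 3 means the verifier followed the cross-signed path instead.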
