
Comments (34)

JonTheStone avatar JonTheStone commented on June 3, 2024 8

No problem, @JonTheStone. Might be worth a try removing it, but best of luck!

@mattbarrry THANK YOU! That was 100% the problem. I installed the latest version of Airbrake gem and removed the certified gem and it worked like a charm.

@Brandon21318 @mmcdaris please see the above solution

from airbrake.

Brandon21318 avatar Brandon21318 commented on June 3, 2024 3

Seems to still persist on our side. However the error message has slightly changed. The old message being:

bundle stderr: **Airbrake: HTTP error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (certificate has expired)

has now changed to:

**Airbrake: HTTP error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain)

So it would seem that the certificate has been updated, however verification with the new one still fails.

We're using version 11.0.0 of the airbrake gem and 5.0.2 of airbrake-ruby

Hi,

We (airbrake team) have updated our certificate. The new cert includes an SSL.com Root cert which was created in 2016. We have had other customers with either an old version of an ssl library or an old OS (such as Ubuntu 14.04) which did not include this certificate, and it needed to be manually added to the trusted root certs. If this is a task you are able to complete yourself, the certificate can be downloaded from here:

https://www.ssl.com/how-to/install-ssl-com-ca-root-certificates/#downloads

You'll need the SSL_COM_TLS_RSA download which includes the SSLcomRootCertificationAuthorityRSA.crt file.

If you need further assistance, can you please provide errors after installing the Root certificate from SSL.com?

from airbrake.

Kilvak avatar Kilvak commented on June 3, 2024 2

Seems to still persist on our side. However the error message has slightly changed. The old message being:
bundle stderr: **Airbrake: HTTP error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (certificate has expired)
has now changed to:
**Airbrake: HTTP error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain)
So it would seem that the certificate has been updated, however verification with the new one still fails.
We're using version 11.0.0 of the airbrake gem and 5.0.2 of airbrake-ruby

Hi,

We (airbrake team) have updated our certificate. The new cert includes an SSL.com Root cert which was created in 2016. We have had other customers with either an old version of an ssl library or an old OS (such as Ubuntu 14.04) which did not include this certificate, and it needed to be manually added to the trusted root certs. If this is a task you are able to complete yourself, the certificate can be downloaded from here:

https://www.ssl.com/how-to/install-ssl-com-ca-root-certificates/#downloads

You'll need the SSL_COM_TLS_RSA download which includes the SSLcomRootCertificationAuthorityRSA.crt file.

If you need further assistance, can you please provide errors after installing the Root certificate from SSL.com?

That seems to have done the trick, yep.

The issue was that we were using the older OS.

from airbrake.

JonTheStone avatar JonTheStone commented on June 3, 2024 2

Thanks for working with me on this! I'll email with the results.

from airbrake.

mattbarrry avatar mattbarrry commented on June 3, 2024 2

No need @Brandon21318 - sorry, I should have posted in the original question.

It looks like we had added the certified gem at some point in the past. It broke with Ruby 3.x - stevegraham/certified#19

Removing the (seemingly) unnecessary gem fixed the problem for us, without having to do any of the other steps in the thread. I'm a little shaky on the why, but my assumption is the certs from the gem were overriding anything else we were trying above, and we couldn't update the certs via the gem because it's broken.

Anyways, this solved it for me, and hoping it solves it for someone else!

from airbrake.

wozzo avatar wozzo commented on June 3, 2024 1

We're getting ssl errors in the browser and through Sharpbrake for the last 24 hours.

from airbrake.

JonTheStone avatar JonTheStone commented on June 3, 2024 1

No need @Brandon21318 - sorry, I should have posted in the original question.

It looks like we had added the certified gem at some point in the past. It broke with Ruby 3.x - stevegraham/certified#19

Removing the (seemingly) unnecessary gem fixed the problem for us, without having to do any of the other steps in the thread. I'm a little shaky on the why, but my assumption is the certs from the gem were overriding anything else we were trying above, and we couldn't update the certs via the gem because it's broken.

Anyways, this solved it for me, and hoping it solves it for someone else!

Hey there! No, we're on ruby 2.7.5 and we do have the certified gem, but I don't believe that's the issue

from airbrake.

xMKx avatar xMKx commented on June 3, 2024

Same problem here.

from airbrake.

Kilvak avatar Kilvak commented on June 3, 2024

Seeing the same issue during a deploy. Notifying airbrake of a deploy, however the deploy fails when the notifying fails.

Quite possibly similar, if not the same issues in previous years:

#1095

#1203

from airbrake.

brainwipe avatar brainwipe commented on June 3, 2024

Same here.

from airbrake.

tswetonic avatar tswetonic commented on June 3, 2024

What version of the gem are you using @brainwipe @Kilvak @xMKx ?

from airbrake.

xMKx avatar xMKx commented on June 3, 2024

What version of the gem are you using @brainwipe @Kilvak @xMKx ?

We're @ 5.0.2 .

from airbrake.

tswetonic avatar tswetonic commented on June 3, 2024

We got an email confirmation from airbrake - they fixed this.

from airbrake.

Kilvak avatar Kilvak commented on June 3, 2024

Seems to still persist on our side. However the error message has slightly changed.
The old message being:

bundle stderr: **Airbrake: HTTP error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (certificate has expired)

has now changed to:

**Airbrake: HTTP error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain)

So it would seem that the certificate has been updated, however verification with the new one still fails.

We're using version 11.0.0 of the airbrake gem and 5.0.2 of airbrake-ruby

from airbrake.

JonTheStone avatar JonTheStone commented on June 3, 2024

We're seeing this as well during Capistrano deploys and on v10.0.4. No airbrake-ruby gem, just the airbrake gem.

from airbrake.

JonTheStone avatar JonTheStone commented on June 3, 2024

Seems to still persist on our side. However the error message has slightly changed. The old message being:
bundle stderr: **Airbrake: HTTP error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (certificate has expired)
has now changed to:
**Airbrake: HTTP error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain)
So it would seem that the certificate has been updated, however verification with the new one still fails.
We're using version 11.0.0 of the airbrake gem and 5.0.2 of airbrake-ruby

Hi,

We (airbrake team) have updated our certificate. The new cert includes an SSL.com Root cert which was created in 2016. We have had other customers with either an old version of an ssl library or an old OS (such as Ubuntu 14.04) which did not include this certificate, and it needed to be manually added to the trusted root certs. If this is a task you are able to complete yourself, the certificate can be downloaded from here:

https://www.ssl.com/how-to/install-ssl-com-ca-root-certificates/#downloads

You'll need the SSL_COM_TLS_RSA download which includes the SSLcomRootCertificationAuthorityRSA.crt file.

If you need further assistance, can you please provide errors after installing the Root certificate from SSL.com?

We seem to still be having issues and we're on Ubuntu 20.04 for our instances.

from airbrake.

Brandon21318 avatar Brandon21318 commented on June 3, 2024

We seem to still be having issues and we're on Ubuntu 20.04 for our instances.

And you installed the SSL.com root certificate/verified that it is installed on the affected machine?

from airbrake.

JonTheStone avatar JonTheStone commented on June 3, 2024

We seem to still be having issues and we're on Ubuntu 20.04 for our instances.

And you installed the SSL.com root certificate/verified that it is installed on the affected machine?

I believe so, yes.

Receiving this error: **Airbrake: HTTP error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)

Ran the following as root user to install:

wget https://d1smxttentwwqu.cloudfront.net/wp-content/uploads/2023/05/SSL_COM_TLS_RSA.zip?_gl=1*te4qsg*_gcl_au*NDAxMjQwMi4xNjk0Nzg5NjAx
unzip SSL_COM_TLS_RSA.zip?_gl=1*te4qsg*_gcl_au*NDAxMjQwMi4xNjk0Nzg5NjAx
mv /home/[MY USER]/SSL_COM_TLS_RSA/SSLcomRootCertificationAuthorityRSA.crt /usr/local/share/ca-certificates/
update-ca-certificates

I also rebooted both machines after these steps

from airbrake.

Brandon21318 avatar Brandon21318 commented on June 3, 2024

I believe so, yes.

Receiving this error: **Airbrake: HTTP error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)

Ran the following as root user to install:

wget https://d1smxttentwwqu.cloudfront.net/wp-content/uploads/2023/05/SSL_COM_TLS_RSA.zip?_gl=1*te4qsg*_gcl_au*NDAxMjQwMi4xNjk0Nzg5NjAx
unzip SSL_COM_TLS_RSA.zip?_gl=1*te4qsg*_gcl_au*NDAxMjQwMi4xNjk0Nzg5NjAx
mv /home/[MY USER]/SSL_COM_TLS_RSA/SSLcomRootCertificationAuthorityRSA.crt /usr/local/share/ca-certificates/
update-ca-certificates

I also rebooted both machines after these steps

Thanks for the info @JonTheStone.

We had similar problems after running the same steps on our Jenkins host. Turns out the update-ca-certificates did not install the certificates where Jenkins was looking for the certificates, at sql:/var/lib/jenkins/.pki/nssdb/

So we had to use certutil:

jenkins@jenkins:/home/breynolds$ certutil -d sql:/var/lib/jenkins/.pki/nssdb/ -A -t "CT,c,c" -n "SSL.com" -i /usr/local/share/ca-certificates/ssl-com-root.crt
jenkins@jenkins:/home/breynolds$ certutil -d sql:/var/lib/jenkins/.pki/nssdb/ -L | grep SSL
                                                             SSL,S/MIME,JAR/XPI
SSL.com                                                      CT,c,c

For example, if you are using Jenkins. If not, if you can share more info about the environment, I can try and assist in troubleshooting.

Thanks,
Brandon

from airbrake.

JonTheStone avatar JonTheStone commented on June 3, 2024

Not entirely sure where Capistrano/airbrake would be looking, but thanks for the info!

from airbrake.

Brandon21318 avatar Brandon21318 commented on June 3, 2024

Not entirely sure where Capistrano/airbrake would be looking, but thanks for the info!

You could verify that the certs are installed at /etc/ssl/certs/ by running the following:

breynolds@jenkins:~$ openssl s_client -showcerts -servername airbrake.io -connect airbrake.io:443 -CApath /etc/ssl/certs/ | openssl x509 -noout -dates
depth=2 C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com Root Certification Authority RSA
verify return:1
depth=1 C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com RSA SSL subCA
verify return:1
depth=0 CN = *.airbrake.io
verify return:1
notBefore=Sep 12 14:47:25 2023 GMT
notAfter=Oct 18 14:47:25 2023 GMT

from airbrake.

JonTheStone avatar JonTheStone commented on June 3, 2024

Seem to be there

root@[SERVER]:/home/[USER]# openssl s_client -showcerts -servername airbrake.io -connect airbrake.io:443 -CApath /etc/ssl/certs/ | openssl x509 -noout -dates
depth=2 C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com Root Certification Authority RSA
verify return:1
depth=1 C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com RSA SSL subCA
verify return:1
depth=0 CN = *.airbrake.io
verify return:1
notBefore=Sep 12 14:47:25 2023 GMT
notAfter=Oct 18 14:47:25 2023 GMT

from airbrake.

Brandon21318 avatar Brandon21318 commented on June 3, 2024

Ok. Gonna get with the ruby dev team and see if they have any input on where Capistrano/airbrake would be looking. Thanks for the info Jon.

from airbrake.

JonTheStone avatar JonTheStone commented on June 3, 2024

Ok. Gonna get with the ruby dev team and see if they have any input on where Capistrano/airbrake would be looking. Thanks for the info Jon.

Thanks. I just rebooted the machines and tried again but still failing. Let me know if you need anything else from me.

Also, FWIW, this is the airbrake:deploy Capistrano step in our deploy process

from airbrake.

Brandon21318 avatar Brandon21318 commented on June 3, 2024

One more thing Jon,

Can you provide the output for the following:

openssl version
openssl version -d

from airbrake.

JonTheStone avatar JonTheStone commented on June 3, 2024

OpenSSL 1.1.1f 31 Mar 2020 and OPENSSLDIR: "/usr/lib/ssl" respectively

from airbrake.

Brandon21318 avatar Brandon21318 commented on June 3, 2024

Jon,

Would you try setting the following ENV variable in your Ruby code:

ENV['SSL_CERT_DIR'] = '/etc/ssl/certs/'

from airbrake.

JonTheStone avatar JonTheStone commented on June 3, 2024

Tried adding to the .env file on the server as well as running this: RAILS_ENV=staging SSL_CERT_DIR='/etc/ssl/certs' bundle exec rake airbrake:deploy and got the same error as before

from airbrake.

mmcdaris avatar mmcdaris commented on June 3, 2024

Hi @JonTheStone, sorry for the issues with this, can you try this next? Thanks for all your patience.
If we want to break off into a private thread feel free to email us details to [email protected] and we can continue there.
We can do some more iterations and just post back what worked here once we get it sorted.

Okay next try saving this script as airbrake_req.rb

require 'net/http'
require 'uri'

uri = URI.parse("https://airbrake.io/")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true

request = Net::HTTP::Get.new(uri.request_uri)
http.request(request)

Then we can strace it and grep for "cert" to see what matches we get. The idea being to see where ruby is looking when it's checking for certs.

strace ruby airbrake_req.rb 2>&1 | grep "cert"

If you see no output you can grep for some other clues but please double check there is no sensitive data in the output if shared.

from airbrake.
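
The check the comment above is driving at, as an added Ruby example (not part of the thread and not Airbrake's code): it reports which CA file and directory this Ruby's OpenSSL uses by default, then verifies a constructed root, subCA and leaf chain against an empty and a populated trust store to reproduce the "self signed certificate in certificate chain" failure. All certificates and names are generated test values, and the helper names are hypothetical.

```ruby
require 'openssl'

# Paths this Ruby's OpenSSL consults when a client calls set_default_paths;
# the SSL_CERT_FILE / SSL_CERT_DIR environment variables override the built-ins.
def trust_locations
  { file: ENV['SSL_CERT_FILE'] || OpenSSL::X509::DEFAULT_CERT_FILE,
    dir:  ENV['SSL_CERT_DIR']  || OpenSSL::X509::DEFAULT_CERT_DIR }
end

# Issue a constructed test certificate (not a real SSL.com or Airbrake cert).
# With no issuer given, the certificate is self-signed.
def issue(cn, key, issuer = nil, issuer_key = nil, ca: true)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true)) if ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Verify the leaf as a TLS client would: `presented` is what the server sends,
# `anchors` is what this process trusts. Returns [ok, error_code, error_string].
def verify_chain(leaf, presented, anchors)
  store = OpenSSL::X509::Store.new
  anchors.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, presented)
  [ok, store.error, store.error_string]
end

# Same presented chain, two trust stores: one without the root, one with it.
def demo
  keys = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = issue('Constructed Root CA', keys[0])
  sub  = issue('Constructed subCA', keys[1], root, keys[0])
  leaf = issue('*.example.test', keys[2], sub, keys[1], ca: false)
  { untrusted: verify_chain(leaf, [sub, root], []),
    trusted:   verify_chain(leaf, [sub, root], [root]) }
end

if $PROGRAM_NAME == __FILE__
  puts "trust locations: #{trust_locations}"
  demo.each { |name, (ok, code, msg)| puts "#{name}: ok=#{ok} code=#{code} (#{msg})" }
end
```

The failing case returns OpenSSL error 19: the presented chain reached a self-signed root that the verifying process's own trust store does not contain, so what matters is the store that the Ruby process actually loads.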

mattbarrry avatar mattbarrry commented on June 3, 2024

I've been following along here, suffering from basically the same issue. @JonTheStone - any chance you're on Ruby 3.x and using the certified gem?

from airbrake.

Brandon21318 avatar Brandon21318 commented on June 3, 2024

Hi mattbarry,

Can you try steps listed here: #1254 (comment)

And create an email chain with [email protected]? I am working with Jon there now following these steps and can jump in and follow up with you as well.

from airbrake.

mattbarrry avatar mattbarrry commented on June 3, 2024

No problem, @JonTheStone. Might be worth a try removing it, but best of luck!

from airbrake.

Brandon21318 avatar Brandon21318 commented on June 3, 2024

That's excellent news!

from airbrake.

mmcdaris avatar mmcdaris commented on June 3, 2024

Thanks for reporting this one and providing detailed reports. I'll close this one out, if anyone still needs help please email [email protected] and we'll get you sorted 👍

from airbrake.
