
I have a small Rails app that performs various checks on our platform and sends me an email in case of an issue. Everything was running fine until today, when I started getting alerts about the following error:

SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)

Now the problem is that the certificate in question is valid and gets automatically renewed (Let’s Encrypt). This code has been untouched for a couple of years and never had any issues before, and suddenly this started to happen.

The code that throws the exception:

require 'net/http'
require 'uri'

# Returns true when a GET to the given HTTPS URL answers 200, false otherwise.
def get_request(url)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  # TLS with Net::HTTP's default peer verification (VERIFY_PEER)
  http.use_ssl = true

  # More than 10 seconds is too slow
  http.open_timeout = 10
  http.read_timeout = 10

  request = Net::HTTP::Get.new(uri.request_uri)
  response = http.request(request)

  if response.code.to_i == 200
    return true
  else
    puts "Failed to GET #{url}: #{response.code.to_i}"
    return false
  end
end

If I open the site in the browser, it shows the secure connection without issues and shows that it is using a valid certificate. Furthermore, if I check with certbot I get the following: Expiry Date: 2021-11-22 17:48:58+00:00 (VALID: 52 days). So clearly the certificate is valid; why is Rails suddenly throwing a tantrum about it?

Note that I have restarted Nginx just in case; that didn’t help.

Additional info: Ubuntu 16.04.5, OpenSSL 1.0.2g 1 Mar 2016, Rails 4.2, Ruby 2.6.5

EDIT:

This error also happens with a different URL, which also has a valid certificate.

EDIT 2:

I’ve isolated the problem: it is related to the Let’s Encrypt DST Root CA X3 certificate, which has expired. A lot of people are dealing with this issue; I’ll report my solution once I find one.

2 Answers


  1. Chosen as BEST ANSWER

    So after reading through this long thread of the Let's Encrypt community, the solution for my case ended up being to remove the DST Root CA X3 certificate:

    sudo rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
    sudo update-ca-certificates
    

    After that no more errors from openssl.


  2. I had this exact issue. I finally tracked it down to this gem: https://github.com/stevegraham/certified. Unfortunately, another gem we had included in our Gemfile had listed certified as a dependency. This gem provides a certificate bundle from back in 2014 and is extremely out of date. Check your Gemfile.lock to see if certified is listed. If it is, remove the gem(s) that require this dependency and see if that solves your issue.
