I have a small Rails app that performs various checks on our platform and sends me an email in case of an issue. Everything was running fine until today, when I started getting alerts about the following error:
SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
Now the problem is that the certificate in question is valid. It gets automatically renewed (Let’s Encrypt), and this code has been untouched for a couple of years and never had any issues before, and suddenly this started to happen.
The code that throws the exception:
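    require 'net/http'
    require 'uri'

    # Returns true when a GET to the given HTTPS URL answers 200, false otherwise.
    # A certificate verification failure raises OpenSSL::SSL::SSLError from http.request.
    def get_request(url)
      uri = URI.parse(url)
      http = Net::HTTP.new(uri.host, uri.port)
      http.use_ssl = true
      # Anything slower than 10 seconds counts as too slow
      http.open_timeout = 10
      http.read_timeout = 10
      request = Net::HTTP::Get.new(uri.request_uri)
      response = http.request(request)
      if response.code.to_i == 200
        return true
      else
        puts "Failed to GET #{url}: #{response.code.to_i}"
        return false
      end
    end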
If I open the site in the browser, it shows the secure connection without issues and shows that it is using a valid certificate. Furthermore, if I check with certbot, I get the following: Expiry Date: 2021-11-22 17:48:58+00:00 (VALID: 52 days)
So clearly the certificate is valid; why is Rails suddenly throwing a tantrum about it?
Note that I have restarted Nginx just in case; that didn’t help.
Additional info: Ubuntu 16.04.5, OpenSSL 1.0.2g 1 Mar 2016, Rails 4.2, Ruby 2.6.5
EDIT:
This error also happens with a different url, which also has a valid certificate.
EDIT 2:
I’ve isolated the problem: it is related to the Let’s Encrypt DST Root CA X3 that has expired. A lot of people are dealing with this issue; I’ll report my solution once I find one.
2 Answers
So after reading through this long thread of the Let's Encrypt community, the solution for my case ended up being to remove the DST Root CA X3 certificate:
After that no more errors from openssl.
I had this exact issue. I finally tracked it down to this gem: https://github.com/stevegraham/certified. Unfortunately, another gem we had included in our Gemfile had listed certified as a dependency. This gem provides a certificate bundle back from 2014 and is extremely out of date. Check your Gemfile.lock to see if certified is listed. If it is, remove the gem(s) that require this dependency and see if that solves your issue.
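Both answers point at the CA bundle that Ruby's OpenSSL trusts rather than at the site's own certificate. The following is an added example, not code from the question or either answer: it lists every certificate in a PEM bundle that is past its notAfter date. `sample_root` and `sample_bundle` are hypothetical helpers that build constructed test data so the script runs offline.

```ruby
require 'openssl'

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# List [subject, not_after] for each certificate in a PEM bundle that is
# already expired at `now`.
def expired_in_bundle(pem_bundle, now = Time.now)
  pem_bundle.scan(PEM_CERT)
            .map { |pem| OpenSSL::X509::Certificate.new(pem) }
            .select { |cert| cert.not_after < now }
            .map { |cert| [cert.subject.to_s, cert.not_after.utc] }
end

# Constructed sample data: a throwaway self-signed root, not a real CA.
def sample_root(common_name, not_before, not_after, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed two-certificate bundle: one root past its notAfter, one current.
def sample_bundle
  key = OpenSSL::PKey::RSA.new(2048)
  [
    sample_root('Constructed Expired Root', Time.utc(2000, 1, 1), Time.utc(2021, 9, 30), key),
    sample_root('Constructed Current Root', Time.utc(2015, 1, 1), Time.utc(2035, 1, 1), key)
  ].map(&:to_pem).join
end

if __FILE__ == $PROGRAM_NAME
  # With no arguments, scan the constructed bundle; otherwise scan the files
  # named on the command line (e.g. the path in OpenSSL::X509::DEFAULT_CERT_FILE).
  bundles = ARGV.empty? ? { 'sample' => sample_bundle } : ARGV.to_h { |p| [p, File.read(p)] }
  bundles.each do |name, pem|
    expired_in_bundle(pem).each { |subject, at| puts "#{name}: #{subject} expired #{at}" }
  end
end
```

Run it against the bundle file your Ruby process actually loads; an expired root in the output is a candidate for the removal described in the first answer.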