Excon SSL verification problem for Onebox

Hi all,

I've just set up a Discourse server and started testing it, and so far it's great. I have a problem where Onebox fails to work because of what I think is an SSL inspection filter that fails verification in the excon library. I downloaded the custom root certificate and added it to /etc/ssl/certs on the host, and even inside the container (for testing), to no avail. The following error still shows up in /log/rails/production.log every time I paste a link to embed.

Onebox failed [youtube link] SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError) certificate verify failed.

It's been suggested to change excon's default settings to point it at a different SSL path, but I'm not sure how to do that safely while still allowing Discourse to update. Can anyone offer advice on how to make sure the custom root certificate is treated as valid inside excon? Is there a rails -r exec command I can add to app.yml?

Many thanks,

Glenn.

Which URL is showing the issue? Are you using the official Docker based install of Discourse?

Looks like by default excon bundles its own certificate bundle but since other people had similar issues, he’s added the ability to configure it in the environment? And it’ll use the system one if the certificate is in properly.

It might need the hash link to work. Can you try the following and see if it solves the problem?

  • do both:
    • add your custom cert to /etc/ssl/certs inside the container

    • add the hash link: e.g.

      ln -s my_custom_cert.pem /etc/ssl/certs/$(openssl x509 -hash -noout -in /etc/ssl/certs/my_custom_cert.pem).0

Thanks Michael,

I set the environment variable and created the hash, and I’m not seeing a visible SSL error now, but still onebox is not doing anything. Don’t know if Jeff has any advice on what I might be doing wrong? @codinghorror.

I’m concerned that making changes inside the container will just get destroyed upon a rebuild though, so I’m not sure what the best approach here is.

Glenn.

It may have cached the failure, but let’s test one thing at a time.

You shouldn’t need to add the environment variable, but you can check to see whether adding the certificate worked by doing, for example:

root:~# /var/discourse/launcher enter app
root@app:/var/www/discourse# rails console
[1] pry(main)> Net::HTTP.get URI 'https://meta.discourse.org/about.json'

If you get a result (and you didn’t before), that means the certificate is properly installed. Then you can add commands to the container definition to install that certificate on every rebuild so it’ll persist.

Thanks Michael, the rails console command worked fine, it’s able to download the json file you linked.

I’m not sure if that wouldn’t have worked previously, but I had previously installed the root cert into /etc/ssl/certs/ and it wasn’t working still.

I ran export SSL_CERT_DIR="/etc/ssl/certs/" in the container and the SSL error seemed to go away after that. At least I’m no longer seeing anything in the production.log.

Thanks,

Glenn.

Actually, I think I may have worked out the issue now. It’s an authentication prompt with the corporate filter I believe. I did the Net::HTTP.get in the console using a youtube oembed uri to retrieve the embed JSON and instead it provided back an authentication html document. So I think that’s what is getting in the way now. Thanks a bunch Michael.

Did you also create the symlink? That’s a very important part.

To get the certificate permanently in place, you want to amend the app.yml file and add or modify a hooks section to something like the following:

hooks:
  before_code:
    - file:
        path: /etc/ssl/certs/custom-root.crt
        chmod: 644
        contents: |
          -----BEGIN CERTIFICATE-----
          …
          -----END CERTIFICATE-----
    - exec:
        cmd:
          - bash -c "ln -s custom-root.crt /etc/ssl/certs/$(openssl x509 -hash -noout -in /etc/ssl/certs/custom-root.crt).0"
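
As an added illustration of why the hash link in the steps above (and in the app.yml hook) matters, the Ruby script below is example code written for this page; it is not part of the thread, Discourse or excon. It builds a throwaway root CA and a leaf certificate signed by it, drops the root PEM into a temporary directory once without and once with the <subject-hash>.0 symlink that `openssl x509 -hash` produces, and verifies the leaf against that directory the way OpenSSL's by-directory lookup (what SSL_CERT_DIR, Net::HTTP and excon's CA path all end up using) does. The CA name, hostname and file names are invented for the example.

```ruby
require 'openssl'
require 'tmpdir'

# Build a throwaway self-signed root CA and a leaf certificate it signs.
# Names and lifetimes are constructed for this example only.
def make_ca_and_leaf
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2 # X.509 v3
  ca.serial = 1
  ca.subject = OpenSSL::X509::Name.parse('/CN=Example Corp Root CA') # made-up name
  ca.issuer = ca.subject
  ca.public_key = ca_key.public_key
  ca.not_before = Time.now - 60
  ca.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ca
  ef.issuer_certificate = ca
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  ca.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  ca.sign(ca_key, OpenSSL::Digest.new('SHA256'))

  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = OpenSSL::X509::Certificate.new
  leaf.version = 2
  leaf.serial = 2
  leaf.subject = OpenSSL::X509::Name.parse('/CN=www.example.test') # made-up host
  leaf.issuer = ca.subject
  leaf.public_key = leaf_key.public_key
  leaf.not_before = Time.now - 60
  leaf.not_after = Time.now + 30 * 24 * 3600
  ef2 = OpenSSL::X509::ExtensionFactory.new
  ef2.subject_certificate = leaf
  ef2.issuer_certificate = ca
  leaf.add_extension(ef2.create_extension('basicConstraints', 'CA:FALSE', true))
  leaf.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [ca, leaf]
end

# The file name OpenSSL's by-directory lookup searches for: the subject
# name hash (same value `openssl x509 -hash` prints) plus a ".0" suffix.
def hash_link_name(cert)
  format('%08x.0', cert.subject.hash)
end

# Write the root PEM into dir; optionally add the hash symlink beside it,
# mirroring `ln -s custom-root.crt /etc/ssl/certs/<hash>.0` from the thread.
def install_cert(dir, cert, with_link:)
  File.write(File.join(dir, 'custom-root.pem'), cert.to_pem)
  File.symlink('custom-root.pem', File.join(dir, hash_link_name(cert))) if with_link
end

# Verify the leaf against a trust store that only knows the given
# directory, which is what SSL_CERT_DIR points clients at.
# Returns [verified?, openssl error string].
def verify_in_dir(cert_dir, leaf)
  store = OpenSSL::X509::Store.new
  store.add_path(cert_dir)
  ok = store.verify(leaf)
  [ok, store.error_string]
end

# Run both variants; the PEM alone is not enough, the hash link is.
def demo
  ca, leaf = make_ca_and_leaf
  results = {}
  Dir.mktmpdir do |d|
    install_cert(d, ca, with_link: false)
    results[:without_link] = verify_in_dir(d, leaf)
  end
  Dir.mktmpdir do |d|
    install_cert(d, ca, with_link: true)
    results[:with_link] = verify_in_dir(d, leaf)
  end
  results
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, (ok, msg)| puts "#{k}: verified=#{ok} (#{msg})" }
end
```

Running it prints a failed verification for the directory that only holds the PEM and a successful one once the hash symlink exists, which is why the `ln -s` step is the important part of the procedure rather than the copy into /etc/ssl/certs. Note that `openssl rehash` (or `c_rehash`) over the directory produces the same links for every certificate at once, if it is available in the container.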

Ah, likely nothing we can add into the app.yml file to fix that.