Acabo de configurar y comenzar a probar un servidor Discourse y, hasta ahora, es excelente. Tengo un problema donde onebox falla debido a lo que creo que es un filtro de inspección SSL que no logra verificarse con la gem excon. He descargado el certificado raíz personalizado y lo he agregado a /etc/ssl/certs en el host, e incluso dentro del contenedor (para probar), pero sin éxito. Todavía obtengo el siguiente error en /log/rails/production.log cada vez que pego una URL para incrustar.
Failed to onebox [youtube url] SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError) Unable to verify certificate.
Se menciona cambiar los valores predeterminados de excon para apuntar a una ruta SSL diferente, pero no estoy seguro de cómo hacerlo de manera segura y aún permitir que Discourse se actualice. ¿Alguien puede aconsejar cómo podría asegurarme de que un certificado raíz personalizado se considere válido dentro de excon? ¿Existe un comando rails -r exec que pueda agregar en app.yml?
Looks like by default excon bundles its own certificate bundle but since other people had similar issues, he’s added the ability to configure it in the environment? And it’ll use the system one if the certificate is in properly.
It might need the hash link to work. Can you try the following and see if it solves the problem?
do both:
add your custom cert to /etc/ssl/certsinside the container
I set the environment variable and created the hash, and I’m not seeing a visible SSL error now, but still onebox is not doing anything. Don’t know if Jeff has any advice on what I might be doing wrong? @codinghorror.
I’m concerned that making changes inside the container will just get destroyed upon a rebuild though, so i’m not sure what the best approach here is.
It may have cached the failure, but let’s test one thing at a time.
You shouldn’t need to add the environment variable, but you can check to see whether adding the certificate worked by doing, for example:
root:~# /var/discourse/launcher enter app
root@app:/var/www/discourse# rails console
[1] pry(main)> Net::HTTP.get URI 'https://meta.discourse.org/about.json'
If you get a result (and you didn’t before), that means the certificate is properly installed. Then you can add commands to the container definition to install that certificate on every rebuild so it’ll persist.
Thanks Michael, the rails console command worked fine, it’s able to download the json file you linked.
I’m not sure if that wouldn’t have worked previously, but I had previously installed the root cer into /etc/ssl/certs/ and it wasn’t working still.
I ran export SSL_CERT_DIR="/etc/ssl/certs/" in the container and the SSL error seemed to go away after that. At least i’m no longer seeing anything in the production.log
Actually, I think I may have worked out the issue now. It’s an authentication prompt with the corporate filter I believe. I did the Net::HTTP.get in the console using a youtube oembed uri to retrieve the embed JSON and instead it provided back an authentication html document. So I think that’s what is getting in the way now. Thanks a bunch Michael.