Run bootstrap behind SSL-intercepting proxy, all SSL connections fail

Sirius · July 22, 2015, 10:23am

I want to install discourse on a VM that is behind a proxy. But I got the certificate error when the script updates gem. The log info is as following:

FAILED

RuntimeError: cd /var/www/discourse && gem update bundler failed with return $
Location of failure: /pups/lib/pups/exec_command.rb:105:in `spawn'
exec failed with the params {"cd"=>"$home", "hook"=>"web", "cmd"=>["gem updat$
03ddefcc67a4576532eaac06b03d799e957dbdb8530cff6ff49331e6a087b3e7
FAILED TO BOOTSTRAP

detailed info is as following:

[2015-07-22T10:16:57.849945 #45]  INFO -- : > cd /var/www/discourse && gem update bundler
ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
    SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

I guess that’s because this host is behind a proxy, and the proxy have replaced the certificate. I was encountered the similar error in git command and I have to modify the launcher script to add

 git config --global http.sslverify false

to bypass certificate verify. How could I by pass certificate verify for this gem update as well?

Falco · July 22, 2015, 11:59pm

Hello fellow corporate proxy hater,

I suggest changing the source of gem command to plain http rubygems (add http rubygems one, remove HTTPS) with gem sources command, and changing it too on the first line of Discourse Gemfile.

Sirius · July 23, 2015, 1:09am

Thanks for your suggestion. I’m new to discourse and ruby, could you please be more specific that which file I need to change?

Falco · July 23, 2015, 4:32am

Are you following the guide and using the docker install?

Sirius · July 23, 2015, 7:54am

Yes, the error happens when I run ./launcher bootstrap app

Falco · July 23, 2015, 9:15pm

First and foremost don’t forget to update & upgrade your ubuntu machine.

If it persists let’s get dirty:

./launcher enter app gem sources --add http://rubygems.org gem sources --remove https://rubygems.org
Now you can try to install a random gem just to see if it works, let’s try sinatra:
gem install sinatra

If it works we need to change Discourse Gemfile:
vim /var/www/discourse/Gemfile
and try to install.

Since my docker-fu ain’t that strong, I’m not sure if ./laucher bootstrap will just reset our modified Gemfile.

riking · July 23, 2015, 9:35pm

@Sirius can’t run enter because the build failed.

I think you need to get the CA certificate for your proxy and install it into the container in a before_code hook.

Sirius · July 24, 2015, 2:06am

@Falco
./launcher enter app failed：

Error response from daemon: no such id: app

I tried to add

gem sources --add http://rubygems.org
gem sources --remove https://rubygems.org

to a template file and run then in a before_web hook:

hooks:
  before_web:
    - exec:
       cmd:
         - gem sources --remove https://rubygems.org/
         - gem sources -add http://rubygems.org/

Then I got the following error:

[2015-07-24T01:53:18.299109 #45] INFO – : > gem sources -a http://rubygems.org/
ERROR: While executing gem … (Gem::OperationNotSupportedError)
Not connected to a tty and no default specified

@riking
Could you be more specific about how to install CA certificate to container? I’m not quite familiar to docker and ruby.I found a stackoverflow discuss [docker container ssl certificates ][1]

[1]: http://stackoverflow.com/questions/26028971/docker-container-ssl-certificates says to use the following command to mount certs to docker container:

docker run -v /host/path/to/certs:/container/path/to/certs -d IMAGE_ID "update-ca-certificates"

So I run

sudo docker run -v /etc/ssl/certs/:/etc/ssl/certs/ -d samsaffron/discourse:1.0.8 "update-ca-certificates"

Now I got the following error:
Message from syslogd@apc-lgmdcapp210 at Jul 24 05:12:27 …
kernel:journal commit I/O error
Error response from daemon: Error running DeviceSuspend dm_task_run failed

Could you please help? Thanks.

Falco · July 24, 2015, 6:17pm

What about downloading the certificate when you visit https://rubygems.org/ and then use this commands on the pre-hook?

On the ugly workaroud way you can try this too:

sed -i -- 's/https/http/g' /var/www/discourse/Gemfile
On the pre-hook too

Sirius · July 28, 2015, 2:27am

The hard drive of my VM is full, I need to apply larger hard drive and provide an update about this later.

Sirius · March 28, 2016, 9:08am

Hey guys,
I’v updated the image to 1.0.12, now I get this error:

[2016-03-28T09:00:51.116726 #39]  INFO -- : > cd /var/www/discourse && gem update bundler
ERROR:  While executing gem ... (Gem::RemoteFetcher::UnknownHostError)
    no such name (https://api.rubygems.org/specs.4.8.gz)

Is it because the proxy issue? How can I config the proxy info for a ruby command in a docker?

Topic		Replies	Views
New install won't bootstrap; gem update socket error? Installation	10	2743	September 5, 2018
Installing Discourse on Centos/WHM Installation	9	2413	February 10, 2015
Discourse installation on intranet - bootstrap failed with exit code 17 Installation unsupported-install	9	368	April 10, 2024
Problem updating my installation Installation	9	504	November 3, 2023
After Update, bootstrap failed due to missing Celluloid Bug	13	3659	August 19, 2015

Run bootstrap behind SSL-intercepting proxy, all SSL connections fail

Related topics