Run bootstrap behind SSL-intercepting proxy, all SSL connections fail


(Kun Zhu) #1

I want to install discourse on a VM that is behind a proxy, but I got a certificate error when the script updates gem. The log info is as follows:

FAILED

RuntimeError: cd /var/www/discourse && gem update bundler failed with return $
Location of failure: /pups/lib/pups/exec_command.rb:105:in `spawn'
exec failed with the params {"cd"=>"$home", "hook"=>"web", "cmd"=>["gem updat$
03ddefcc67a4576532eaac06b03d799e957dbdb8530cff6ff49331e6a087b3e7
FAILED TO BOOTSTRAP

Detailed info is as follows:

[2015-07-22T10:16:57.849945 #45]  INFO -- : > cd /var/www/discourse && gem update bundler
ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
    SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

I guess that’s because this host is behind a proxy, and the proxy has replaced the certificate. I encountered a similar error with the git command and had to modify the launcher script to add

 git config --global http.sslverify false

to bypass certificate verification. How can I bypass certificate verification for this gem update as well?


(Rafael dos Santos Silva) #2

Hello fellow corporate proxy hater,

I suggest changing the source of gem command to plain http rubygems (add http rubygems one, remove HTTPS) with gem sources command, and changing it too on the first line of Discourse Gemfile.


(Kun Zhu) #3

Thanks for your suggestion. I’m new to discourse and ruby, could you please be more specific about which file I need to change?


(Rafael dos Santos Silva) #4

Are you following the guide and using the docker install?


(Kun Zhu) #5

Yes, the error happens when I run ./launcher bootstrap app


(Rafael dos Santos Silva) #6

First and foremost don’t forget to update & upgrade your ubuntu machine.

If it persists let’s get dirty:

./launcher enter app
gem sources --add http://rubygems.org
gem sources --remove https://rubygems.org
Now you can try to install a random gem just to see if it works, let’s try sinatra:
gem install sinatra

If it works we need to change Discourse Gemfile:
vim /var/www/discourse/Gemfile
and try to install.

Since my docker-fu ain’t that strong, I’m not sure if ./launcher bootstrap will just reset our modified Gemfile. :sadpanda:


(Kane York) #7

@Sirius can’t run enter because the build failed.

I think you need to get the CA certificate for your proxy and install it into the container in a before_code hook.
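
One way to do what post #7 describes (the step post #8 asks about), as an added example that is not part of the original thread or of the Discourse project's own templates: a hook fragment for the YAML that `./launcher bootstrap app` reads, which adds the proxy's root CA to the container's trust store so that git and gem keep verifying certificates. It assumes a Debian/Ubuntu-based image that ships `update-ca-certificates` and `openssl`; the file name `corp-proxy-ca.crt` and the certificate body are placeholders.

```yaml
# Added example: hypothetical template fragment, not taken from the thread.
# Assumptions: Debian/Ubuntu-based image with update-ca-certificates and
# openssl available; corp-proxy-ca.crt is a made-up file name.
hooks:
  before_code:
    # Write the proxy's root CA (PEM, obtained from whoever operates the
    # proxy) into the directory update-ca-certificates scans.
    # The file name must end in .crt or it is ignored.
    - file:
        path: /usr/local/share/ca-certificates/corp-proxy-ca.crt
        contents: |
          -----BEGIN CERTIFICATE-----
          PLACEHOLDER: paste the base64 body of the proxy root CA here
          -----END CERTIFICATE-----
    - exec:
        cmd:
          # Record in the build log exactly which CA is being trusted,
          # so the fingerprint can be compared with the one the proxy
          # operator publishes.
          - openssl x509 -in /usr/local/share/ca-certificates/corp-proxy-ca.crt -noout -subject -issuer -enddate -fingerprint -sha256
          # Rebuild /etc/ssl/certs/ca-certificates.crt so the proxy CA is
          # trusted in addition to the public roots. Verification stays
          # enabled: no "http.sslverify false", no plain-http gem source.
          - update-ca-certificates
```

If Ruby in the image does not read the system store, setting the OpenSSL environment variable `SSL_CERT_FILE` to `/etc/ssl/certs/ca-certificates.crt` is the usual override.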


(Kun Zhu) #8

@Falco
./launcher enter app failed:

Error response from daemon: no such id: app

I tried to add

gem sources --add http://rubygems.org
gem sources --remove https://rubygems.org

to a template file and run them in a before_web hook:

hooks:
  before_web:
    - exec:
       cmd:
         - gem sources --remove https://rubygems.org/
         - gem sources -add http://rubygems.org/

Then I got the following error:

[2015-07-24T01:53:18.299109 #45] INFO -- : > gem sources -a http://rubygems.org/
ERROR: While executing gem ... (Gem::OperationNotSupportedError)
Not connected to a tty and no default specified


@riking
Could you be more specific about how to install the CA certificate into the container? I’m not very familiar with docker and ruby. I found a Stack Overflow discussion, "docker container ssl certificates", which says to use the following command to mount certs into a docker container:

docker run -v /host/path/to/certs:/container/path/to/certs -d IMAGE_ID "update-ca-certificates"

So I ran

sudo docker run -v /etc/ssl/certs/:/etc/ssl/certs/ -d samsaffron/discourse:1.0.8 "update-ca-certificates"

Now I got the following error:
Message from syslogd@apc-lgmdcapp210 at Jul 24 05:12:27 …
kernel:journal commit I/O error
Error response from daemon: Error running DeviceSuspend dm_task_run failed

Could you please help? Thanks.


(Rafael dos Santos Silva) #9

What about downloading the certificate when you visit https://rubygems.org/ and then using these commands in the pre-hook?


For the ugly workaround way, you can try this too:

sed -i -- 's/https/http/g' /var/www/discourse/Gemfile
On the pre-hook too


(Kun Zhu) #10

The hard drive of my VM is full. I need to apply for a larger hard drive and will provide an update about this later.


(Kun Zhu) #11

Hey guys,
I’ve updated the image to 1.0.12, and now I get this error:

[2016-03-28T09:00:51.116726 #39]  INFO -- : > cd /var/www/discourse && gem update bundler
ERROR:  While executing gem ... (Gem::RemoteFetcher::UnknownHostError)
    no such name (https://api.rubygems.org/specs.4.8.gz)

Is it because of the proxy issue? How can I configure the proxy info for a ruby command in a docker container?