A few months ago, I inherited a Discourse site that we use internally, so I am pretty new to all of this. In the past, I’ve been able to upgrade smoothly via the one-click browser upgrade feature, but today it failed with the following message. Any help is appreciated!
Excon::Error::Certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError) Unable to verify certificate. This may be an issue with the remote host or with Excon. Excon has certificates bundled, but these can be customized:
`Excon.defaults[:ssl_ca_path] = path_to_certs`
`ENV['SSL_CERT_DIR'] = path_to_certs`
`Excon.defaults[:ssl_ca_file] = path_to_file`
`ENV['SSL_CERT_FILE'] = path_to_file`
`Excon.defaults[:ssl_verify_callback] = callback`
`Excon.defaults[:ssl_verify_peer] = false` (less secure).
What is wrong is not quite the same thing as why it is going wrong, and in this case, that’s something of a mystery. What’s the environment this is running in? I’m strongly suspecting an HTTPS-mangling middlebox as the culprit, given that https://cdn.discourse.org/ is most definitely presenting a valid cert. What does `openssl s_client -connect cdn.discourse.org:443 -servername cdn.discourse.org`, run on the host where you’re running `./launcher`, say about the certificate chain being presented? Here’s what it should look like:
```
 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=j.ssl.fastly.net
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
```
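The comparison suggested in the reply above can be scripted. This is an added example, not part of either post: it parses the "Certificate chain" block of `openssl s_client` output and checks that the chain links up and ends at the expected root. The function names, the sample outputs and the "Example Corp Inspection CA" name are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample outputs are constructed; function names are hypothetical.

# Print "<depth>|<subject>|<issuer>" for each entry in the "Certificate chain"
# block of `openssl s_client` output read on stdin.
chain_summary() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/ { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
    in_chain && /^ *i:/ { sub(/^ *i:/, ""); print depth "|" subj "|" $0 }
  '
}

# Succeed only if each issuer is the next certificate's subject and the
# last issuer contains the expected root name given as $1.
chain_matches() {
  chain_summary | awk -F'|' -v want="$1" '
    NR > 1 && $2 != prev_issuer { bad = 1 }
    { prev_issuer = $3 }
    END { exit !(NR > 0 && !bad && index(prev_issuer, want) > 0) }
  '
}

# Constructed sample: the chain quoted in the reply above.
expected_output() { cat <<'EOF'
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=j.ssl.fastly.net
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
EOF
}

# Constructed sample: a chain re-signed by a TLS-inspecting proxy (hypothetical CA).
intercepted_output() { cat <<'EOF'
---
Certificate chain
 0 s:/CN=cdn.discourse.org
   i:/O=Example Corp/CN=Example Corp Inspection CA
---
EOF
}

for sample in expected_output intercepted_output; do
  if "$sample" | chain_matches "GlobalSign Root CA"; then echo "$sample: chain as expected"
  else echo "$sample: unexpected chain:"; "$sample" | chain_summary; fi
done
```

Against a live host, pipe the `openssl s_client` command from the reply (with `</dev/null`) into `chain_summary`. Newer OpenSSL releases print names as `C = US, O = ...` rather than slash-separated, which the parser still accepts because it keys on the `s:` and `i:` prefixes.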