Upgrade Failure - Unable to verify certificate


(Rob Burkman) #1

A few months ago, I inherited a discourse site that we use internally, so I am pretty new to all of this. In the past, I’ve been able to upgrade smoothly via the one-click browser upgrade feature, but today it failed with the following message. Any help is appreciated!

rake aborted!
Excon::Error::Certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError) Unable to verify certificate. This may be an issue with the remote host or with Excon. Excon has certificates bundled, but these can be customized:

            `Excon.defaults[:ssl_ca_path] = path_to_certs`
            `ENV['SSL_CERT_DIR'] = path_to_certs`
            `Excon.defaults[:ssl_ca_file] = path_to_file`
            `ENV['SSL_CERT_FILE'] = path_to_file'
            `Excon.defaults[:ssl_verify_callback] = callback`
                (see OpenSSL::SSL::SSLContext#verify_callback)
or:
            `Excon.defaults[:ssl_verify_peer] = false` (less secure).

The full log.pdf (376.0 KB).


(Jay Pfaffman) #2

Given that your hostname still resolves to your site, try:

cd /var/discourse
./launcher rebuild app

(Matt Palmer) #3

That’s a first… build log as a PDF. I’m not up for reading through that, it’s a mess. Drop it in a gist or a pastebin or something more sane, please.


(Robby O'Connor) #4

Also, make sure you read the log – I’ve seen a few people now not bother to read the log – but just panic – take a step back and read it…it’s telling you what’s wrong.


(Rob Burkman) #5

I get the same error when I attempt to rebuild the app.

I created a gist.

The only thing that jumped out to me was the error. Am I missing something else?


(Matt Palmer) #6

A gist! A palpable gist! :tada:

What is wrong is not quite the same thing as why it is going wrong, and in this case, that’s something of a mystery. What’s the environment this is running in? I’m strongly suspecting HTTPS-mangling middlebox as the culprit, given that https://cdn.discourse.org/ is most definitely presenting a valid cert. What does openssl s_client -connect cdn.discourse.org:443 -servername cdn.discourse.org, run on the host where you’re running ./launcher, say about the certificate chain being presented? Here’s what it should look like:

Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=j.ssl.fastly.net
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

(Rob Burkman) #7

I’m getting the following certificate chain.

Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=j.ssl.fastly.net
   i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net)/emailAddress=support@zscaler.com
 1 s:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net)/emailAddress=support@zscaler.com
   i:/C=US/ST=California/L=San Jose/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Root CA/emailAddress=support@zscaler.com
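
A check for the middlebox diagnosis described in posts #6 and #7, added here as an example and not code from the thread or from Discourse: it parses the `openssl s_client` "Certificate chain" output quoted above and flags a chain that does not terminate at a pinned root. The pinned root CN, the `live_chain` helper and its 15-second timeout are assumptions; the root to pin should be recorded from a network without an intercepting proxy.

```python
import re
import subprocess

# Root the genuine cdn.discourse.org chain ended in (post #6); assumption: pin it from a clean network.
EXPECTED_ROOT_CN = "GlobalSign Root CA"
# Sample input copied from posts #6 and #7 so the check runs offline.
GENUINE_CHAIN = """Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=j.ssl.fastly.net
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
"""
PROXIED_CHAIN = """Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=j.ssl.fastly.net
   i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net)/emailAddress=support@zscaler.com
 1 s:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net)/emailAddress=support@zscaler.com
   i:/C=US/ST=California/L=San Jose/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Root CA/emailAddress=support@zscaler.com
"""

_SUBJECT_RE = re.compile(r"^\s*\d+\s+s:(.*)$")   # " 0 s:/C=US/..." lines
_ISSUER_RE = re.compile(r"^\s+i:(.*)$")          # "   i:/C=BE/..." lines
_CN_RE = re.compile(r"CN\s*=\s*([^/,]+)")        # works for slash and comma DN forms

def common_name(dn):
    m = _CN_RE.search(dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(output):
    """[(subject_cn, issuer_cn), ...] in the order s_client printed them."""
    chain, subject = [], None
    for line in output.splitlines():
        if (m := _SUBJECT_RE.match(line)):
            subject = m.group(1)
        elif (m := _ISSUER_RE.match(line)) and subject is not None:
            chain.append((common_name(subject), common_name(m.group(1))))
            subject = None
    return chain

def intercepting_root(chain, expected_root_cn=EXPECTED_ROOT_CN):
    """Top issuer CN if the chain does not end at the pinned root, else None."""
    if not chain:
        return "no chain presented"
    top_issuer = chain[-1][1]
    return None if top_issuer == expected_root_cn else top_issuer

def live_chain(host, port=443):
    """Run the s_client command from post #6 on this host and parse its output (hypothetical helper)."""
    proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
                          input="", capture_output=True, text=True, timeout=15, check=False)
    return parse_chain(proc.stdout)
```

`intercepting_root(live_chain("cdn.discourse.org"))` returning a CN such as "Zscaler Root CA" means the host is behind a TLS-inspecting proxy whose root the container's CA bundle does not trust, which is the failure the rake error reports.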

(Rob Burkman) #8

I was able to successfully upgrade the site after whitelisting cdn.discourse.org like this post.


(Matt Palmer) #9

So, SSL middlebox ftl. Lucky you.