A few months ago, I inherited a Discourse site that we use internally, so I am pretty new to all of this. In the past, I’ve been able to upgrade smoothly via the one-click browser upgrade feature, but today it failed with the following message. Any help is appreciated!
```text
rake aborted!
Excon::Error::Certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError) Unable to verify certificate. This may be an issue with the remote host or with Excon. Excon has certificates bundled, but these can be customized:
            `Excon.defaults[:ssl_ca_path] = path_to_certs`
            `ENV['SSL_CERT_DIR'] = path_to_certs`
            `Excon.defaults[:ssl_ca_file] = path_to_file`
            `ENV['SSL_CERT_FILE'] = path_to_file`
            `Excon.defaults[:ssl_verify_callback] = callback`
                (see OpenSSL::SSL::SSLContext#verify_callback)
or:
            `Excon.defaults[:ssl_verify_peer] = false` (less secure).
```
Also, make sure you read the log – I’ve seen a few people now not bother to read the log – but just panic – take a step back and read it…it’s telling you what’s wrong.
What is wrong is not quite the same thing as why it is going wrong, and in this case, that’s something of a mystery. What’s the environment this is running in? I’m strongly suspecting an HTTPS-mangling middlebox as the culprit, given that https://cdn.discourse.org/ is most definitely presenting a valid cert. What does `openssl s_client -connect cdn.discourse.org:443 -servername cdn.discourse.org`, run on the host where you’re running `./launcher`, say about the certificate chain being presented? Here’s what it should look like:
```text
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=j.ssl.fastly.net
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
```
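An added example, not part of the original posts and not Discourse or Excon code: Ruby that parses the "Certificate chain" section of saved `openssl s_client` output and compares each issuer with the chain quoted above, which is how an intercepting middlebox shows up. The names `parse_chain` and `chain_findings` are hypothetical, and the intercepted sample with its "Example Inspection CA" issuer is constructed.

```ruby
Entry = Struct.new(:depth, :subject, :issuer)

# Extract (depth, subject, issuer) entries from `openssl s_client` output.
def parse_chain(output)
  entries, in_chain = [], false
  output.each_line do |raw|
    line = raw.strip
    in_chain = true if line == "Certificate chain"
    next unless in_chain
    break if line.start_with?("---") # end of the chain section
    if (m = line.match(/\A(\d+)\s+s:\s*(.+)\z/))
      entries << Entry.new(m[1].to_i, m[2], nil)
    elsif (m = line.match(/\Ai:\s*(.+)\z/)) && entries.any?
      entries.last.issuer = m[1]
    end
  end
  entries
end

# Compare a captured chain with the issuers the operator expects.
# Returns a list of findings; an empty list means the chain matches.
def chain_findings(entries, expected_issuers)
  findings = []
  findings << "no certificate chain found in output" if entries.empty?
  entries.each_with_index do |e, i|
    want, nxt = expected_issuers[i], entries[i + 1]
    findings << "depth #{e.depth}: unexpected issuer #{e.issuer}" if want && e.issuer != want
    findings << "depth #{e.depth}: issuer is not the next subject" if nxt && nxt.subject != e.issuer
  end
  findings
end

# Expected chain, copied from the reply above.
EXPECTED_OUTPUT = <<~OUT
  Certificate chain
   0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=j.ssl.fastly.net
     i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
     i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
  ---
OUT
EXPECTED_ISSUERS = parse_chain(EXPECTED_OUTPUT).map(&:issuer)
# Constructed sample: what a TLS-inspecting middlebox might present instead.
INTERCEPTED_OUTPUT = <<~OUT
  Certificate chain
   0 s:/CN=cdn.discourse.org
     i:/O=Example Corp/CN=Example Inspection CA
OUT
```

Names are compared as literal strings, so capture the expected issuers with the same OpenSSL version you run the check with; newer releases print names as `C = BE, O = ...` rather than `/C=BE/O=...`.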