Self-signed cert being ignored in Docker | Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate #749

Closed
RailsCod3rFuture opened this issue Apr 30, 2024 · 4 comments

Comments

@RailsCod3rFuture

I'm using registry.docker.com/library/ruby:2.7.7-slim for building my Docker image. The issue is that the SSL_CERT_FILE env var is not being complied with while running bundle install. I tried copying over the cert to ca-certificates, but that also got ignored. Do you have a method for verifying self-signed certificates in Docker images?

@rhenium
Member

rhenium commented Apr 30, 2024

SSL_CERT_FILE is supposed to be handled by OpenSSL by default. I can't tell what is happening without more details.

Note that Ruby 2.7 is EOL. Please upgrade to Ruby 3.1 or later. https://www.ruby-lang.org/en/downloads/branches/

@RailsCod3rFuture
Author

RailsCod3rFuture commented Apr 30, 2024

I'll show what my Dockerfile looks like. The main issue is that it does not pick up the fact that I've added a private cert before running bundle install. I set the SSL_CERT environment variable to match the location before the bundle install step. It ignores it.


```dockerfile
# syntax = docker/dockerfile:1

# Make sure RUBY_VERSION matches the Ruby version in .ruby-version and Gemfile
ARG RUBY_VERSION=2.7.7
FROM registry.docker.com/library/ruby:$RUBY_VERSION as base

WORKDIR /web-app

ENV RAILS_ENV="development" \
  BUNDLE_WITHOUT=""
RUN apt-get update -qq && \
  apt-get install --no-install-recommends -y build-essential git libvips pkg-config mariadb-client yarn nodejs ca-certificates
COPY CUSTOM_CERT_SubCA_1.crt /usr/local/share/ca-certificates/CUSTOM_CERT_SubCA_1.crt
ENV SSL_CERT_FILE=/usr/local/share/ca-certificates/CUSTOM_CERT_SubCA_1.crt
RUN chmod 644 /usr/local/share/ca-certificates/CUSTOM_CERT_SubCA_1.crt && update-ca-certificates
COPY Gemfile Gemfile.lock ./
RUN mkdir -p /vendor/rails_7_gems
COPY vendor/rails_7_gems/ ./vendor/rails_7_gems/
RUN bundle install

# Copy application code
COPY . .

RUN useradd rails --create-home --shell /bin/bash && \
  chown -R rails:rails db log storage tmp
USER rails:rails

ENTRYPOINT ["/web-app/bin/docker-dev-entrypoint"]

EXPOSE 3000
CMD ["./bin/rails", "server", "-b", "0.0.0.0"]
```

ERROR

```
> [web_app  9/11] RUN bundle install:
0.300 Warning: the running version of Bundler (2.1.4) is older than the version that created the lockfile (2.4.22). We suggest you to upgrade to the version that created the lockfile by running `gem install bundler:2.4.22`.
0.305 fatal: not a git repository (or any of the parent directories): .git
0.335 fatal: not a git repository (or any of the parent directories): .git
0.338 fatal: not a git repository (or any of the parent directories): .git
0.397 The dependency tzinfo-data (>= 0) will be unused by any of the platforms Bundler is installing for. Bundler is installing for arm64-darwin-21, ruby but the dependency is only for x86-mingw32, x86-mswin32, x64-mingw32, java. To add those platforms to the bundle, run `bundle lock --add-platform x86-mingw32 x86-mswin32 x64-mingw32 java`.
0.494 Fetching source index from https://custom_domain.org/
0.533 
0.533 Retrying fetcher due to error (2/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://custom_domain.org/.
0.533 There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
```

@MSP-Greg
Contributor

Have you tried making a verified connection with net/http? Or, bypass Bundler/RubyGems for testing to see if your env/certs are working correctly?
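The check suggested in the comment above, written out as an added example (not code posted by anyone in this thread): `probe` makes a verified net/http connection without Bundler/RubyGems, and `verify_with_ssl_cert_file` tests offline whether a fresh OpenSSL default store honours `SSL_CERT_FILE`. It goes slightly beyond the thread by comparing a trust file that holds only a subordinate CA with one that also holds the root. The helper names and the constructed root, sub-CA and leaf certificates are assumptions for illustration.

```ruby
require "openssl"
require "net/http"
require "tempfile"

# Issue a constructed test certificate; with no issuer it is a self-signed root.
def issue(cn, issuer: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3, needed for extensions
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Verify cert via a fresh default store with SSL_CERT_FILE set to a file holding trust_pem.
def verify_with_ssl_cert_file(cert, trust_pem, untrusted: [])
  saved = ENV["SSL_CERT_FILE"]
  Tempfile.create(["trust", ".crt"]) do |f|
    File.write(f.path, trust_pem)
    ENV["SSL_CERT_FILE"] = f.path
    store = OpenSSL::X509::Store.new
    store.set_default_paths # reads SSL_CERT_FILE / SSL_CERT_DIR at this point
    [store.verify(cert, untrusted), store.error_string] # [verified?, OpenSSL error]
  end
ensure
  ENV["SSL_CERT_FILE"] = saved # nil removes the variable again
end

# Live check that bypasses Bundler/RubyGems: "ok" or the OpenSSL verify error.
def probe(host, port = 443)
  Net::HTTP.start(host, port, use_ssl: true, verify_mode: OpenSSL::SSL::VERIFY_PEER) { |h| h.head("/") }
  "ok"
rescue OpenSSL::SSL::SSLError => e
  e.message
end

# Constructed chain (root -> sub-CA -> leaf) checked against three trust files.
def demo
  root, rk = issue("Constructed Root", ca: true)
  sub, sk  = issue("Constructed SubCA", issuer: root, issuer_key: rk, ca: true)
  leaf, _  = issue("leaf.example", issuer: sub, issuer_key: sk)
  { sub_only: verify_with_ssl_cert_file(leaf, sub.to_pem),
    root_and_sub: verify_with_ssl_cert_file(leaf, root.to_pem + sub.to_pem),
    root_only_chain_sent: verify_with_ssl_cert_file(leaf, root.to_pem, untrusted: [sub]) }
end
```

With stock OpenSSL settings the sub-CA-only file does not verify, because chain building must end at a self-signed certificate unless partial-chain verification is enabled. Running `probe("custom_domain.org")` inside the image applies the same trust settings to the live gem source.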

@RailsCod3rFuture
Author

I'm going to try a new approach now.

RailsCod3rFuture closed this as not planned on May 3, 2024