Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSL Certificate Verification Error When Using importmap pin Command #263

Open
tbbooher opened this issue Sep 18, 2024 · 0 comments
Open

Comments

@tbbooher
Copy link

tbbooher commented Sep 18, 2024

I'm encountering an SSL certificate verification error when using the importmap pin command with importmap-rails (2.0.1) to pin packages like Bootstrap. Despite having the correct SSL certificates installed and being able to make HTTPS requests using Ruby's net/http, the importmap command fails with an SSL error.

Steps to Reproduce:

Set Up Environment Variables for SSL Certificates:

export SSL_CERT_FILE="/opt/homebrew/etc/openssl@3/cert.pem"
export SSL_CERT_DIR="/opt/homebrew/etc/openssl@3/certs"

Verify SSL Connectivity with a Test Script:

Created a test script ssl_test.rb to confirm that Ruby's net/http can establish an SSL connection:

require 'net/http'
require 'openssl'

uri = URI('https://ga.jspm.io/npm:bootstrap@5.3.3/dist/js/bootstrap.esm.js')

Net::HTTP.start(
  uri.host,
  uri.port,
  use_ssl: true,
  verify_mode: OpenSSL::SSL::VERIFY_PEER
) do |http|
  request = Net::HTTP::Get.new(uri)
  response = http.request(request)
  puts "Response Code: #{response.code}"
end

Output:
Response Code: 200

Attempt to Pin Bootstrap Using importmap:

Ran the command: ./bin/importmap pin bootstrap

Output/Error:

Pinning "bootstrap" to vendor/javascript/bootstrap.js via download from https://ga.jspm.io/npm:bootstrap@5.3.3/dist/js/bootstrap.esm.js
/path/to/gems/net-protocol-0.2.2/lib/net/protocol.rb:46:in `connect_nonblock': SSL_connect returned=1 errno=0 peeraddr=205.234.175.175:443 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)

Additional Information:

Ruby Version: 3.2.2
OpenSSL Version: (Output of ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'): OpenSSL 3.3.2 3 Sep 2024
Importmap-Rails Version: 2.0.1
Operating System: macOS on Apple Silicon

Environment Variables:

echo $SSL_CERT_FILE
# Output: /opt/homebrew/etc/openssl@3/cert.pem
echo $SSL_CERT_DIR
# Output: /opt/homebrew/etc/openssl@3/certs

What I've Tried:

Verified Certificates:

Ensured that the DigiCert Global Root G2 certificate is present in /opt/homebrew/etc/openssl@3/cert.pem.
Updated and rehashed the certificates in the certs directory.
Reinstalled Ruby and Gems:

Uninstalled and reinstalled Ruby using rbenv, ensuring it links to the correct OpenSSL.
Updated gems and checked for conflicting versions of net-http and net-protocol.
Modified bin/importmap:

Added debug statements to print environment variables and Ruby version.
Attempted to override Net::HTTP settings within bin/importmap to explicitly set ca_file and ca_path.
Modified importmap-rails Gem Code:

Edited packager.rb to set SSL options explicitly when initializing Net::HTTP.
Tested with OpenSSL::SSL::VERIFY_NONE:

As a test (not for production), set verify_mode to OpenSSL::SSL::VERIFY_NONE, which allowed the command to succeed, indicating the issue is with SSL verification.
Manually Downloaded Bootstrap:

Used curl to download Bootstrap and updated config/importmap.rb as a temporary workaround.

Suspected Cause:

It seems that the importmap-rails gem may not be correctly utilizing the SSL certificates specified by the environment variables or might be overriding SSL settings internally, leading to the SSL verification failure.

Expected Behavior:

The importmap pin command should respect the SSL certificate environment variables and successfully establish an SSL connection to pin packages.

Actual Behavior:

The command fails with an SSL certificate verification error, even though SSL connections work in other Ruby scripts and tools.

Please let me know if I can provide any more information.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant