
Could not verify the SSL certificate error when running bundle install in ruby on rails app


I have a ruby on rails app that is throwing an error when I try to run bundle install. The error is the following:

bundle stdout: Could not verify the SSL certificate for https://rails-assets.org/ There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification

Our SSL certificate was updated just a few days ago and we haven't changed anything in the app. It started to throw this error out of the blue.

Is there any chance we need to update the root certificates in the system? I mean like running sudo update-ca-certificates or something like that? Is it safe to do that?

The app is on DigitalOcean and we use the Capistrano gem to deploy the app.

@lingYan Thanks a lot for guiding me in the right direction! I read the links you posted but in my case I had to change the steps a little bit because I am not on CentOS 7. So this is exactly what I did:

It was still throwing the error after doing all the steps above, so I realized that I didn't have the ISRG Root CA certificate. In order to add the ISRG Root CA I did the following (which I think is not correct, or maybe I am missing something):

Am I doing something wrong? Are the steps above correct to add a new certificate? I am starting to feel frustrated with this :(


Solution

  • I checked the certificate of https://rails-assets.org/. It's signed by Let's Encrypt, and one of the root CAs from Let's Encrypt is expired; that would be the cause of your issue.

    To understand the issue:

    https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
    https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

    The possible solution: https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4

    Basically, if that's the cause, you need to remove the DST Root CA and make sure ISRG Root CA is in your certificate store.

    For Ubuntu or Debian systems, the following document describes how to update the certificates: /usr/share/doc/ca-certificates/README.Debian

    1. Run the following command to create a directory for your own trusted ca-certificates:
         sudo mkdir /usr/local/share/ca-certificates/extra
    2. Copy the root certificate to the new directory:
         sudo cp rootCA.crt /usr/local/share/ca-certificates/extra/
       Make sure that the certificate file has the .crt extension.
    3. Run the following command to update the system certificates:
         sudo update-ca-certificates
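
The answer above says to remove the DST Root CA and keep the ISRG Root CA, but its steps only cover adding a certificate. The script below is an added example, not part of the original answer, showing the removal half on Debian/Ubuntu. It assumes the stock ca-certificates package, where /etc/ca-certificates.conf lists one certificate per line, a leading `!` deselects an entry, and the two roots are named `mozilla/DST_Root_CA_X3.crt` and `mozilla/ISRG_Root_X1.crt`; `entry_state` and `fix_conf` are names made up for this example.

```shell
#!/bin/sh
# Added example: audit and adjust a ca-certificates.conf for the DST Root CA X3
# expiry. It edits only the file passed as $1, so it can be tried on a copy.

DST='mozilla/DST_Root_CA_X3.crt'   # assumed entry name of the expired root
ISRG='mozilla/ISRG_Root_X1.crt'    # assumed entry name of the Let's Encrypt root

# entry_state CONF ENTRY -> prints "enabled", "disabled" or "absent"
entry_state() {
    if grep -qxF -- "$2" "$1"; then echo enabled
    elif grep -qxF -- "!$2" "$1"; then echo disabled
    else echo absent
    fi
}

# fix_conf CONF: deselect DST Root CA X3 and re-select ISRG Root X1 if it was
# deselected. Returns 0 only if the result trusts ISRG and no longer trusts DST.
fix_conf() {
    conf=$1
    tmp=$(mktemp) || return 2
    awk -v dst="$DST" -v isrg="$ISRG" '
        $0 == dst          { print "!" dst; next }   # deselect expired root
        $0 == ("!" isrg)   { print isrg; next }      # re-select ISRG root
                           { print }                 # keep everything else
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"       # cat keeps owner and mode
    rm -f "$tmp"
    [ "$(entry_state "$conf" "$DST")" != enabled ] &&
        [ "$(entry_state "$conf" "$ISRG")" = enabled ]
}

# Command-line use: sh fix-dst.sh /path/to/ca-certificates.conf
if [ -n "${1:-}" ]; then
    echo "before: DST=$(entry_state "$1" "$DST") ISRG=$(entry_state "$1" "$ISRG")"
    if fix_conf "$1"; then
        echo "ok: now run 'sudo update-ca-certificates' to rebuild the store"
    else
        echo "ISRG Root X1 is not enabled in $1; add it as a local certificate" >&2
        exit 1
    fi
fi
```

If `fix_conf` reports that ISRG Root X1 is absent, the installed package predates it and the certificate has to be added under /usr/local/share/ca-certificates as in the numbered steps.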