Description
Hi,
We are getting the below issue when doing bundle install with JRuby today, since the root CA has expired.
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
Added /opt/jruby/lib/ruby/stdlib/rubygems/ssl_certs/rubygems.org/AddTrustExternalCARoot.pem to X509 store
Added /opt/jruby/lib/ruby/stdlib/rubygems/ssl_certs/rubygems.global.ssl.fastly.net/DigiCertHighAssuranceEVRootCA.pem to X509 store
Added /opt/jruby/lib/ruby/stdlib/rubygems/ssl_certs/index.rubygems.org/GlobalSignRootCA.pem to X509 store
SSL verification error at depth 2: unable to get local issuer certificate (20)
You must add /O=Digital Signature Trust Co./CN=DST Root CA X3 to your local trusted store
We added the debug printing about the SSL verification result above.
So basically it doesn't trust the first cert it finds in the chain even though it is in the keystore.
DST Root CA X3 is not there, just like in the OS store.
If we add it to the key store, we get the below error.
SSL verification error at depth 3: certificate has expired (10)
Certificate /O=Digital Signature Trust Co./CN=DST Root CA X3 expired at 2021-09-30T14:01:15Z
Maybe this flag, X509_V_FLAG_TRUSTED_FIRST, should be added here: https://github.com/jruby/jruby-openssl/blob/master/src/main/java/org/jruby/ext/openssl/x509store/VerifyParameter.java#L153-L162
We tried bundle install with pure Ruby and it is working fine. Then we noticed that JRuby is using this module instead of OpenSSL.
Could we have some suggestions here please?
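The chain-building behaviour behind the two errors quoted in this report, as an added example that is not part of the issue or of jruby-openssl. It builds a constructed mini-PKI with the same shape as the Let's Encrypt chain (an already-expired old root, a new root that exists both self-signed and cross-signed by the old root, an intermediate, and a leaf) and verifies the leaf with MRI Ruby's C-OpenSSL bindings under different trust stores, with X509_V_FLAG_TRUSTED_FIRST set. Every name, key and validity period is made up. Caveat: OpenSSL 1.1.0 and later always search the trust store before the untrusted chain, so on a current MRI a run without the flag gives the same result as the flagged run; the error at depth 2 is reproduced here with an empty store, and the expired-root error at depth 3 with a store that holds only the old root, because those are the stores that force the chain through the cross-sign regardless of the flag.

```ruby
require 'openssl'

# Constructed PKI (assumption: names and validity periods are invented), mirroring
# the Let's Encrypt layout discussed in the issue:
#   OLD_ROOT        self-signed, expired yesterday       (plays DST Root CA X3)
#   NEW_ROOT        self-signed, valid                   (plays ISRG Root X1)
#   NEW_ROOT_CROSS  NEW_ROOT's key, signed by OLD_ROOT   (the ISRG Root X1 cross-sign)
#   INTER           signed by NEW_ROOT                   (plays R3)
#   LEAF            signed by INTER                      (the server certificate)
NOW = Time.now
DAY = 24 * 60 * 60

def make_cert(subject:, key:, ca:, not_before:, not_after:, serial:, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, so basicConstraints decides CA-ness
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign, cRLSign' : 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

OLD_ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
NEW_ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
INTER_KEY    = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY     = OpenSSL::PKey::RSA.new(2048)

OLD_ROOT = make_cert(subject: '/O=Example Old Trust/CN=Old Root CA', key: OLD_ROOT_KEY, ca: true,
                     not_before: NOW - 3650 * DAY, not_after: NOW - DAY, serial: 1)
NEW_ROOT = make_cert(subject: '/O=Example New Trust/CN=New Root X1', key: NEW_ROOT_KEY, ca: true,
                     not_before: NOW - 365 * DAY, not_after: NOW + 3650 * DAY, serial: 2)
# Same subject and key as NEW_ROOT, but issued by the (now expired) old root; the
# cross-sign itself is still within its validity, as the real one was in 2021.
NEW_ROOT_CROSS = make_cert(subject: '/O=Example New Trust/CN=New Root X1', key: NEW_ROOT_KEY, ca: true,
                           issuer: OLD_ROOT, issuer_key: OLD_ROOT_KEY,
                           not_before: NOW - 365 * DAY, not_after: NOW + 365 * DAY, serial: 3)
INTER = make_cert(subject: '/O=Example New Trust/CN=Intermediate R3', key: INTER_KEY, ca: true,
                  issuer: NEW_ROOT, issuer_key: NEW_ROOT_KEY,
                  not_before: NOW - 30 * DAY, not_after: NOW + 365 * DAY, serial: 4)
LEAF = make_cert(subject: '/CN=rubygems.example', key: LEAF_KEY, ca: false,
                 issuer: INTER, issuer_key: INTER_KEY,
                 not_before: NOW - DAY, not_after: NOW + 60 * DAY, serial: 5)

# What the server hands over: leaf, intermediate and the cross-signed root.
SERVER_CHAIN = [LEAF, INTER, NEW_ROOT_CROSS].freeze

# X509_V_FLAG_TRUSTED_FIRST is 0x8000 in OpenSSL; fall back to the raw value if
# this Ruby build does not export the constant.
TRUSTED_FIRST = OpenSSL::X509.const_defined?(:V_FLAG_TRUSTED_FIRST) ? OpenSSL::X509::V_FLAG_TRUSTED_FIRST : 0x8000

# Verifies LEAF against a store built from +trusted+, using the rest of the server
# chain as untrusted helpers. Returns outcome, error, error depth and the chain built.
def verify_chain(trusted, flags: 0)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  store.flags = flags
  ctx = OpenSSL::X509::StoreContext.new(store, SERVER_CHAIN.first, SERVER_CHAIN.drop(1))
  ok = ctx.verify
  {
    ok: ok,
    error: ok ? nil : ctx.error_string,
    error_depth: ok ? nil : ctx.error_depth,
    chain: (ctx.chain || []).map { |c| c.subject.to_s }
  }
end

if $PROGRAM_NAME == __FILE__
  # 1. Only the new self-signed root is trusted: trusted-first stops at depth 2
  #    with the self-signed root instead of chasing the cross-sign to the old root.
  p verify_chain([NEW_ROOT], flags: TRUSTED_FIRST)
  # 2. Old expired root added as well (the "add DST Root CA X3" attempt): still fine
  #    with trusted-first, because the self-signed new root is found first.
  p verify_chain([NEW_ROOT, OLD_ROOT], flags: TRUSTED_FIRST)
  # 3. Only the old root trusted: the chain must go through the cross-sign and ends
  #    at an expired anchor, "certificate has expired" at depth 3.
  p verify_chain([OLD_ROOT], flags: TRUSTED_FIRST)
  # 4. Nothing trusted: the cross-sign's issuer cannot be found,
  #    "unable to get local issuer certificate" at depth 2.
  p verify_chain([])
end
```

Run it with `ruby` (MRI); each scenario prints one hash. Scenario 1 is the store the reporter has (ISRG Root X1 present, DST Root CA X3 absent) and succeeds once issuer lookup prefers the trust store; scenarios 3 and 4 produce the two error strings and depths seen in the report, which is what a verifier that walks the supplied chain before consulting the store produces for scenarios 1 and 2 respectively.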