
bundle install / gem install affected by DST Root CA X3 expiration #77

sachingade20 opened this issue Oct 10, 2021 · 7 comments
@sachingade20

sachingade20 commented Oct 10, 2021

We are getting the below issue when doing bundle install with jruby today since the root CA is expired.
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190

There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
So basically it doesn't trust the first cert it finds in the chain even though it is in the keystore.
DST Root CA X3 is not there, just like in the OS store.
If we add it to the key store, we are getting the below error.

SSL verification error at depth 3: certificate has expired (10)
Certificate /O=Digital Signature Trust Co./CN=DST Root CA X3 expired at 2021-09-30T14:01:15Z

I have tested against the latest jruby docker image as well, still the same.

root@45d0eee28a21:/# openssl version
OpenSSL 1.1.1d  10 Sep 2019


root@45d0eee28a21:/# jruby -version
jruby 9.3.0.0 (2.6.8) 2021-09-17 85c20e780f OpenJDK 64-Bit Server VM 25.302-b08 on 1.8.0_302-b08 +jit [linux-x86_64]


root@45d0eee28a21:/# cat Gemfile
source 'https://gems.contribsys.com/' do
  gem 'sidekiq-pro'
end

root@45d0eee28a21:/# bundle install
[DEPRECATED] This Gemfile does not include an explicit global source. Not using an explicit global source may result in a different lockfile being generated depending on the gems you have installed locally before bundler is run. Instead, define a global source in your Gemfile like this: source "https://rubygems.org".
Fetching source index from https://gems.contribsys.com/

Retrying fetcher due to error (2/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://gems.contribsys.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.

Retrying fetcher due to error (3/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://gems.contribsys.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.

Retrying fetcher due to error (4/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://gems.contribsys.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.

Could not verify the SSL certificate for https://gems.contribsys.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most
likely your system doesn't have the CA certificates needed for verification. For
information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect
without using SSL, edit your Gemfile sources and change 'https' to 'http'.
root@45d0eee28a21:/#

root@45d0eee28a21:/# gem source -a https://gems.contribsys.com/
ERROR:  SSL verification error at depth 3: certificate has expired (10)
Error fetching https://gems.contribsys.com/:
	certificate verify failed (https://gems.contribsys.com/specs.4.8.gz)
root@944e7cf133ba:/#

Can you please help with how to resolve this?

@sachingade20 sachingade20 changed the title bundle install affected by DST Root CA X3 expiration bundle install / gem install affected by DST Root CA X3 expiration Oct 10, 2021
@dentarg

dentarg commented Oct 10, 2021

@sachingade20 do you have ISRG Root X1 in your trust store?

@dentarg

dentarg commented Oct 10, 2021

@sachingade20

Yes, with OpenSSL version 1.1.1d and ca-certificates I already have X1 in my trust store, still it fails. It works for ruby docker images but only fails for jruby docker images; something related to jruby-openssl, but not sure.

@brendanstennett

Experiencing a similar issue. Getting bundle install failures for some gem hosts that are affected due to the expired root cert. I think rebuilding this image will solve the problem since it was built before the expiry happened.

@pollosp

pollosp commented Oct 21, 2021

It comes from here and the intermediate CA DST_Root_CA_X3.pem has been expired since September 3.

jruby/jruby-openssl#236

Adding the new jruby-ssl version:

gem install jruby-openssl --version 0.11.0.cr1

This snippet works:

require 'openssl'

puts JOpenSSL::VERSION if defined? JRUBY_VERSION

require 'net/http'

puts Net::HTTP.get_response(URI('https://helloworld.letsencrypt.org'))

I think the next version of JRuby will fix this, as jruby-openssl is a dependency.
In this jruby-ssl patch they are trusting the top level CA.
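The chain-building difference the comment above refers to, shown as an added example that is not code from jruby-openssl or from this thread: a constructed mini PKI (all names, keys and dates are invented) in which the new root is both self-signed in the trust store and cross-signed by an expired older root, and a path builder that either walks the server's chain to its end (which hits the expired root) or stops at the first trusted anchor it finds.

```ruby
require 'openssl'
# Added example, not jruby-openssl code: a constructed mini PKI shaped like the chain in
# this thread. New Root is self-signed in the store AND cross-signed by the expired Old Root.
NOW = Time.now
DAY = 86_400

def make_cert(subject, issuer_cert, issuer_key, key, not_after)
  c = OpenSSL::X509::Certificate.new
  c.serial = rand(1 << 62)
  c.subject = OpenSSL::X509::Name.parse(subject)
  c.issuer = issuer_cert ? issuer_cert.subject : c.subject # no issuer => self-signed
  c.public_key = key.public_key
  c.not_before = NOW - DAY
  c.not_after = not_after
  c.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  c
end

KEYS = Hash.new { |h, k| h[k] = OpenSSL::PKey::RSA.new(2048) }
OLD_ROOT = make_cert('/O=Old Trust Co/CN=Old Root', nil, nil, KEYS[:old], NOW - DAY / 2) # expired
NEW_ROOT = make_cert('/O=New CA/CN=New Root', nil, nil, KEYS[:new], NOW + 3650 * DAY)
CROSS    = make_cert('/O=New CA/CN=New Root', OLD_ROOT, KEYS[:old], KEYS[:new], NOW + 365 * DAY)
INTER    = make_cert('/O=New CA/CN=Intermediate', NEW_ROOT, KEYS[:new], KEYS[:inter], NOW + 365 * DAY)
LEAF     = make_cert('/CN=gems.example.test', INTER, KEYS[:inter], KEYS[:leaf], NOW + 30 * DAY)
SERVER_CHAIN = [INTER, CROSS] # what the server sends alongside the leaf

def issuer_in(certs, cert) # issuer lookup by name plus a real signature check
  certs.find { |c| c.subject.to_s == cert.issuer.to_s && cert.verify(c.public_key) }
end
# Returns [ok, reason]. prefer_store: true checks the trust store at every step (the fix the
# thread describes), ending at the self-signed New Root; false walks the presented chain first.
def verify_path(leaf, untrusted, store, prefer_store:)
  path = [leaf]
  until store.include?(path.last)
    cur = path.last
    from_store = issuer_in(store, cur)
    from_chain = issuer_in(untrusted.reject { |c| path.include?(c) }, cur)
    nxt = prefer_store ? (from_store || from_chain) : (from_chain || from_store)
    return [false, "unable to get issuer certificate for #{cur.subject}"] unless nxt
    path << nxt
  end
  expired = path.find { |c| c.not_after < NOW }
  return [false, "certificate has expired: #{expired.subject}"] if expired
  [true, path.map { |c| c.subject.to_s }.join(' <- ')]
end

p verify_path(LEAF, SERVER_CHAIN, [NEW_ROOT], prefer_store: false)           # fails: no issuer for the cross-sign
p verify_path(LEAF, SERVER_CHAIN, [NEW_ROOT, OLD_ROOT], prefer_store: false) # fails: Old Root has expired
p verify_path(LEAF, SERVER_CHAIN, [NEW_ROOT], prefer_store: true)            # ok: stops at self-signed New Root
```

The first two calls reproduce the two errors quoted in the issue (missing issuer, then "certificate has expired" once the old root is added to the store); the third shows why preferring the trust store at each step makes the same server chain verify.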

@headius

headius commented Feb 12, 2022

I think this is fixed in more recent images since we have updated jruby-openssl. Could someone confirm this?

@theRocket

I tested using the JDK11 Dockerfile and received the following (using same test as above):

❯ docker exec -it 442451cc5b65c514abf2277be7434570ffc7b6eccbd7e26028bdaa07a640a258 /bin/sh
# ruby -v
jruby 9.3.4.0 (2.6.8) 2022-03-23 eff48c1ebf OpenJDK 64-Bit Server VM 11.0.14.1+1 on 11.0.14.1+1 +jit [aarch64-linux]

irb(main):001:0> require 'openssl'

irb(main):002:0> puts JOpenSSL::VERSION if defined? JRUBY_VERSION
0.12.2

irb(main):003:0> require 'net/http'

irb(main):004:0> puts Net::HTTP.get_response(URI('https://helloworld.letsencrypt.org'))
#<Net::HTTPOK:0x71d0b8a4>

I tried the same on my M1 Macbook using 9.3.4.0 installed via rvm and got the same result:

❯ ruby -v
jruby 9.3.4.0 (2.6.8) 2022-03-23 eff48c1ebf OpenJDK 64-Bit Server VM 11.0.14.1+1-LTS on 11.0.14.1+1-LTS +jit [arm64-darwin]
