Fix for OpenSSL::SSL::SSLError when logging in via ELIXIR AAI

Due to LetsEncrypt root CA changing and HTTPClient maintaining its own, old list of CAs.
seek4science · Oct 5, 2021 · 622401e · 622401e
1 parent d6d4cfd
commit 622401e
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 11 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -113,7 +113,7 @@ GEM
       activerecord (>= 3.0.0)
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
-    aes_key_wrap (1.0.1)
+    aes_key_wrap (1.1.0)
     akami (1.2.2)
       gyoku (>= 0.4.0)
       nokogiri
@@ -138,7 +138,7 @@ GEM
       rack (>= 0.9.0)
     bibtex-ruby (5.1.0)
       latex-decode (~> 0.0)
-    bindata (2.4.4)
+    bindata (2.4.10)
     binding_of_caller (0.8.0)
       debug_inspector (>= 0.0.1)
     bio (1.5.1)
@@ -284,7 +284,7 @@ GEM
       railties (>= 3.2.16)
     json (2.5.1)
     json-diff (0.4.1)
-    json-jwt (1.11.0)
+    json-jwt (1.13.0)
       activesupport (>= 4.2)
       aes_key_wrap
       bindata
@@ -379,7 +379,7 @@ GEM
     mimemagic (0.3.10)
       nokogiri (~> 1)
       rake
-    mini_mime (1.1.0)
+    mini_mime (1.1.1)
     mini_portile2 (2.5.1)
     minitest (5.14.4)
     minitest-reporters (1.1.14)
@@ -432,12 +432,12 @@ GEM
     omniauth-rails_csrf_protection (0.1.2)
       actionpack (>= 4.2)
       omniauth (>= 1.3.1)
-    omniauth_openid_connect (0.2.4)
+    omniauth_openid_connect (0.3.1)
       addressable (~> 2.5)
       omniauth (~> 1.3)
       openid_connect (~> 1.1)
     open4 (1.3.0)
-    openid_connect (1.1.6)
+    openid_connect (1.3.0)
       activemodel
       attr_required (>= 1.0.0)
       json-jwt (>= 1.5.0)
@@ -481,12 +481,12 @@ GEM
     rack (2.2.3)
     rack-attack (5.0.1)
       rack
-    rack-oauth2 (1.9.3)
+    rack-oauth2 (1.19.0)
       activesupport
       attr_required
       httpclient
-      json-jwt (>= 1.9.0)
-      rack
+      json-jwt (>= 1.11.0)
+      rack (>= 2.1.0)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails (5.2.4.6)
@@ -727,7 +727,7 @@ GEM
       rails (>= 3)
       sunspot (= 2.2.8)
     sunspot_solr (2.2.7)
-    swd (1.1.2)
+    swd (1.3.0)
       activesupport (>= 3)
       attr_required (>= 0.0.5)
       httpclient (>= 2.4)
@@ -774,7 +774,7 @@ GEM
     wasabi (2.5.1)
       httpi (~> 1.0)
       nokogiri (>= 1.4.0)
-    webfinger (1.1.0)
+    webfinger (1.2.0)
       activesupport
       httpclient (>= 2.4)
     webmock (3.10.0)

diff --git a/config/initializers/httpclient_ssl_fix.rb b/config/initializers/httpclient_ssl_fix.rb
@@ -0,0 +1,12 @@
+# Monkeypatch to work around: https://github.com/nahi/httpclient/issues/445
+require 'httpclient'
+
+class HTTPClient
+  alias original_initialize initialize
+
+  def initialize(*args, &block)
+    original_initialize(*args, &block)
+    # Force use of the default system CA certs (instead of the 6 year old bundled ones)
+    @session_manager&.ssl_config&.set_default_paths
+  end
+end