Hello,
Since 18 April, around 19h30 (07:30 pm), my instance hasn't been federating. I tried restarting Mastodon, Apache, even the server, and nothing works.
At first, I thought it was a proxy error, because I had errors about the proxy in my Apache error file. Now it seems to work, there are no more errors, but it's still not federating.
On Sidekiq, there are a lot of failed and "retries" jobs. They all say:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
My openssl version is OpenSSL 1.1.0f-dev xx XXX xxxx.
I renewed my certificates, but this doesn't solve the problem...
I updated to v1.2 yesterday, and now I'm on v1.2.2.
I'm lost, what could I do to solve this?
Do you have the ca-certificates bundle installed? Which Linux distribution do you use?
I'm not sure at which paths the ruby OpenSSL module looks by default, but maybe you'll have to set it to the correct location for your distribution.
I had a similar-looking problem with Let's Encrypt certificates. This pointed me in the right direction: https://github.com/certbot/certbot/issues/2026
I'm on Debian (Jessie). I installed ca-certificates.
ruby -ropenssl -e 'p OpenSSL::X509::DEFAULT_CERT_FILE' tells me "/usr/lib/ssl/cert.pem".
I'm using Let's Encrypt, so I have put the Let's Encrypt chain.pem + ca-certificates.crt inside /usr/lib/ssl/cert.pem, but it still doesn't work...
Is this what you have done, @celesteh?
Thanks!
I have had the same problem since Gargron bumped the Ruby version.
I don't know if my instance is still federating; I stumbled upon this problem when I realized my instance doesn't send mails any more because of the error. I've tried three e-mail servers with various certificates and setting the SSL options to OpenSSL::SSL::VERIFY_NONE, but the problem still persists.
Have you guys checked #1496 or #1486?
Hey @ToroNZ. Thanks for pointing me in that direction. I patched it manually and now it is sending mails again.
Hey @ToroNZ: I tried to add the cert file like here, but it only concerns SMTP; that changed nothing about federation... :|
I hit the same issue and I think I've got a lead. See the logs containing the Arguments to this job.
One URL there that appears a lot is bernard.tcit.fr. This is weird, because the Mastodon instance hosted there is called social.tcit.fr. I wonder if the admin hasn't moved domain names and forgotten to change something in their configuration. When trying to access bernard.tcit.fr with my browser, I get an SSL exception saying that the certificate is valid for social.tcit.fr. Since this triggers an SSL error in Ruby code, I assume this could be the same cause. I've contacted the admin and asked them to see if there was something wrong in their configuration.
However, Sidekiq could probably be more resilient here and just 1. avoid fetching data on a domain that has an SSL issue, with a way to warn the administrator ideally, or 2. just have a way to ignore SSL errors with all/some domains.
The following is fixing the issue locally, but I am very unsure about my Ruby, so I'll defer to somebody who can make a better patch out of this.
commit 68c39fc917479b9f1eb7a6525b1b6f0160d1afac
Author: Benjamin Bouvier <[email protected]>
Date: Mon Apr 24 02:18:33 2017 +0200
Fix fetch of avatar/header if SSL is incorrectly set on the instance;
diff --git a/app/models/account.rb b/app/models/account.rb
index 084b17f..b263060 100644
--- a/app/models/account.rb
+++ b/app/models/account.rb
@@ -188,6 +188,8 @@ class Account < ApplicationRecord
self.avatar = parsed_url
self[:avatar_remote_url] = url
+ rescue OpenSSL::SSL::SSLError => e
+ Rails.logger.debug "Error fetching remote avatar: #{e}"
rescue OpenURI::HTTPError => e
Rails.logger.debug "Error fetching remote avatar: #{e}"
end
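Review bot: The new `rescue OpenSSL::SSL::SSLError => e` branch in the avatar setter logs at debug level with exactly the same text as the `OpenURI::HTTPError` branch below it, so a certificate verification failure is both hidden at normal production log levels and indistinguishable from an HTTP error. Consider a single `rescue OpenURI::HTTPError, OpenSSL::SSL::SSLError => e` clause and a message that includes `url` and the exception class, logged at a level an administrator will actually see, since a failing certificate on a remote host is something worth surfacing rather than silently skipping.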
@@ -199,6 +201,8 @@ class Account < ApplicationRecord
self.header = parsed_url
self[:header_remote_url] = url
+ rescue OpenSSL::SSL::SSLError => e
+ Rails.logger.debug "Error fetching remote avatar: #{e}"
rescue OpenURI::HTTPError => e
Rails.logger.debug "Error fetching remote header: #{e}"
end
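Review bot: The added rescue in the header setter logs "Error fetching remote avatar", copied from the avatar hunk; the `OpenURI::HTTPError` branch right below it correctly says "Error fetching remote header". Change the new message to say "header" so that log lines point at the right attribute, or merge both exception classes into one rescue clause so the message exists only once.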
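Two causes come up in this thread: a CA bundle that Ruby cannot find, and a certificate issued for a different host name (the bernard.tcit.fr / social.tcit.fr case). The following added example, which is not part of any post above or of Mastodon's code, tells them apart offline with Ruby's OpenSSL bindings; the host names, keys and certificates in it are constructed samples.

```ruby
require 'openssl'

# Build a throwaway certificate. All names and keys here are constructed samples.
def make_cert(cn, key, sans: [], issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  unless sans.empty?
    cert.add_extension(ef.create_extension('subjectAltName', sans.map { |d| "DNS:#{d}" }.join(',')))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Classify a peer certificate: chain of trust first, then host name.
def diagnose(cert, hostname, store)
  return [:untrusted_chain, store.error_string] unless store.verify(cert)
  return [:hostname_mismatch, nil] unless OpenSSL::SSL.verify_certificate_identity(cert, hostname)
  [:ok, nil]
end

def run_demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Constructed Test CA', ca_key, ca: true)
  leaf = make_cert('social.example.test', leaf_key, sans: ['social.example.test'],
                   issuer: ca, issuer_key: ca_key)
  trusted = OpenSSL::X509::Store.new
  trusted.add_cert(ca)
  empty = OpenSSL::X509::Store.new # stands in for a missing or wrong CA bundle path
  {
    good_host: diagnose(leaf, 'social.example.test', trusted).first,
    other_host: diagnose(leaf, 'bernard.example.test', trusted).first,
    no_bundle: diagnose(leaf, 'social.example.test', empty).first
  }
end

p run_demo if $PROGRAM_NAME == __FILE__
```

An `:untrusted_chain` result points at the local trust store and is fixed on your own server; a `:hostname_mismatch` result points at the remote host's configuration and cannot be fixed by changing the local CA bundle.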