wicked_pdf
ActionView::Template::Error: SSL_connect returned=1 errno=0 state=error: certificate verify failed
Issue description
Hi there,
Since the R3 expired certificate from September 30th, my Wickedpdf stopped working. It seems I cannot call wicked_pdf_stylesheet_link_tag, due to a certificate error.
Here is the stacktrace:
ActionView::Template::Error: SSL_connect returned=1 errno=0 state=error: certificate verify failed
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/protocol.rb:44:in `connect_nonblock'
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/protocol.rb:44:in `ssl_socket_connect'
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/http.rb:928:in `connect'
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/http.rb:863:in `do_start'
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/http.rb:852:in `start'
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/http.rb:584:in `start'
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/http.rb:479:in `get_response'
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/http.rb:456:in `get'
from /usr/local/rvm/gems/ruby-2.3.6/gems/wicked_pdf-2.1.0/lib/wicked_pdf/wicked_pdf_helper/assets.rb:159:in `read_from_uri'
from /usr/local/rvm/gems/ruby-2.3.6/gems/wicked_pdf-2.1.0/lib/wicked_pdf/wicked_pdf_helper/assets.rb:149:in `read_asset'
from /usr/local/rvm/gems/ruby-2.3.6/gems/wicked_pdf-2.1.0/lib/wicked_pdf/wicked_pdf_helper/assets.rb:20:in `block in wicked_pdf_stylesheet_link_tag'
from /usr/local/rvm/gems/ruby-2.3.6/gems/wicked_pdf-2.1.0/lib/wicked_pdf/wicked_pdf_helper/assets.rb:18:in `collect'
from /usr/local/rvm/gems/ruby-2.3.6/gems/wicked_pdf-2.1.0/lib/wicked_pdf/wicked_pdf_helper/assets.rb:18:in `wicked_pdf_stylesheet_link_tag'
from /home/app/app/views/layouts/pdf.html.erb:5:in `_app_views_layouts_pdf_html_erb__4356050262088495231_58899600'
from /usr/local/rvm/gems/ruby-2.3.6/gems/actionview-4.2.0/lib/action_view/template.rb:145:in `block in render'
from /usr/local/rvm/gems/ruby-2.3.6/gems/activesupport-4.2.0/lib/active_support/notifications.rb:166:in `instrument'
Expected or desired behavior
Not getting any certificate errors.
System specifications
Ubuntu 16.04 Docker image: phusion/passenger-ruby23:0.9.29
wicked_pdf gem version (output of cat Gemfile.lock | grep wicked_pdf):
wicked_pdf (2.1.0)
wkhtmltopdf version (output of wkhtmltopdf --version):
wkhtmltopdf provider gem and version if one is used:
Using gem 'wkhtmltopdf-binary'
platform/distribution and version (e.g. Windows 10 / Ubuntu 16.04 / Heroku cedar):
Ubuntu 16.04
Hi, Same problem here @jpmermoz Did you find a workaround?
> Hi, Same problem here @jpmermoz Did you find a workaround?

Yes, I modified the Dockerfile in order to remove the expired certificate:

FROM phusion/passenger-ruby23:0.9.29
# Make a backup of your sources.list
RUN mv /etc/apt/sources.list.d /etc/apt/sources.list.d.bak
# Install these 2 packages
RUN apt-get install libgnutls30 ca-certificates
# Restore sources.list
RUN mv /etc/apt/sources.list.d.bak /etc/apt/sources.list.d
# Rest of dockerfile
....
# Fix R3 expired certificate
RUN rm /etc/ssl/certs/2e5ac55d.0
RUN rm /etc/ssl/certs/12d55845.0
RUN rm /etc/ssl/certs/DST_Root_CA_X3.pem
RUN sed -i '/mozilla\/DST_Root_CA_X3.crt/d' /etc/ca-certificates.conf
RUN update-ca-certificates
Thank you @jpmermoz it worked !
Is this expired certificate part of wicked_pdf, wkhtmltopdf, or Ubuntu linux? Which Dockerfile did you edit, one related to deploying your specific application?
> Is this expired certificate part of wicked_pdf, wkhtmltopdf, or Ubuntu linux? Which Dockerfile did you edit, one related to deploying your specific application?

I think the issue is part of Ubuntu 16.04. Right now I'm using this image based on that version of Ubuntu: phusion/passenger-ruby23:0.9.29
I'm using Debian 8.9 Jessie and had the issue as well. Worth noting that Ubuntu is based on Debian, though. The issue is part of the system configuration. Managing your certificates is a standard sysadmin maintenance operation.
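An added example, not part of the thread or of wicked_pdf: a Ruby check that lists the expired certificates in a CA bundle, which is the condition the Dockerfile workaround above removes by hand, and shows the verdict OpenSSL gives for an expired root. The function names are hypothetical and the two CAs are constructed sample data generated in the script.

```ruby
require "openssl"

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Parse every certificate in a PEM bundle such as /etc/ssl/certs/ca-certificates.crt.
def certs_in_bundle(pem_text)
  pem_text.scan(PEM_CERT).map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Subjects of the certificates in the bundle that have already expired at `now`.
def expired_subjects(pem_text, now = Time.now)
  certs_in_bundle(pem_text).select { |c| c.not_after < now }.map { |c| c.subject.to_s }
end

# Verify a root against a store that trusts it and return OpenSSL's verdict string.
def verify_verdict(cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)
  store.verify(cert)
  store.error_string
end

# Constructed sample data: a throwaway self-signed CA with the given validity window.
def sample_ca(cn, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/O=Constructed Example/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

if __FILE__ == $PROGRAM_NAME
  day = 86_400
  old = sample_ca("Expired Root", Time.now - 30 * day, Time.now - day)
  cur = sample_ca("Current Root", Time.now - day, Time.now + 30 * day)
  bundle = old.to_pem + cur.to_pem
  expired_subjects(bundle).each { |s| puts "expired: #{s}" }
  puts "verify(old) => #{verify_verdict(old)}"
  # On a real host: expired_subjects(File.read("/etc/ssl/certs/ca-certificates.crt"))
end
```

Running the same check on every host that renders PDFs shows whether their trust stores differ.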
>> Hi, Same problem here @jpmermoz Did you find a workaround?
>
> Yes, I modified the Dockerfile in order to remove the expired certificate:
>
> FROM phusion/passenger-ruby23:0.9.29
> # Make a backup of your sources.list
> RUN mv /etc/apt/sources.list.d /etc/apt/sources.list.d.bak
> # Install these 2 packages
> RUN apt-get install libgnutls30 ca-certificates
> # Restore sources.list
> RUN mv /etc/apt/sources.list.d.bak /etc/apt/sources.list.d
> # Rest of dockerfile
> ....
> # Fix R3 expired certificate
> RUN rm /etc/ssl/certs/2e5ac55d.0
> RUN rm /etc/ssl/certs/12d55845.0
> RUN rm /etc/ssl/certs/DST_Root_CA_X3.pem
> RUN sed -i '/mozilla\/DST_Root_CA_X3.crt/d' /etc/ca-certificates.conf
> RUN update-ca-certificates

Same problem here, it does not work.
Exception>>> ActionView::Template::Error: "SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)"
Backtrace( Application Only, 5 below )>>> app/helpers/wicked_pdf_helper.rb:11:in `pdf_stylesheet_pack_tag'
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial
ruby 2.7.2
wicked_pdf (2.1.0)
Same issue here. There is a strange behaviour in wicked_pdf_stylesheet_link_tag: considering that the asset is locally present (also in the manifest),
ActionView::Base.new.wicked_pdf_stylesheet_link_tag "asset_name"
works, and returns the actual asset, while
wicked_pdf_stylesheet_link_tag "asset_name"
raises the stated error. Is it possible that net/http uses a different pem chain still affected by the X3 certificate expiration? And why does the first call work?
Hi there. We are experiencing the same issue in one of our apps. We generate a PDF of an invoice and send it out as an email attachment. Recently this has started failing with the error SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (certificate has expired).
The stack trace points to a call to wicked_pdf_stylesheet_link_tag, which if commented out, resolves the problem.
Now here's where things get stranger: This issue only happens when we try to send it over email. We are using WickedPdf.new.pdf_from_string to generate the PDF and attach it.
We also have a view in the app that the user can click on to see the invoice on demand. This method goes through a rails controller and renders out using render pdf:. This view, currently, is working perfectly fine.
I'm completely perplexed as to why one way works and the other doesn't.
@gregawoods
> The stack trace points to a call to wicked_pdf_stylesheet_link_tag, which if commented out, resolves the problem.

Is that specific stylesheet being served from a domain with an expired certificate?

> Now here's where things get stranger: This issue only happens when we try to send it over email. We are using WickedPdf.new.pdf_from_string to generate the PDF and attach it. I'm completely perplexed as to why one way works and the other doesn't.

Are emails processed and sent from a different server than the app itself is deployed on? Recently the Ubuntu system SSL certs expired. Maybe they got updated on the web servers and not the job servers?
Yes, it could be something like that. If you use deliver_later, could you try to send your email with deliver_now? The gem is a wrapper to a program that generates the PDF, so maybe in a request context (i.e. in the controller) the asset path is given as a filepath but outside it as an https url?
Regardless of the exact understanding of the bug, the root cause is probably the same as ours: did you check for the certs and config files mentioned by jpmermoz?
- The stylesheet is local (= wicked_pdf_stylesheet_link_tag 'pdf/application').
- Email processing happens on the same server that the application runs on.

> If you use deliver_later, could you try to send your email with deliver_now ?

In fact, I don't have to call either delivery method. Simply calling the mailer (eg: InvoiceMailer.foo(x)) is enough to trigger the error. I can replicate this much in rails console.
Now, this makes some sense when I think about the fact that this is more about email rendering than it is about email delivery itself. Thus I come back to some apparent difference in using pdf_from_string versus render pdf:.
> Now, this makes some sense when I think about the fact that this is more about email rendering than it is about email delivery itself. Thus I come back to some apparent difference in using pdf_from_string versus render pdf:.

They are a little different. pdf_from_string takes render arguments as the second (optional) argument, and assumes the HTML being rendered is already complete.
You might want to compare what you are passing to pdf_from_string vs the HTML you get using render pdf: 'something', show_as_html: true.
Feel free to bundle open the wicked_pdf gem and place debugger breakpoints around also.
Ah, I just figured something out. I have set config.action_mailer.asset_host = 'https://my-hostname-here.com' in my production environment.
This, I suspect, is causing = wicked_pdf_stylesheet_link_tag 'pdf/application' to try and pull the css over http rather than treating it like a local file. Interesting!
That at least explains why it was acting different for me.