Home → Problems →

Unable to connect to rubygems.org from our linux server. Handshake_failure

• Edit

Suresh Kongara

15 Feb, 2021 11:57 PM

Hello team, I was trying to install logstash plugins in a Linux server in cloud(Amazon Linux AMI 2016.09). and got the error that the server is not able to download data from https://rubygems.org. Handshake_failure

Command used to install plugin: sudo /usr/share/logstash/bin/logstash-plugin install logstash-filter-environment

Error log: Validating logstash-filter-environment
Unable to download data from https://rubygems.org - Received fatal alert: handshake_failure (https://api.rubygems.org/latest_specs.4.8.gz)
ERROR: Installation aborted, verification failed for logstash-filter-environment

Tried to access this website from this server with this command: w3m https://rubygems.org
Error log: Bad cert ident from rubygems.org: dNSName=j.sni.global.fastly.net

I can successfully wget https://rubygems.org/latest_specs.4.8.gz from the server and it got downloaded successfully.

Got this issue with Ruby 2.0, so upgraded version to Ruby 3.0 and still the same error.

Please let me know if you know any solutions.

1. Support Staff 1 Posted by sonalkr132 on 16 Feb, 2021 06:17 AM

   

   Hi Suresh,

   w3m https://rubygems.org Error log: Bad cert ident from rubygems.org: dNSName=j.sni.global.fastly.net

   Can you please check which IP address is this connecting to? This is working on my system. please confirm you are using the latest version.

   Make sure you are using the latest rubygems version and try adding/updating ca-certificates package on your host. If this doesn't work, it would be helpful if you can share steps to reproduce this, with ami id and commands you ran. Also, please share output of following command:
   

   curl -Lks 'https://git.io/rg-ssl' | ruby
   

   • Edit

2. 2 Posted by Suresh Kongara on 16 Feb, 2021 07:51 AM

   

   Hi these are the details,

   IP address i am connecting to:
   [root@ip-10-65-0-91 rubygems.org]# nslookup rubygems.org
   Server: 10.65.227.23
   Address: 10.65.227.23#53

   Non-authoritative answer:
   Name: rubygems.org
   Address: 151.101.66.132
   Name: rubygems.org
   Address: 151.101.2.132
   Name: rubygems.org
   Address: 151.101.194.132
   Name: rubygems.org
   Address: 151.101.130.132

   I have updated to the latest versions:
   [root@ip-10-65-0-91 ~]# ruby -v
   ruby 3.0.0p0 (2020-12-25 revision 95aff21468) [x86_64-linux]

   [root@ip-10-65-0-91 ~]# gem --version
   3.2.3

   Checked the certificates:
   [root@ip-10-65-0-91 rubygems.org]# ls
   GlobalSignRootCA.pem GlobalSignRootCA_R3.pem GlobalSignRootCA_R3.pem.1
   [root@ip-10-65-0-91 rubygems.org]# pwd
   /usr/local/rvm/rubies/ruby-3.0.0/lib/ruby/3.0.0/rubygems/ssl_certs/rubygems.org

   Still have the same error. Sharing the commands to reproduce the error.
   1. wget https://artifacts.elastic.co/downloads/logstash/logstash-5.2.2.rpm
   2. rpm -Uvh logstash-5.2.2.rpm
   3. sudo /usr/share/logstash/bin/logstash-plugin install logstash-filter-environment

   AMI ID: ami-6536791d
   OS : Amazon Linux AMI 2018.03

   [root@ip-10-65-0-91 ~]# curl -Lks 'https://git.io/rg-ssl' | ruby
   Here's your Ruby and OpenSSL environment:

   Ruby: 3.0.0p0 (2020-12-25 revision 95aff214687a5e12c3eb57d056665741e734c188) [x86_64-linux]
   RubyGems: 3.2.3
   Bundler: 2.2.10
   Compiled with: OpenSSL 1.0.2k 26 Jan 2017
   Loaded version: OpenSSL 1.0.2k-fips 26 Jan 2017
   SSL_CERT_FILE: /etc/pki/tls/cert.pem
   SSL_CERT_DIR: /etc/pki/tls/certs

   With that out of the way, let's see if you can connect to rubygems.org...

   Bundler connection to rubygems.org: success ✅
   RubyGems connection to rubygems.org: success ✅
   Ruby net/http connection to rubygems.org: success ✅

   Hooray! This Ruby can connect to rubygems.org. You are all set to use Bundler and RubyGems. 

   Thank you.

   • Edit

3. Support Staff 3 Posted by sonalkr132 on 22 Feb, 2021 03:57 AM

   

   Hi,

   logstash doesn't uses MRI ruby. It uses Jruby:
   

   $ sudo cat /usr/share/logstash/bin/logstash-plugin
   #!/bin/sh
   unset CDPATH
   .  "$(cd dirname $0/..; pwd)/bin/logstash.lib.sh"
   setup
   #bin/logstash-plugin is a short lived ruby script thus we can use aggressive "faster starting JRuby options"
   export JRUBY_OPTS="$JRUBY_OPTS -J-XX:+TieredCompilation -J-XX:TieredStopAtLevel=1 -J-noverify -X-C -Xcompile.invokedynamic=false"
   

   As far as I can tell, the vendored version of jruby is too old and doesn't support SNI:
   

   $ sudo /usr/share/logstash/vendor/jruby/bin/jruby -v
   jruby 1.7.25 (1.9.3p551) 2016-04-13 867cb81 on OpenJDK 64-Bit Server VM 1.8.0_171-b10 +jit [linux-amd64]
   

   You will need to find a way to update jruby vendored with logstash. Alternatively, you can use slightly newer logstash, I have verified that logstash-5.6.16 works.
   • Edit

4. 4 Posted by Suresh Kongara on 23 Feb, 2021 05:27 PM

   

   Thank you for the insights. The version 5.6.16 works for me.

   • Edit

5. sonalkr132 closed this discussion on 12 Mar, 2021 09:12 AM.