#ruby - 21 December 2018
[00:02:41] havenwood: isene: It's always `false` in Pry, since Pry requires FileUtils. In IRB it'd usually be `true` the first time.
[00:07:10] havenwood: isene: Maybe Ubuntu packagers are doing `irb -rfileutils` or patched IRB. Assuming it's not causing you any issue? Just curious?
[00:11:40] isene: Hmm.. it seems it doesn't cause me any issues - I have an issue that I'm wrestling with, and I thought this could be an issue but it's not. Thanks for the input regarding pry and fileutils, though - I didn't know that
[00:21:16] isene: I have a mail fetch script that has run more than 5 million times without a hiccup. Now as I upgraded from Ubuntu 18.04 to 18.10 (with Ruby 2.5), I get this when trying to log in to a remote (gmail) server:
[00:21:21] isene: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)
[00:33:50] havenwood: isene: Did you add your self-signed cert .crt to /usr/local/share/ca-certificates and c_rehash or whatever?
[00:34:28] havenwood: isene: Normally you'd install the update-ca-certificates package to update certs, but looks like you're using a self signed one?
[00:35:35] isene: havenwood: I'm clueless in this - my script has worked just nicely before and now it fails... baby steps please?
[00:36:33] havenwood: isene: So this isn't a Ruby issue, but your OS has a list of certs it trusts. There's an apt package called update-ca-certificates that folk usually use to update trusted certs.
[00:39:44] havenwood: isene: In your case, an up-to-date list of trusted certs doesn't help, because it's balking at a self-signed cert.
[00:42:59] havenwood: isene: It's pretty offtopic for this channel, but the good folk in #ubuntu can probably guide you.
[00:43:42] havenwood: isene: Generally, try `apropos certificates`, and then check any manpages that seem relevant. Like: man update-ca-certificates
[00:45:23] havenwood: isene: It's likely put a cert in a folder then run a command. I don't recall offhand or I'd just say.
[00:46:24] havenwood: isene: Or you're not supposed to be using a self-signed cert. That's another possibility, but the reason Ruby is balking is it doesn't know about this cert.
[00:47:55] havenwood: isene: I see you mention Gmail, which makes me think something is amiss with a self-signed cert.
[00:48:25] havenwood: isene: Check the cert outside Ruby, but it's likely a system problem rather than Ruby-related.
[00:53:41] havenwood: isene: Take a look at the cert and see if you can spot any issues. You might want to read up a bit on certs.
[00:57:23] havenwood: isene: Is there a certificate chain? You changed "gmail.com" to what you're really hitting?
[00:59:38] havenwood: isene: If you can share your Ruby code, folk here might be better able to guess what's going on.
[01:03:31] isene: havenwood: Sure, it's all here: https://github.com/isene/mailfetch/blob/master/mail_fetch.rb
[01:13:14] isene: havenwood: It's failing on this: $imap_from = Net::IMAP.new("imap.gmail.com", port="993", usessl="true")
[10:06:19] isene: back to the issue at hand after a night's sleep; Anyone knows how to ensure Ruby looks for certificates in the correct place?
[10:50:56] Iambchop: isene: are you using ubuntu's packaged, build your own, 3rd party package? you used imap.gmail.com:993 on your s_client test? the line you said it's failing on "imap.gmail.com" isn't in the script you posted (ms is in the script). test with just a minimal example e.g. $ ruby -r net/imap -e 'p Net::IMAP.new("imap.gmail.com", 993, ssl: true)'
[13:14:18] marz_d`ghostman: Does Logger automatically capture stderr and stdout if you set it to FATAL?
[14:31:27] isene: OK, I have checked and verified left, right & center. This is a Ruby specific issue with my setup after upgrading from Ubuntu 18.04 to 18.10. It seems some package was broken, but I don't understand which (or if there is another Ruby issue relating to upgrade to 2.5). Here's my testing results:
[14:32:25] isene: Checking with openssl raw ' openssl s_client -showcerts -connect imap.gmail.com -port 993 ' all certs checks out with verify=1
[14:34:24] isene: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)
[14:35:20] isene: There is no issue with the certificates (as verified with openssl and python). It may be that Ruby is looking for certificates in the wrong place or something?
[14:36:13] isene: As you see, I don't even get to logging in to gmail with un/pw - as it fails on connect
[14:37:50] phaul: you could try scanning through strace of pry vs python. Looking for paths they open for certs. It's a long shot but it could prove you right, or give more hints
[14:41:03] isene: phaul: I could do that (will check when I get home - I am on an airplane as I write with a spartan connection)
[14:42:11] phaul: well, it's just an idea, usually strace outputs thousands of lines of logs, so it helps if you have something to grep for. like "cert"
[14:44:23] isene: lambarena: The very basic ' ruby -r net/imap -e 'p Net::IMAP.new("imap.gmail.com", 993, ssl: true)' ' returns the same error as the pry/irb example; /usr/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate) (OpenSSL::SSL::SSLError)
[14:53:14] isene: phaul: Seems that was a really good idea to use strace. Check this: http://dpaste.com/26N1H17
[16:34:00] marz_d`ghostman: If a thread raises an error like TypeError: no implicit conversion of nil into String, how do I capture it for logging?
[16:55:33] KrzaQ: is there something like .first_or(val) for arrays/enumerables? I want to streamline getting data from containers
[16:59:05] marz_d`ghostman: How do I capture errors from a thread. I tried: https://gist.github.com/marzdgzmn/da9c0eb69a6fa9647531e8ffbeecf2eb/edit. But it doesn't seem to work
[17:12:40] Iambchop: KrzaQ: when should it return val instead of first (e.g. only if array is empty, only if first is nil, only if first is falsey)?
[17:15:21] KrzaQ: In my case I wanted to get a proper value, but anything that would allow me getting a point-free chain would be preferred over wrapping the chain in parens or naming variables
[17:17:51] KrzaQ: I would say it makes for very clear intent if you're doing just data manipulation and can fit it short code
[17:20:22] marz_d`ghostman: Can someone suggest a good article or book about threads in ruby like how to capture its stdout and stderr.
[17:25:26] KrzaQ: recent advent of code made me wish for array fetch that wouldn't interpret negative indices
[17:28:37] KrzaQ: I mean, it was trivial to monkey patch it into the class, but I would prefer not having to do that (and not doing it outside of a toy puzzle code)
[18:21:21] KrzaQ: in the case I wanted? nil, basically I wanted to build a grid out of arrays, and to cut the edge cases by having out-of-bounds access return nil
[19:20:08] isene: phaul: I'm back. And with a bit more research it seems that Ruby is looking for a cert.pem in /usr/lib/ssl/ that doesn't exist (this may be just one of several issues). I tried purging ruby completely and reinstalling it - to no use. wtf?
[19:28:07] havenwood: isene: What's your DEFAULT_CERT_DIR?: ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_DIR"
[19:34:50] ubuntuisloved: I'm taking over a project with pundit but I cannot seem to figure out how to get my user authorized with it. There are api routes and such but none actually throw up a user auth screen. Any direction you can send me to look for would be very helpful.
[19:35:03] ruby[bot]: ubuntuisloved: Please join #RubyOnRails for Rails questions. You need to be identified with NickServ, see /msg NickServ HELP
[19:35:41] isene: after yet another update-ca-certificates and the c_rehash I still get the same :-/
[19:37:09] isene: Well, openssl finds it and python runs everything just fine... how do I see if it's there (I'm not well versed in certificates and such)?
[19:38:55] havenwood: isene: It'd be one of the .pem files in that dir. You could put it there then c_rehash if it's not there.
[19:40:30] havenwood: isene: Here's how you can just load a .pem directly without getting it setup in /usr/lib/ssl/certs at all: https://mislav.net/2013/07/ruby-openssl/#it-was-a-custom-certificate-that-we-use-internally-in-our-organization-that-my-program-cant-verify
[19:40:59] havenwood: isene: That ^ writeup mislav did also has some background reading about certs in the context of Ruby.
[19:41:53] isene: The cert I need is for imap.gmail.com - how do I find it in that dir? I have no idea what I'm looking for even
[19:42:47] isene: Would you want to see the full strace of ruby -r net/imap -e 'p Net::IMAP.new("imap.gmail.com", 993, ssl: true)' ?
[19:44:42] havenwood: isene: Usually you grab a CA certificate store in .pem format from curl or mozilla that has a whitelist of certificate authority certs. update-ca-certificates is the automagical way to do that.
[19:45:44] havenwood: isene: In my experience it usually *just works* after a: sudo update-ca-certificates
[19:46:05] isene: So, does that include the imap.gmail.com? You see, this was working just beautifully since 10 years back, and my mail_fetch.rb has been running more than 5 million times since then without a glitch. No stuff is wrecked.
[19:47:07] isene: And it DOES work with openssl and with Python, and that is what drives me nuts here
[19:48:45] havenwood: isene: It looks like Gmail used to be configured with a self-signed cert - one that wouldn't be in a cert bundle. Hrm. This isn't my area of expertise so I'm not spotting the issue.
[19:50:52] isene: But how can openssl and python do this without an issue while ruby balks? mepuzzled
[19:51:27] havenwood: isene: What's the Python equivalent of OpenSSL::X509::DEFAULT_CERT_FILE pointing at?
[19:57:03] isene: Commands here https://stackoverflow.com/questions/36449336/what-is-my-openssl-and-ssl-default-ca-certs-path tells me that python finds the certs here: /etc/ssl/certs/ca-certificates.crt and logs in to imap.gmail.com just fine
[20:01:09] havenwood: isene: Does it work if you set: ENV['SSL_CERT_FILE'] = '/etc/ssl/certs/ca-certificates.crt'
[20:02:16] havenwood: isene: If so, from your shell you can: export SSL_CERT_FILE="/etc/ssl/certs/ca-certificates.crt"
[20:02:56] havenwood: isene: I'm tempted to say just convert that .crt to a .pem, put it in /usr/lib/ssl/certs and c_rehash
[20:03:47] darix: seems I have another action items NOTE: Gem::Specification#has_rdoc is deprecated with no replacement. It will be removed on or after 2018-12-01.
[20:04:41] darix: /etc/ssl/certs/ca-certificates.crt this seems like something wrong when you use update-ca-certificates
[20:05:06] darix: havenwood: before I can work on this I need to wait for my gitlab package to publish
[20:05:39] isene: That ENV['SSL_CERT_FILE'] = '/etc/ssl/certs/ca-certificates.crt' did nothing. I will try to copy the .crt file to .pem and do c_rehash
[20:06:10] darix: you shouldn't have to use c_rehash anymore with a system that uses update-ca-certificates
[20:07:42] isene: darix: Well, I have tried what seems to be everything under the sun here and still coming up short :-/
[20:09:32] darix: isene: normally if you use your system ruby and don't configure anything special with your CA certs in your script or any of the gems you are using
[20:11:44] isene: darix: I have done that. Works just fine. Python also works just fine. But Ruby goes haywire (see https://isene.org/x/strace.log3)
[20:13:33] isene: So - it isn't a certificate issue, it is a ruby issue. I do this: ruby -r net/imap -e 'p Net::IMAP.new("imap.gmail.com", 993, ssl: true)' and it reports this: /usr/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate) (OpenSSL::SSL::SSLError)
[20:14:47] isene: Everything worked just fine up until I upgraded from Ubuntu 18.04 to 18.10 yesterday (I mean it has worked more than 5 million times over the past 10 years with script running every minute)
[20:16:18] isene: my full script is here, btw; https://github.com/isene/mailfetch/blob/master/mail_fetch.rb
[20:20:37] isene: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)
[22:11:46] Quintasan: Is anyone familiar with BigInteger internals? I'm trying to find how does MRI handle cases when a custom class implements #coerce
[22:42:59] isene: On Ubuntu 18.10, there is only Ruby 2.5.1 What's the simplest way of installing Ruby 2.0 instead?
[22:43:58] Eiam: it will literally show the implementation, not sure how much more direct how it works gets!