[MediaWiki-commits] [Gerrit] operations/puppet[production]: ruby-httpclient callers: Use the operating system's certific...
Alexandros Kosiaris has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/311048 ) Change subject: ruby-httpclient callers: Use the operating system's certificate store .. ruby-httpclient callers: Use the operating system's certificate store Rather than ruby-httpclient's cacert.p7s which doesn't even have the root used to sign Let's Encrypt CAs (DST Root CA X3). Bug: T145808 Bug: T154913 Change-Id: I310dd4040639cc56d2b7d49c48b86321ecbb220c --- M modules/wmflib/lib/hiera/httpcache.rb M modules/wmflib/lib/hiera/mwcache.rb 2 files changed, 12 insertions(+), 0 deletions(-) Approvals: Alexandros Kosiaris: Verified; Looks good to me, approved diff --git a/modules/wmflib/lib/hiera/httpcache.rb b/modules/wmflib/lib/hiera/httpcache.rb index 70a65f8..270c449 100644 --- a/modules/wmflib/lib/hiera/httpcache.rb +++ b/modules/wmflib/lib/hiera/httpcache.rb @@ -8,6 +8,12 @@ config = Config[:httpyaml] @url_prefix = config[:url_prefix] @http = HTTPClient.new(:agent_name => 'HieraHttpCache/0.1') + + # Use the operating system's certificate store, not ruby-httpclient's cacert.p7s which doesn't + # even have the root used to sign Let's Encrypt CAs (DST Root CA X3) + @http.ssl_config.clear_cert_store + @http.ssl_config.set_default_paths + @stat_ttl = config[:cache_ttl] || 60 if defined? @http.ssl_config.ssl_version @http.ssl_config.ssl_version = 'TLSv1' diff --git a/modules/wmflib/lib/hiera/mwcache.rb b/modules/wmflib/lib/hiera/mwcache.rb index 94d4b1b..7826806 100644 --- a/modules/wmflib/lib/hiera/mwcache.rb +++ b/modules/wmflib/lib/hiera/mwcache.rb 
@@ -12,6 +12,12 @@ @httphost = config[:host] || 'https://wikitech.wikimedia.org' @endpoint = config[:endpoint] || '/w/api.php' @http = HTTPClient.new(:agent_name => 'HieraMwCache/0.1') + + # Use the operating system's certificate store, not ruby-httpclient's cacert.p7s which doesn't + # even have the root used to sign Let's Encrypt CAs (DST Root CA X3) + @http.ssl_config.clear_cert_store + @http.ssl_config.set_default_paths + @stat_ttl = config[:cache_ttl] || 60 if defined? @http.ssl_config.ssl_version @http.ssl_config.ssl_version = 'TLSv1' -- To view, visit https://gerrit.wikimedia.org/r/311048 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I310dd4040639cc56d2b7d49c48b86321ecbb220c Gerrit-PatchSet: 3 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Alex Monk Gerrit-Reviewer: Alexandros Kosiaris Gerrit-Reviewer: BBlack Gerrit-Reviewer: Giuseppe Lavagetto Gerrit-Reviewer: Yuvipanda Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
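Review bot: In the httpcache.rb hunk the two added calls, `@http.ssl_config.clear_cert_store` and `@http.ssl_config.set_default_paths`, run unconditionally, while the context line directly below them wraps the `ssl_version` assignment in `if defined? @http.ssl_config.ssl_version`. That guard implies the file is expected to load against ruby-httpclient versions whose SSLConfig API differs. If any of those versions lacks `set_default_paths`, the constructor now raises NoMethodError after the bundled store has already been cleared. Either guard the pair with `respond_to?(:set_default_paths)` and keep the bundled store when it is absent, or state the minimum ruby-httpclient version in the comment so the assumption is visible.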
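Review bot: The mwcache.rb hunk repeats, character for character, the four lines and the comment added in the httpcache.rb hunk. TLS trust configuration copied between callers tends to drift the next time one copy is edited. Consider moving the `clear_cert_store` / `set_default_paths` pair into one shared helper under modules/wmflib/lib/hiera/ that both constructors call, so a later change to the trust policy lands in a single place.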
[MediaWiki-commits] [Gerrit] operations/puppet[production]: ruby-httpclient callers: Use the operating system's certific...
Alex Monk has uploaded a new change for review. https://gerrit.wikimedia.org/r/311048 Change subject: ruby-httpclient callers: Use the operating system's certificate store .. ruby-httpclient callers: Use the operating system's certificate store Rather than ruby-httpclient's cacert.p7s which doesn't even have the root used to sign Let's Encrypt CAs (DST Root CA X3). Bug: T145808 Change-Id: I310dd4040639cc56d2b7d49c48b86321ecbb220c --- M modules/wmflib/lib/hiera/httpcache.rb M modules/wmflib/lib/hiera/mwcache.rb 2 files changed, 12 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/48/311048/1 diff --git a/modules/wmflib/lib/hiera/httpcache.rb b/modules/wmflib/lib/hiera/httpcache.rb index 70a65f8..270c449 100644 --- a/modules/wmflib/lib/hiera/httpcache.rb +++ b/modules/wmflib/lib/hiera/httpcache.rb @@ -8,6 +8,12 @@ config = Config[:httpyaml] @url_prefix = config[:url_prefix] @http = HTTPClient.new(:agent_name => 'HieraHttpCache/0.1') + + # Use the operating system's certificate store, not ruby-httpclient's cacert.p7s which doesn't + # even have the root used to sign Let's Encrypt CAs (DST Root CA X3) + @http.ssl_config.clear_cert_store + @http.ssl_config.set_default_paths + @stat_ttl = config[:cache_ttl] || 60 if defined? @http.ssl_config.ssl_version @http.ssl_config.ssl_version = 'TLSv1' diff --git a/modules/wmflib/lib/hiera/mwcache.rb b/modules/wmflib/lib/hiera/mwcache.rb index 94d4b1b..7826806 100644 --- a/modules/wmflib/lib/hiera/mwcache.rb +++ b/modules/wmflib/lib/hiera/mwcache.rb 
@@ -12,6 +12,12 @@ @httphost = config[:host] || 'https://wikitech.wikimedia.org' @endpoint = config[:endpoint] || '/w/api.php' @http = HTTPClient.new(:agent_name => 'HieraMwCache/0.1') + + # Use the operating system's certificate store, not ruby-httpclient's cacert.p7s which doesn't + # even have the root used to sign Let's Encrypt CAs (DST Root CA X3) + @http.ssl_config.clear_cert_store + @http.ssl_config.set_default_paths + @stat_ttl = config[:cache_ttl] || 60 if defined? @http.ssl_config.ssl_version @http.ssl_config.ssl_version = 'TLSv1' -- To view, visit https://gerrit.wikimedia.org/r/311048 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I310dd4040639cc56d2b7d49c48b86321ecbb220c Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Alex Monk ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
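Review bot: After `clear_cert_store` in the httpcache.rb hunk, the client's only trust anchors are whatever `set_default_paths` finds in OpenSSL's default certificate locations, and neither the hunk nor the commit message says what guarantees that store is populated on the hosts that run Hiera. With an empty or missing store, every HTTPS lookup from this backend fails certificate verification. Name the dependency in the comment (the system CA bundle must be installed), and if the Puppet tree does not already ensure that package on these hosts, declare it alongside this change.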
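Review bot: In the mwcache.rb hunk the new trust-store lines sit directly above the context line `@http.ssl_config.ssl_version = 'TLSv1'`, so after this change the client validates against the OS store but stays pinned to TLS 1.0 for the connection to the configured host. The pin is not something this change touches, but since the change is about making HTTPS to these endpoints work correctly, a follow-up should drop the pin or raise it to a current protocol version, or at least add a comment recording why it is there.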