[MediaWiki-commits] [Gerrit] operations/puppet[production]: ruby-httpclient callers: Use the operating system's certific...

2017-01-11 Thread Alexandros Kosiaris (Code Review)
Alexandros Kosiaris has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/311048 )

Change subject: ruby-httpclient callers: Use the operating system's certificate store
..


ruby-httpclient callers: Use the operating system's certificate store

Rather than ruby-httpclient's cacert.p7s which doesn't even have the root used
to sign Let's Encrypt CAs (DST Root CA X3).

Bug: T145808
Bug: T154913
Change-Id: I310dd4040639cc56d2b7d49c48b86321ecbb220c
---
M modules/wmflib/lib/hiera/httpcache.rb
M modules/wmflib/lib/hiera/mwcache.rb
2 files changed, 12 insertions(+), 0 deletions(-)

Approvals:
  Alexandros Kosiaris: Verified; Looks good to me, approved



diff --git a/modules/wmflib/lib/hiera/httpcache.rb 
b/modules/wmflib/lib/hiera/httpcache.rb
index 70a65f8..270c449 100644
--- a/modules/wmflib/lib/hiera/httpcache.rb
+++ b/modules/wmflib/lib/hiera/httpcache.rb
@@ -8,6 +8,12 @@
   config = Config[:httpyaml]
   @url_prefix = config[:url_prefix]
   @http = HTTPClient.new(:agent_name => 'HieraHttpCache/0.1')
+
+  # Use the operating system's certificate store, not ruby-httpclient's 
cacert.p7s which doesn't
+  # even have the root used to sign Let's Encrypt CAs (DST Root CA X3)
+  @http.ssl_config.clear_cert_store
+  @http.ssl_config.set_default_paths
+
   @stat_ttl = config[:cache_ttl] || 60
   if defined? @http.ssl_config.ssl_version
 @http.ssl_config.ssl_version = 'TLSv1'
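
Review bot: after `@http.ssl_config.clear_cert_store`, the call to `set_default_paths` becomes the only source of trust anchors for this backend, so on a host whose system CA bundle is missing or empty every HTTPS fetch will fail certificate verification, and nothing in these lines makes that failure easy to diagnose. Consider declaring the dependency on the system CA package wherever this backend is deployed, or logging that the system store is in use when a verification error is raised, so a broken bundle can be identified from the Hiera log.
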
diff --git a/modules/wmflib/lib/hiera/mwcache.rb 
b/modules/wmflib/lib/hiera/mwcache.rb
index 94d4b1b..7826806 100644
--- a/modules/wmflib/lib/hiera/mwcache.rb
+++ b/modules/wmflib/lib/hiera/mwcache.rb
@@ -12,6 +12,12 @@
   @httphost = config[:host] || 'https://wikitech.wikimedia.org'
   @endpoint = config[:endpoint] || '/w/api.php'
   @http = HTTPClient.new(:agent_name => 'HieraMwCache/0.1')
+
+  # Use the operating system's certificate store, not ruby-httpclient's 
cacert.p7s which doesn't
+  # even have the root used to sign Let's Encrypt CAs (DST Root CA X3)
+  @http.ssl_config.clear_cert_store
+  @http.ssl_config.set_default_paths
+
   @stat_ttl = config[:cache_ttl] || 60
   if defined? @http.ssl_config.ssl_version
 @http.ssl_config.ssl_version = 'TLSv1'
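
Review bot: the six lines added after `HTTPClient.new(:agent_name => 'HieraMwCache/0.1')` are identical to the ones added to httpcache.rb in this same change, so the trust-store policy now lives in two places that can drift apart. Suggest moving `clear_cert_store` plus `set_default_paths` into one shared helper that both backends call right after constructing the client, and keeping the explanatory comment there.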

-- 
To view, visit https://gerrit.wikimedia.org/r/311048
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I310dd4040639cc56d2b7d49c48b86321ecbb220c
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alex Monk 
Gerrit-Reviewer: Alexandros Kosiaris 
Gerrit-Reviewer: BBlack 
Gerrit-Reviewer: Giuseppe Lavagetto 
Gerrit-Reviewer: Yuvipanda 
Gerrit-Reviewer: jenkins-bot <>

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] operations/puppet[production]: ruby-httpclient callers: Use the operating system's certific...

2016-09-15 Thread Alex Monk (Code Review)
Alex Monk has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/311048

Change subject: ruby-httpclient callers: Use the operating system's certificate store
..

ruby-httpclient callers: Use the operating system's certificate store

Rather than ruby-httpclient's cacert.p7s which doesn't even have the root used
to sign Let's Encrypt CAs (DST Root CA X3).

Bug: T145808
Change-Id: I310dd4040639cc56d2b7d49c48b86321ecbb220c
---
M modules/wmflib/lib/hiera/httpcache.rb
M modules/wmflib/lib/hiera/mwcache.rb
2 files changed, 12 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/48/311048/1

diff --git a/modules/wmflib/lib/hiera/httpcache.rb 
b/modules/wmflib/lib/hiera/httpcache.rb
index 70a65f8..270c449 100644
--- a/modules/wmflib/lib/hiera/httpcache.rb
+++ b/modules/wmflib/lib/hiera/httpcache.rb
@@ -8,6 +8,12 @@
   config = Config[:httpyaml]
   @url_prefix = config[:url_prefix]
   @http = HTTPClient.new(:agent_name => 'HieraHttpCache/0.1')
+
+  # Use the operating system's certificate store, not ruby-httpclient's 
cacert.p7s which doesn't
+  # even have the root used to sign Let's Encrypt CAs (DST Root CA X3)
+  @http.ssl_config.clear_cert_store
+  @http.ssl_config.set_default_paths
+
   @stat_ttl = config[:cache_ttl] || 60
   if defined? @http.ssl_config.ssl_version
 @http.ssl_config.ssl_version = 'TLSv1'
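
Review bot: the trailing context of this hunk still sets `@http.ssl_config.ssl_version = 'TLSv1'`, which pins the client to TLS 1.0 on the same connections whose trust anchors are being corrected here. Since the change already touches `ssl_config`, it is worth either dropping the pin so the client negotiates the highest version both sides support, or raising it in a follow-up change and saying so in the commit message.
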
diff --git a/modules/wmflib/lib/hiera/mwcache.rb 
b/modules/wmflib/lib/hiera/mwcache.rb
index 94d4b1b..7826806 100644
--- a/modules/wmflib/lib/hiera/mwcache.rb
+++ b/modules/wmflib/lib/hiera/mwcache.rb
@@ -12,6 +12,12 @@
   @httphost = config[:host] || 'https://wikitech.wikimedia.org'
   @endpoint = config[:endpoint] || '/w/api.php'
   @http = HTTPClient.new(:agent_name => 'HieraMwCache/0.1')
+
+  # Use the operating system's certificate store, not ruby-httpclient's 
cacert.p7s which doesn't
+  # even have the root used to sign Let's Encrypt CAs (DST Root CA X3)
+  @http.ssl_config.clear_cert_store
+  @http.ssl_config.set_default_paths
+
   @stat_ttl = config[:cache_ttl] || 60
   if defined? @http.ssl_config.ssl_version
 @http.ssl_config.ssl_version = 'TLSv1'
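
Review bot: the added comment justifies the switch by naming one missing root (DST Root CA X3), which will read as stale once that root stops being the relevant one. Suggest wording the comment around the lasting reason, for example that this client should trust whatever the operating system's certificate store trusts, and leaving the specific root to the commit message and the linked bug.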


Gerrit-MessageType: newchange
Gerrit-Change-Id: I310dd4040639cc56d2b7d49c48b86321ecbb220c
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alex Monk 
