Hi Rick, I am back on-line,
BTW, I read your WSL-thread. What works for you guys is fine with me. So let's tackle this one:
Good that NTP worked - for the record, chronyd is used nowadays but NTP is still available to easily eliminate the eventual clock error on Ubuntu 18.04 LTS command line utility of Canonical for Microsoft. There is no timing daemon that I could find and the NTP is a quick way to jump over the local CPU HW emulated by the Windows WSL.
Originally Posted by rgleason
For some reason gem is not authorized to download data from rubygems.org.
So this appears to be a certificate problem I think.
We came to the same conclusion. But maybe we are wrong, the verification script you executed tells you if you have an invalid certificate, according to a few examples I have found. For us, it does not tell that, just a timeout.
Originally Posted by rgleason
I am going to reboot now.
That may help if it is a Windows issue (disabling the firewall, etc.).
Let's see what I get on my fresh installation with the SSL analysis script:
petri@macchina:~$ ruby -ropen-uri -e 'eval open("https://git.io/vQhWq").read'
Here's your Ruby and OpenSSL environment:
Ruby: 2.6.3p62 (2019-04-16 revision 67580) [x86_64-linux]
Compiled with: OpenSSL 1.1.1b 26 Feb 2019
Loaded version: OpenSSL 1.1.1 11 Sep 2018
With that out of the way, let's see if you can connect to rubygems.org...
Bundler connection to rubygems.org: success ✅
RubyGems connection to rubygems.org: success ✅
Ruby net/http connection to rubygems.org: success ✅
Hooray! This Ruby can connect to rubygems.org. You are all set to use Bundler and RubyGems. 👌
(eval):136: warning: constant OpenSSL::SSL::SSLContext::METHODS is deprecated
ls -l /usr/lib/ssl
lrwxrwxrwx 1 root root 14 Apr 25 2018 certs -> /etc/ssl/certs
drwxr-xr-x 1 root root 512 May 21 16:40 misc
lrwxrwxrwx 1 root root 20 Dec 5 2018 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root 16 Apr 25 2018 private -> /etc/ssl/private
is too big to be listed here.
Note that there is no /usr/lib/ssl/cert.pem file or a symbolic link to it but that does not seem to prevent the connection for me. But let's check the certificate the Ruby .org-site seems to use:
ls -l /etc/ssl/certs | grep GlobalSign_Root_CA.crt
lrwxrwxrwx 1 root root 57 May 21 16:39 GlobalSign_Root_CA.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt
ls -l /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt
-rw-r--r-- 1 root root 1261 Apr 10 2018 /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt
Is that root certificate still valid?
openssl x509 -noout -in /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt -dates
notBefore=Sep 1 12:00:00 1998 GMT
notAfter=Jan 28 12:00:00 2028 GMT
What is our OpenSSL version?
OpenSSL 1.1.0g 2 Nov 2017 (Library: OpenSSL 1.1.1 11 Sep 2018)
What TLS versions does the Ruby installation support?
ruby -ropenssl -e "puts OpenSSL::SSL::SSLContext::METHODS.grep(/.+\d$/).sort"
-e:1: warning: constant OpenSSL::SSL::SSLContext::METHODS is deprecated
So, it will be TLS v1.2 for us.
Let's try to connect to the server without Ruby and check a bit about those certificates in a working system:
openssl s_client -connect rubygems.org:443 -tls1_2
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
depth=0 C = US, ST = California, L = San Francisco, O = "Fastly, Inc.", CN = l.ssl.fastly.net
0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=l.ssl.fastly.net
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
<snipping out a big chunk, continue:>
subject=/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=l.ssl.fastly.net
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
SSL handshake has read 5498 bytes and written 287 bytes
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1561406116
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
(leave with Ctrl+C)
You may want to scroll down to appreciate the line (ok) I've marked with green color.
Ok, let's stop here. If this works then... we need to find something else!
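
Added example (not part of the original post): the post checks the clock, the root certificate's validity dates and the "Verify return code" line separately, and this Ruby sketch shows how those three interact by verifying one certificate against a trust store with the clock set correctly, set behind, set ahead, and with the root missing. The CA, the leaf certificate, their names and all dates are constructed for the demonstration and are not the rubygems.org chain.

```ruby
require "openssl"

# Build one certificate of a throwaway test PKI (constructed; not real rubygems.org material).
def make_cert(cn, key, issuer, issuer_key, from, to, ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3
  cert.serial     = ca ? 1 : 2
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = from
  cert.not_after  = to
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Verify `leaf` against the trusted `roots` as if the local clock read `clock`.
# Returns [code, text]; the code is what s_client prints as "Verify return code".
def verify_at(leaf, roots, clock)
  store = OpenSSL::X509::Store.new
  roots.each { |c| store.add_cert(c) }
  store.time = clock                        # simulate the machine's (possibly wrong) clock
  store.verify(leaf)
  [store.error, store.error_string]
end

# Run the four cases: good clock, clock behind, clock ahead, root not in the store.
def demo
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert("Example Test Root", ca_key, nil, ca_key,
                   Time.utc(2018, 6, 1), Time.utc(2028, 6, 1), true)
  leaf = make_cert("gems.example.test", leaf_key, root, ca_key,
                   Time.utc(2019, 6, 1), Time.utc(2020, 6, 1), false)
  {
    clock_correct: verify_at(leaf, [root], Time.utc(2019, 6, 24)),
    clock_behind:  verify_at(leaf, [root], Time.utc(2017, 1, 1)),
    clock_ahead:   verify_at(leaf, [root], Time.utc(2030, 1, 1)),
    root_missing:  verify_at(leaf, [],     Time.utc(2019, 6, 24)),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (code, text)| puts format("%-14s %2d (%s)", name, code, text) }
end
```

A wrong clock and a missing root each produce their own verify code, so a run that ends in a plain timeout with no verify error at all points away from the certificate store and towards the network path.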