certificate verify failed (self signed certificate in certificate chain) (OpenSSL::SSL::SSLError)

[daveomcd]

I'm trying to run chromedriver-update but I get the following error. Anything I could try to correct this? I was able to install chromedriver manually because they allowed an option for passing the following argument --no-certificate-check

Also not sure if it is relevant, but I'm working within Windows' WSL Ubuntu.

daveomcd@mcdonald-PC9020:~/rails_projects/sample$ chromedriver-update
Traceback (most recent call last):
        19: from /home/daveomcd/.rvm/gems/ruby-2.5.1/bin/ruby_executable_hooks:15:in `<main>'
        18: from /home/daveomcd/.rvm/gems/ruby-2.5.1/bin/ruby_executable_hooks:15:in `eval'
        17: from /home/daveomcd/.rvm/gems/ruby-2.5.1/bin/chromedriver-update:23:in `<main>'
        16: from /home/daveomcd/.rvm/gems/ruby-2.5.1/bin/chromedriver-update:23:in `load'
        15: from /home/daveomcd/.rvm/gems/ruby-2.5.1/gems/chromedriver-helper-2.1.0/bin/chromedriver-update:5:in `<top (required)>'
        14: from /home/daveomcd/.rvm/gems/ruby-2.5.1/gems/chromedriver-helper-2.1.0/lib/chromedriver/helper.rb:42:in `update'
        13: from /home/daveomcd/.rvm/gems/ruby-2.5.1/gems/chromedriver-helper-2.1.0/lib/chromedriver/helper.rb:63:in `google_code_parser'
        12: from /home/daveomcd/.rvm/gems/ruby-2.5.1/gems/chromedriver-helper-2.1.0/lib/chromedriver/helper.rb:63:in `new'
        11: from /home/daveomcd/.rvm/gems/ruby-2.5.1/gems/chromedriver-helper-2.1.0/lib/chromedriver/helper/google_code_parser.rb:14:in `initialize'
        10: from /home/daveomcd/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/open-uri.rb:165:in `open_uri'
         9: from /home/daveomcd/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/open-uri.rb:224:in `open_loop'
         8: from /home/daveomcd/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/open-uri.rb:224:in `catch'
         7: from /home/daveomcd/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/open-uri.rb:226:in `block in open_loop'
         6: from /home/daveomcd/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/open-uri.rb:755:in `buffer_open'
         5: from /home/daveomcd/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/open-uri.rb:337:in `open_http'
         4: from /home/daveomcd/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/net/http.rb:909:in `start'
         3: from /home/daveomcd/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/net/http.rb:920:in `do_start'
         2: from /home/daveomcd/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/net/http.rb:981:in `connect'
         1: from /home/daveomcd/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
/home/daveomcd/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) (OpenSSL::SSL::SSLError)

[flavorjones]

@daveomcd Sorry to hear you're having trouble.

You may want to check if there's a network proxy that is responding to your request from a different domain (e.g., hotel wifi often does this to force you to sign in via a webform), because I'm able to run this myself and it's fine, and the cert chain looks fine.

If you are still seeing this error, please try visiting this URL via a web browser, and let us know what results you see:

https://chromedriver.storage.googleapis.com/

[daveomcd]

@flavorjones thanks Mike for responding. This is actually happening inside my organization, however they don't really have anyone using something like OpenSSL except myself. They have seen that it does work when visiting the site through the browser as you have suggested, but still doesn't when doing chromedriver-update. I could show my cert chain but not that familiar with certificates and not sure if that's a security issue to display here or not.

[flavorjones]

@daveomcd I'd be interested if you're able to run this command from your system:

curl https://chromedriver.storage.googleapis.com/

Do you get a similar ssl cert verification problem?

[daveomcd]

@flavorjones I do not. I get the XML results; however, I do get a similar command using wget.

daveomcd@mcdonald-PC9020:~/downloads$ wget https://chromedriver.storage.googleapis.com/
--2018-10-01 10:12:33--  https://chromedriver.storage.googleapis.com/
Resolving chromedriver.storage.googleapis.com (chromedriver.storage.googleapis.com)... 172.217.7.208, 2607:f8b0:4004:801::2010
Connecting to chromedriver.storage.googleapis.com (chromedriver.storage.googleapis.com)|172.217.7.208|:443... connected.
ERROR: cannot verify chromedriver.storage.googleapis.com's certificate, issued by <Company>:
  Self-signed certificate encountered.
To connect to chromedriver.storage.googleapis.com insecurely, use `--no-check-certificate'.

I removed the company certificate string as a precaution. I can get around it by passing the --no-check-certificate

[flavorjones]

OK, just to absolutely pin down the issue, please try these two commands in irb:

require 'open-uri'
URI.parse("https://chromedriver.storage.googleapis.com/").open.read

and

require 'open-uri'
require 'openssl'
URI.parse("https://chromedriver.storage.googleapis.com/").open(:ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE).read

If the first script emits the certificate verify error, and the second doesn't, then that confirms my understanding of the underlying issue (which is that a proxy is intercepting SSL traffic with locally-signed certs).

[daveomcd]

Results

1. URI.parse("https://chromedriver.storage.googleapis.com/").open.read

2.5.1 :002 > URI.parse("https://chromedriver.storage.googleapis.com/").open.read
Traceback (most recent call last):
        1: from (irb):2
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain))

2. URI.parse("https://chromedriver.storage.googleapis.com/").open(:ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE).read

Works. Returning the XML.

So to someone that doesn't understand your hypothesis what is happening exactly? Just trying to figure out what to convey back to my IT team.

[flavorjones]

I won't comment on what's going on or why, but will point you at a link to a similar question that might help you frame this for IT:

https://it.slashdot.org/story/14/03/05/1724237/ask-slashdot-does-your-employer-perform-https-mitm-attacks-on-employees

I think we can work around this, just need a bit of time to look into it.

[daveomcd]

@flavorjones Much appreciated, I'll look forward to the work-around thanks.

[flavorjones]

I'm going to close this issue, as the gem is being deprecated in favor of webdrivers, see #83.