[#2328] Make httpclient use system certs

Force httpclient to use the default system cacert configuration. Otherwise, when the cacerts bundled with httpclient expire we are prone to get validation errors in different places (for example, openid_connect gem depends on this, and we were left without login). This patch has been copied from the gitlab PR: https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/30749/diffs.
cyfronet-fid · Oct 6, 2021 · 85a0df5 · 85a0df5
1 parent 571ef01
commit 85a0df5
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 5 deletions.
diff --git a/config/application.rb b/config/application.rb
@@ -19,11 +19,6 @@ class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
     config.load_defaults 6.1
 
-    # fix ssl verify error caused by old version of the gem
-    OpenIDConnect.http_config do |config|
-      config.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
-    end
-
     # Settings in config/environments/* take precedence over those specified here.
     # Application configuration can go into files in config/initializers
     # -- all .rb files in that directory are automatically loaded after loading

diff --git a/config/initializers/httpclient_patch.rb b/config/initializers/httpclient_patch.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+# Force httpclient to use the default system cacert configuration.
+# Otherwise, when the cacerts bundled with httpclient expire we are
+# prone to get validation errors in different places (for example,
+# openid_connect gem depends on this, and we were left without login).
+# This patch has been copied from the gitlab PR:
+# https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/30749/diffs.
+module HTTPClient::SSLConfigDefaultPaths
+  def initialize(client)
+    super
+
+    set_default_paths
+  end
+end
+
+HTTPClient::SSLConfig.prepend HTTPClient::SSLConfigDefaultPaths