RubyGems - ufo - Versions diffs - 4.5.7 → 4.5.8 - Mend

ufo 4.5.7 → 4.5.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +5 -0
data/docs/_docs/ssl_errors.md +41 -0
data/docs/_includes/subnav.html +1 -1
data/docs/utils/ssl-doctor.rb +89 -0
data/docs/utils/test-aws-api-access.rb +11 -0
data/docs/utils/update-cert-chains.sh +11 -0
data/lib/template/.ufo/settings/cfn/default.yml.tt +1 -1
data/lib/ufo/cancel.rb +1 -1
data/lib/ufo/version.rb +1 -1
metadata +6 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 02b5707613ba8dc21865348e023da39ee0896c494899960a153ddf4e960c0a35
-  data.tar.gz: 63abc4de7f146c394023d2019584add57f1cc744e4e556c5fb8216926b835067
+  metadata.gz: 77c464a6ac76c7f5178cac5a8e7f03b55567fdc0878958a55d4855c3b04e956b
+  data.tar.gz: 7ff44130767630f6f6cd889cb1ba878585e1913dde1ecca1b61cbf4b4899d100
 SHA512:
-  metadata.gz: f250009b0c41d6c566adefeae7682f895e614d22f87e76d3819263f587bc3876b758c4b87376adadb1d9a6bae68ed7543b9dcdcc116e4e1a8eeed0683f7276c6
-  data.tar.gz: dc4a6d8248230337ef5a3fafb6e99d37cb10716cde584c830106f844a98b8c7c2ba2e6719b0b425fd3c0dff52e8347d1e17f7c0a92793ee59957248e7f6e6e77
+  metadata.gz: b445b6971da33ee4f7cf4e25eb099bdd314fcaa0616fd7acce582e19ddf6cc08656d861d6b5b7d08541444a3273fbdd54ce51a4397bc4656ddee9b99ecd2ccbd
+  data.tar.gz: 9e9beaf6fd336e4d6e457f2641985bfe011f38fae8ff51715e36e56b7bc1e45a0a6e3f0af380034d2f23a235fbf4090e7cdb028dba92477c7d91dd196537328b

data/CHANGELOG.md CHANGED

@@ -3,6 +3,11 @@
 All notable changes to this project will be documented in this file.
 This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
+## [4.5.8]
+- #91 added helper scripts to dianose and resolve the SSL issues - added docs to help explain and save the user time and research
+- improve cancel command
+- update /up check starter example
 ## [4.5.7]
 - #88 update starter variables template with += example

data/docs/_docs/ssl_errors.md ADDED

@@ -0,0 +1,41 @@
+---
+Title: SSL Errors
+# nav_order:
+---
+UFO uses the AWS Ruby SDK and the underlying default SSL certificate chain configured in your active Ruby and
+OpenSSL to communicate to your AWS environment. This means that you _must correctly configure_ your Ruby and OpenSSL to have all the needed ROOT certificates for UFO to be able to communicate to AWS - _especially_ if you are behind a proxy or a corporate SSL-Proxy.
+If you are behind a corporate SSL proxy and you have not updated system, OpenSSL and Ruby certificate chains to include the needed corporate root certificates, you will see errors, such as:
+```
+Seahorse::Client::NetworkingError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/protocol.rb:44:in `connect_nonblock'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/protocol.rb:44:in `ssl_socket_connect'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:996:in `connect'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:930:in `do_start'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:925:in `start'
+```
+## Helper Scripts
+The `docs/utils` directory has a few scripts that should be able to help you resolve these issues and track down which certs are giving you problems.
+- `ssl-doctor.rb` is from the very useful examples at <https://github.com/mislav/ssl-tools>, and it can help you find the missing ROOT cert in your certificate chain and give suggestion on getting OpenSSL working correctly.
+- `update-cert-chains.sh` will help you update your Ruby and OpenSSL chains by adding in the missing ROOT cert and also pulling in the OSX System Root to your rbenv environment.
+- `test-aws-api-access.rb` should now return a list of the S3 buckets for the current AWS profile that is active.
+## Trouble-shooting
+### Update Brew and OpenSSL
+- `brew update`
+- `brew upgrade openssl`
+### Use the Helper Scripts to find the trouble spot
+Once you have updated OpenSSL and your `brew` packages, use the helper scripts above to see if you can track down the missing certificate in your certificate chain.
+The `update-cert-chain.sh` file was created using the suggestions from <https://gemfury.com/help/could-not-verify-ssl-certificate/>. Please review the information at <https://gemfury.com/help/could-not-verify-ssl-certificate/> if the `Helper Scripts` above do not fully resolve your issue.
+The `test-aws-api-access.rb` uses examples from the <https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/quick-start-guide.html> for using and configuring the Ruby AWS SDK on your system.

data/docs/_includes/subnav.html CHANGED

@@ -58,7 +58,7 @@
                 <li><a href="{% link _docs/more/why-cloudformation.md %}">Why CloudFormation</a></li>
                 <li><a href="{% link _docs/more/customize-cloudformation.md %}">Customize CloudFormation</a></li>
                 <li><a href="{% link _docs/more/stuck-cloudformation.md %}">Stuck CloudFormation</a></li>
-                <li><a href="{% link _docs/more/run-in-pieces.md %}">Run In Pieces</a></li>
+                <li><a href="{% link _docs/more/run-in-pieces.md %}">Run In Steps</a></li>
                 <li><a href="{% link _docs/more/single-task.md %}">Run Single Task</a></li>
                 <li><a href="{% link _docs/more/migrations.md %}">Database Migrations</a></li>
                 <li><a href="{% link _docs/more/automated-cleanup.md %}">Automated Cleanup</a></li>

data/docs/utils/ssl-doctor.rb ADDED

@@ -0,0 +1,89 @@
+# Usage: ruby doctor.rb [HOST=status.github.com[:PORT=443]]
+# see: https://github.com/mislav/ssl-tools
+require 'rbconfig'
+require 'net/https'
+if ARGV[0] =~ /^[^-]/
+  host, port = ARGV[0].split(':', 2)
+else
+  host = 'status.github.com'
+end
+port ||= 443
+ruby = File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name'])
+ruby_version = RUBY_VERSION
+if patch = RbConfig::CONFIG['PATCHLEVEL']
+  ruby_version += "-p#{patch}"
+end
+puts "%s (%s)" % [ruby, ruby_version]
+openssl_dir = OpenSSL::X509::DEFAULT_CERT_AREA
+mac_openssl = '/System/Library/OpenSSL' == openssl_dir
+puts "%s: %s" % [OpenSSL::OPENSSL_VERSION, openssl_dir]
+[OpenSSL::X509::DEFAULT_CERT_DIR_ENV, OpenSSL::X509::DEFAULT_CERT_FILE_ENV].each do |key|
+  puts "%s=%s" % [key, ENV[key].to_s.inspect]
+end
+ca_file = ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
+ca_path = (ENV[OpenSSL::X509::DEFAULT_CERT_DIR_ENV] || OpenSSL::X509::DEFAULT_CERT_DIR).chomp('/')
+puts "\nHEAD https://#{host}:#{port}"
+http = Net::HTTP.new(host, port)
+http.use_ssl = true
+# Explicitly setting cert_store like this is not needed in most cases but it
+# seems necessary in edge cases such as when using `verify_callback` in some
+# combination of Ruby + OpenSSL versions.
+http.cert_store = OpenSSL::X509::Store.new
+http.cert_store.set_default_paths
+http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+failed_cert = failed_cert_reason = nil
+if mac_openssl
+  warn "warning: will not be able show failed certificate info on OS X's OpenSSL"
+  # This drives me absolutely nuts. It seems that on Rubies compiled against OS X's
+  # system OpenSSL, the mere fact of defining a `verify_callback` makes the
+  # cert verification fail for requests that would otherwise be successful.
+else
+  http.verify_callback = lambda { |verify_ok, store_context|
+    if !verify_ok
+      failed_cert = store_context.current_cert
+      failed_cert_reason = "%d: %s" % [ store_context.error, store_context.error_string ]
+    end
+    verify_ok
+  }
+end
+user_agent = "net/http #{ruby_version}"
+req = Net::HTTP::Head.new('/', 'user-agent' => user_agent)
+begin
+  res = http.start { http.request(req) }
+  abort res.inspect if res.code.to_i >= 500
+  puts "OK"
+rescue Errno::ECONNREFUSED
+  puts "Error: connection refused"
+  exit 1
+rescue OpenSSL::SSL::SSLError => e
+  puts "#{e.class}: #{e.message}"
+  if failed_cert
+    puts "\nThe server presented a certificate that could not be verified:"
+    puts "  subject: #{failed_cert.subject}"
+    puts "  issuer: #{failed_cert.issuer}"
+    puts "  error code %s" % failed_cert_reason
+  end
+  ca_file_missing = !File.exist?(ca_file) && !mac_openssl
+  ca_path_empty = Dir["#{ca_path}/*"].empty?
+  if ca_file_missing || ca_path_empty
+    puts "\nPossible causes:"
+    puts "  `%s' does not exist" % ca_file if ca_file_missing
+    puts "  `%s/' is empty" % ca_path if ca_path_empty
+  end
+  exit 1
+end

data/docs/utils/test-aws-api-access.rb ADDED

@@ -0,0 +1,11 @@
+# usage 'ruby s3-cert-chain-test.rb'
+# see: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/quick-start-guide.html
+require 'aws-sdk-s3' # v2: require 'aws-sdk'
+#Aws.use_bundled_cert!
+s3 = Aws::S3::Resource.new(region: 'us-east-1')
+s3.buckets.limit(50).each do |b|
+  puts "#{b.name}"
+end

data/docs/utils/update-cert-chains.sh ADDED

@@ -0,0 +1,11 @@
+#!/bin/bash
+cert_file=$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE' 2>/dev/null)
+echo 'What is the uri to your organizations root certificate chain?'
+read -p 'org_root_chain: ' org_root_chain
+echo "$org_root_chain"
+curl "$org_root_chain" -o org_chain.txt
+cat org_chain.txt >> "$cert_file"
+mkdir -p "${cert_file%/*}"
+security find-certificate -a -p /Library/Keychains/System.keychain > "$cert_file"
+security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> "$cert_file"

data/lib/template/.ufo/settings/cfn/default.yml.tt CHANGED

@@ -18,7 +18,7 @@ target_group:
                   #   network elb: TCP
                   # so we can keep this commented out, unless we need HTTPS at the app level
   # Health check settings are supported by application load balancer only:
-  # health_check_path: /upcheck
+  # health_check_path: /up # health check
   health_check_interval_seconds: 10 # default: 30. Network ELB can only take 10 or 30
   healthy_threshold_count: 2
   unhealthy_threshold_count: 2 # default: 10

data/lib/ufo/cancel.rb CHANGED

@@ -12,7 +12,7 @@ module Ufo
       if stack.stack_status == "CREATE_IN_PROGRESS"
         cloudformation.delete_stack(stack_name: @stack_name)
         puts "Canceling stack creation."
-      elsif stack.stack_status =~ /_IN_PROGRESS$/
+      elsif stack.stack_status == "UPDATE_IN_PROGRESS"
         cloudformation.cancel_update_stack(stack_name: @stack_name)
         puts "Canceling stack update."
       else

data/lib/ufo/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Ufo
-  VERSION = "4.5.7"
+  VERSION = "4.5.8"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ufo
 version: !ruby/object:Gem::Version
-  version: 4.5.7
+  version: 4.5.8
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-09-27 00:00:00.000000000 Z
+date: 2019-10-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-cloudformation
@@ -333,6 +333,7 @@ files:
 - docs/_docs/settings/cfn.md
 - docs/_docs/settings/cluster.md
 - docs/_docs/settings/network.md
+- docs/_docs/ssl_errors.md
 - docs/_docs/structure.md
 - docs/_docs/tutorial-ufo-docker-build.md
 - docs/_docs/tutorial-ufo-init.md
@@ -459,6 +460,9 @@ files:
 - docs/quick-start.md
 - docs/reference.md
 - docs/style.css
+- docs/utils/ssl-doctor.rb
+- docs/utils/test-aws-api-access.rb
+- docs/utils/update-cert-chains.sh
 - exe/ufo
 - lib/cfn/stack.yml
 - lib/template/.env