ufo 4.5.7 → 4.5.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 02b5707613ba8dc21865348e023da39ee0896c494899960a153ddf4e960c0a35
-  data.tar.gz: 63abc4de7f146c394023d2019584add57f1cc744e4e556c5fb8216926b835067
+  metadata.gz: 77c464a6ac76c7f5178cac5a8e7f03b55567fdc0878958a55d4855c3b04e956b
+  data.tar.gz: 7ff44130767630f6f6cd889cb1ba878585e1913dde1ecca1b61cbf4b4899d100
 SHA512:
-  metadata.gz: f250009b0c41d6c566adefeae7682f895e614d22f87e76d3819263f587bc3876b758c4b87376adadb1d9a6bae68ed7543b9dcdcc116e4e1a8eeed0683f7276c6
-  data.tar.gz: dc4a6d8248230337ef5a3fafb6e99d37cb10716cde584c830106f844a98b8c7c2ba2e6719b0b425fd3c0dff52e8347d1e17f7c0a92793ee59957248e7f6e6e77
+  metadata.gz: b445b6971da33ee4f7cf4e25eb099bdd314fcaa0616fd7acce582e19ddf6cc08656d861d6b5b7d08541444a3273fbdd54ce51a4397bc4656ddee9b99ecd2ccbd
+  data.tar.gz: 9e9beaf6fd336e4d6e457f2641985bfe011f38fae8ff51715e36e56b7bc1e45a0a6e3f0af380034d2f23a235fbf4090e7cdb028dba92477c7d91dd196537328b

data/CHANGELOG.md

@@ -3,6 +3,11 @@
 All notable changes to this project will be documented in this file.
 This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
 
+## [4.5.8]
+- #91 added helper scripts to dianose and resolve the SSL issues - added docs to help explain and save the user time and research
+- improve cancel command
+- update /up check starter example
+
 ## [4.5.7]
 - #88 update starter variables template with += example
 

data/docs/_docs/ssl_errors.md

@@ -0,0 +1,41 @@
+---
+Title: SSL Errors
+# nav_order:
+---
+
+UFO uses the AWS Ruby SDK and the underlying default SSL certificate chain configured in your active Ruby and
+OpenSSL to communicate to your AWS environment. This means that you _must correctly configure_ your Ruby and OpenSSL to have all the needed ROOT certificates for UFO to be able to communicate to AWS - _especially_ if you are behind a proxy or a corporate SSL-Proxy.
+
+If you are behind a corporate SSL proxy and you have not updated system, OpenSSL and Ruby certificate chains to include the needed corporate root certificates, you will see errors, such as:
+
+```
+Seahorse::Client::NetworkingError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/protocol.rb:44:in `connect_nonblock'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/protocol.rb:44:in `ssl_socket_connect'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:996:in `connect'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:930:in `do_start'
+  ~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:925:in `start'
+```
+
+## Helper Scripts
+
+The `docs/utils` directory has a few scripts that should be able to help you resolve these issues and track down which certs are giving you problems.
+
+- `ssl-doctor.rb` is from the very useful examples at <https://github.com/mislav/ssl-tools>, and it can help you find the missing ROOT cert in your certificate chain and give suggestion on getting OpenSSL working correctly.
+- `update-cert-chains.sh` will help you update your Ruby and OpenSSL chains by adding in the missing ROOT cert and also pulling in the OSX System Root to your rbenv environment.
+- `test-aws-api-access.rb` should now return a list of the S3 buckets for the current AWS profile that is active.
+
+## Trouble-shooting
+
+### Update Brew and OpenSSL
+
+- `brew update`
+- `brew upgrade openssl`
+
+### Use the Helper Scripts to find the trouble spot
+
+Once you have updated OpenSSL and your `brew` packages, use the helper scripts above to see if you can track down the missing certificate in your certificate chain.
+
+The `update-cert-chain.sh` file was created using the suggestions from <https://gemfury.com/help/could-not-verify-ssl-certificate/>. Please review the information at <https://gemfury.com/help/could-not-verify-ssl-certificate/> if the `Helper Scripts` above do not fully resolve your issue.
+
+The `test-aws-api-access.rb` uses examples from the <https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/quick-start-guide.html> for using and configuring the Ruby AWS SDK on your system.

data/docs/_includes/subnav.html

@@ -58,7 +58,7 @@
                 <li><a href="{% link _docs/more/why-cloudformation.md %}">Why CloudFormation</a></li>
                 <li><a href="{% link _docs/more/customize-cloudformation.md %}">Customize CloudFormation</a></li>
                 <li><a href="{% link _docs/more/stuck-cloudformation.md %}">Stuck CloudFormation</a></li>
-                <li><a href="{% link _docs/more/run-in-pieces.md %}">Run In Pieces</a></li>
+                <li><a href="{% link _docs/more/run-in-pieces.md %}">Run In Steps</a></li>
                 <li><a href="{% link _docs/more/single-task.md %}">Run Single Task</a></li>
                 <li><a href="{% link _docs/more/migrations.md %}">Database Migrations</a></li>
                 <li><a href="{% link _docs/more/automated-cleanup.md %}">Automated Cleanup</a></li>

data/docs/utils/ssl-doctor.rb

@@ -0,0 +1,89 @@
+# Usage: ruby doctor.rb [HOST=status.github.com[:PORT=443]]
+# see: https://github.com/mislav/ssl-tools
+require 'rbconfig'
+require 'net/https'
+
+if ARGV[0] =~ /^[^-]/
+  host, port = ARGV[0].split(':', 2)
+else
+  host = 'status.github.com'
+end
+port ||= 443
+
+ruby = File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name'])
+ruby_version = RUBY_VERSION
+if patch = RbConfig::CONFIG['PATCHLEVEL']
+  ruby_version += "-p#{patch}"
+end
+puts "%s (%s)" % [ruby, ruby_version]
+
+openssl_dir = OpenSSL::X509::DEFAULT_CERT_AREA
+mac_openssl = '/System/Library/OpenSSL' == openssl_dir
+puts "%s: %s" % [OpenSSL::OPENSSL_VERSION, openssl_dir]
+[OpenSSL::X509::DEFAULT_CERT_DIR_ENV, OpenSSL::X509::DEFAULT_CERT_FILE_ENV].each do |key|
+  puts "%s=%s" % [key, ENV[key].to_s.inspect]
+end
+
+ca_file = ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
+ca_path = (ENV[OpenSSL::X509::DEFAULT_CERT_DIR_ENV] || OpenSSL::X509::DEFAULT_CERT_DIR).chomp('/')
+
+puts "\nHEAD https://#{host}:#{port}"
+http = Net::HTTP.new(host, port)
+http.use_ssl = true
+
+# Explicitly setting cert_store like this is not needed in most cases but it
+# seems necessary in edge cases such as when using `verify_callback` in some
+# combination of Ruby + OpenSSL versions.
+http.cert_store = OpenSSL::X509::Store.new
+http.cert_store.set_default_paths
+
+http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+failed_cert = failed_cert_reason = nil
+
+if mac_openssl
+  warn "warning: will not be able show failed certificate info on OS X's OpenSSL"
+  # This drives me absolutely nuts. It seems that on Rubies compiled against OS X's
+  # system OpenSSL, the mere fact of defining a `verify_callback` makes the
+  # cert verification fail for requests that would otherwise be successful.
+else
+  http.verify_callback = lambda { |verify_ok, store_context|
+    if !verify_ok
+      failed_cert = store_context.current_cert
+      failed_cert_reason = "%d: %s" % [ store_context.error, store_context.error_string ]
+    end
+    verify_ok
+  }
+end
+
+user_agent = "net/http #{ruby_version}"
+req = Net::HTTP::Head.new('/', 'user-agent' => user_agent)
+
+begin
+  res = http.start { http.request(req) }
+  abort res.inspect if res.code.to_i >= 500
+  puts "OK"
+rescue Errno::ECONNREFUSED
+  puts "Error: connection refused"
+  exit 1
+rescue OpenSSL::SSL::SSLError => e
+  puts "#{e.class}: #{e.message}"
+
+  if failed_cert
+    puts "\nThe server presented a certificate that could not be verified:"
+    puts "  subject: #{failed_cert.subject}"
+    puts "  issuer: #{failed_cert.issuer}"
+    puts "  error code %s" % failed_cert_reason
+  end
+
+  ca_file_missing = !File.exist?(ca_file) && !mac_openssl
+  ca_path_empty = Dir["#{ca_path}/*"].empty?
+
+  if ca_file_missing || ca_path_empty
+    puts "\nPossible causes:"
+    puts "  `%s' does not exist" % ca_file if ca_file_missing
+    puts "  `%s/' is empty" % ca_path if ca_path_empty
+  end
+
+  exit 1
+end
+

data/docs/utils/test-aws-api-access.rb

@@ -0,0 +1,11 @@
+# usage 'ruby s3-cert-chain-test.rb'
+# see: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/quick-start-guide.html
+
+require 'aws-sdk-s3' # v2: require 'aws-sdk'
+#Aws.use_bundled_cert!
+
+s3 = Aws::S3::Resource.new(region: 'us-east-1')
+
+s3.buckets.limit(50).each do |b|
+  puts "#{b.name}"
+end

data/docs/utils/update-cert-chains.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cert_file=$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE' 2>/dev/null)
+echo 'What is the uri to your organizations root certificate chain?'
+read -p 'org_root_chain: ' org_root_chain
+echo "$org_root_chain"
+curl "$org_root_chain" -o org_chain.txt
+cat org_chain.txt >> "$cert_file"
+mkdir -p "${cert_file%/*}"
+security find-certificate -a -p /Library/Keychains/System.keychain > "$cert_file"
+security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> "$cert_file"

data/lib/template/.ufo/settings/cfn/default.yml.tt

@@ -18,7 +18,7 @@ target_group:
                   #   network elb: TCP
                   # so we can keep this commented out, unless we need HTTPS at the app level
   # Health check settings are supported by application load balancer only:
-  # health_check_path: /upcheck
+  # health_check_path: /up # health check
   health_check_interval_seconds: 10 # default: 30. Network ELB can only take 10 or 30
   healthy_threshold_count: 2
   unhealthy_threshold_count: 2 # default: 10

data/lib/ufo/cancel.rb

@@ -12,7 +12,7 @@ module Ufo
       if stack.stack_status == "CREATE_IN_PROGRESS"
         cloudformation.delete_stack(stack_name: @stack_name)
         puts "Canceling stack creation."
-      elsif stack.stack_status =~ /_IN_PROGRESS$/
+      elsif stack.stack_status == "UPDATE_IN_PROGRESS"
         cloudformation.cancel_update_stack(stack_name: @stack_name)
         puts "Canceling stack update."
       else

data/lib/ufo/version.rb

@@ -1,3 +1,3 @@
 module Ufo
-  VERSION = "4.5.7"
+  VERSION = "4.5.8"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ufo
 version: !ruby/object:Gem::Version
-  version: 4.5.7
+  version: 4.5.8
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-09-27 00:00:00.000000000 Z
+date: 2019-10-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-cloudformation
@@ -333,6 +333,7 @@ files:
 - docs/_docs/settings/cfn.md
 - docs/_docs/settings/cluster.md
 - docs/_docs/settings/network.md
+- docs/_docs/ssl_errors.md
 - docs/_docs/structure.md
 - docs/_docs/tutorial-ufo-docker-build.md
 - docs/_docs/tutorial-ufo-init.md
@@ -459,6 +460,9 @@ files:
 - docs/quick-start.md
 - docs/reference.md
 - docs/style.css
+- docs/utils/ssl-doctor.rb
+- docs/utils/test-aws-api-access.rb
+- docs/utils/update-cert-chains.sh
 - exe/ufo
 - lib/cfn/stack.yml
 - lib/template/.env