<jgnagy>
I've been working on a web service using Sinatra and been really happy with the performance of jruby (as usual) and really like delivering WAR files using warbler as artifacts from my CI jobs
<jgnagy>
but I've broken parts of the app into gems that, at least until I can get approval to open source, I've been hosting on Nexus (artifact repository) since it makes making a gem host really easy (plus it has other niceties)
<jgnagy>
and I've got Nexus behind Apache + SSL with a *.domain.tld cert
<jgnagy>
the cert is valid and works great
<jgnagy>
but bundler with jruby with this SSL cert has been a bit of a pain
<jgnagy>
lots of SNI errors that I don't get from curl / "normal" ruby
<jgnagy>
"unrecognized_name" exceptions
<jgnagy>
I've seen it with other Java apps... just usually add "-Djsse.enableSNIExtension=false" to JAVA_OPTS
<jgnagy>
didn't seem to fix it for jruby + bundler... anybody have any ideas?
<jgnagy>
sure would be nice if I could simplify that part of my CI process to `bundle install`
<headius>
jgnagy: Nexus, is that the Sonatype server?
<jgnagy>
yes
<jgnagy>
they include a rubygems option
<headius>
nice...I'd love to see a short post about how to use that
<jgnagy>
will do
<headius>
we have worked with them on it, on and off, but I've never used it myself
<jgnagy>
I'll @ mention you when I put it on my blog
<headius>
we push our gems as maven artifacts primarily, and some as real rubygems.org
<headius>
so back to your issue
<jgnagy>
yeah, it is pretty simple, and since they have an OOTB option to make a new repo that does rubygems hosting, it is a good way to go for private hosts
<headius>
is it something you can give us an easy reproduction for?
<headius>
SSL has been a big thorn mostly because we have to emulate OpenSSL atop JVM-based crypto libraries, so we're always looking for better tests
<jgnagy>
perhaps
<headius>
first thing I'd ask is whether you're on recent JDK, JRuby, and jruby-openssl
<jgnagy>
I can get the Apache config (sans identifying details)
<headius>
that would be helpful
<headius>
open an issue against jruby/jruby-openssl
<jgnagy>
JDK 1.8.0_91
<mmonkeyking>
don't suppose you guys have experience with torquebox? i'm trying to get websockets to work in my rails app and having a darn hard time getting the websocket to connect.
<headius>
ok, so very recent
<jgnagy>
jruby 9.1.2.0
<jgnagy>
and jruby-openssl is in the Gemfile for the app
<headius>
mmonkeyking: I only have demo-level experience with TB I'm afraid, but there's a #torquebox channel
<headius>
so should be pulling latest
<headius>
ok
<jgnagy>
and I tried installing it first and still no luck
<headius>
jgnagy: ^
<headius>
open an issue and show me the full errors
<jgnagy>
will do
<jgnagy>
let me get that opened and I'll drop the issue # in here
<mmonkeyking>
headius: got it, thanks. i'll see if any of the guys there can help
<jgnagy>
are you wanting me to manually add the CA cert for that server to the JDK's cacerts file?
<jgnagy>
or you'd like me to refresh the JDK's cacerts from some other source?
<jgnagy>
sorry, I fully admit I'm an idiot, and I greatly appreciate having you help with this
<jgnagy>
definitely wasn't expecting to have headius himself help with my problem
<jgnagy>
:)
<headius>
heh no problem :-)
<headius>
yeah refresh JDK's cacerts with something newer
<headius>
or I guess add the ones you need
<headius>
so the problem, I believe, is simply bad/old CA certs
<jgnagy>
that's unfortunate
<headius>
I'd like to confirm or rule that out by making sure the JDK itself has the right certs for your server
<jgnagy>
though it is still confusing that curl and openssl play so nicely with them
<headius>
if that works then it's a problem with us pulling in non-JDK certs
<headius>
right, they use a different store
<headius>
system-level
<headius>
JDK has its own for whatever reason
<jgnagy>
fair enough
<jgnagy>
but I would have thought they include the same root certs / trusts, but I guess when they number in the hundreds it might be difficult for them to always be in agreement
<jgnagy>
I'll create a keystore that includes the specific CA that issued the cert
<jgnagy>
or otherwise get it where it needs to be
<headius>
ok
<headius>
I'll update bug with this suggestion and you can update with results
<headius>
I'll be logging off IRC for the night but periodically checking bugs this evening and weekend