DigiCert Global Root certificate not trusted by default

[bnacey]

Pre issue-raising checklist

I have already (please mark the applicable with an x):

• Upgraded to the latest version of the relevant libraries
• Checked to see if the issue has already been raised
• Created an executable example that demonstrates the issue using either:
  • a Dockerfile
  • a fork of https://github.com/pact-foundation/pact-ruby-standalone-e2e-example
  • a Git repository with a Travis or Appveyor (or similar) build
  • a gist with all the relevant code and full instructions on how to run it

Software versions

• "@pact-foundation/pact": "^9.11.0"
• OS: Mac OSX 10.15.5

Expected behaviour

Publishing pacts to a broker using a valid certificate with a DigiCert root should be trusted.

Actual behaviour

Attempting to publish to the broker results in the following error:
Failed to publish node-message-consumer/node-message-provider pact due to error: OpenSSL::SSL::SSLError - SSL_connect returned=1 errno=0 state=error: certificate verify failed One or more pacts failed to be published

Steps to reproduce

1. Create pacts using any project similar to https://github.com/pact-foundation/pact-js/tree/master/examples/messages
2. Update publish.js to point to a broker using a DigiCert root certificate
3. Attempt to publish pacts to the broker

Your bug will be fixed in our free time, so help us to help you, and make it as easy as possible for us to reproduce the issue. Issues that take longer to reproduce are less likely to be fixed quickly. Please provide a Dockerfile or git repository + build, with instructions on how to reproduce the issue.

Relevent log files

Please ensure you set logging to DEBUG and attach any relevant log files here (or link from a gist).

[bnacey]

Is there any update on this issue?

[bethesque]

We're currently in lockdown due to the pandemic (Melbourne Australia), so I am looking after 2 kids full time on the days that I'm not working, and so my time for fixing open source issues is very limited. I don't know when I will be able to look at it, I'm sorry.

[bethesque]

If you're willing to look at it yourself, I can give you some pointers. You'll need to install ruby 2.2. The command that creates the package is bundle exec rake package.

You'll find in build/traveling-ruby-20150715-2.2.2-osx/bin/ruby_environment (that's the osx location, adjust as necessary for your platform) the line echo SSL_CERT_FILE=\"$ROOT/lib/ca-bundle.crt\"

Grab that file (build/traveling-ruby-20150715-2.2.2-osx/lib/ca-bundle.crt), and using the openssl CLI tools, or text editor or whatever is needed (I've never done this so I'm unclear on the process) merge in your digicert certificate.

Git add that certificate file in the packaging directory.

In tasks/package.rake in the create_package add in an appropriate place (maybe after line 103):

sh "cp packaging/ca-bundle.crt #{package_dir}/lib/ca-bundle.crt"

Run bundle exec rake package to build the new package and test that it works, then submit a PR!