Update SSL certificates, again.

Why did openssl give me a certificate that doesn’t work to connect? :(
Also remove the intermediate certificates that aren’t actually needed to
validate a connection to the server. Finally, include tests to make sure
that Bundler can connect to each of the important Rubygems hosts using
only the vendored certificates (h/t @luislavena for an example test).

6 files changed, 70 insertions, 70 deletions

diff --git a/lib/bundler/ssl_certs/AddTrustExternalCARoot-2048.pem b/lib/bundler/ssl_certs/AddTrustExternalCARoot-2048.pem
new file mode 100644
index 0000000000..20585f1c01
--- /dev/null
+++ b/lib/bundler/ssl_certs/AddTrustExternalCARoot-2048.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
+MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
+IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
+MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
+FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
+bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
+H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
+uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
+mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
+a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
+E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
+WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
+VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
+Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
+cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
+IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
+AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
+YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
+6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
+Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
+c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
+mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
+-----END CERTIFICATE-----
diff --git a/lib/bundler/ssl_certs/COMODORSACertificationAuthority.pem b/lib/bundler/ssl_certs/COMODORSACertificationAuthority.pem
deleted file mode 100644
index d81d72a264..0000000000
--- a/lib/bundler/ssl_certs/COMODORSACertificationAuthority.pem
+++ /dev/null
@@ -1,35 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
-hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
-A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
-BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy
-MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
-EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
-Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh
-bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh
-bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0
-Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6
-ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51
-UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n
-c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY
-MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz
-30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
-HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG
-BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
-bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB
-AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E
-T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v
-ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p
-mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/
-e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps
-P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY
-dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc
-2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG
-V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4
-HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX
-j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII
-0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap
-lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
-+AZxAeKCINT+b72x
------END CERTIFICATE-----
diff --git a/lib/bundler/ssl_certs/COMODORSADomainValidationSecureServer.pem b/lib/bundler/ssl_certs/COMODORSADomainValidationSecureServer.pem
deleted file mode 100644
index 178a558bcd..0000000000
--- a/lib/bundler/ssl_certs/COMODORSADomainValidationSecureServer.pem
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFUzCCBDugAwIBAgIRAPLaUGqN5nvAm5oy7tfh3dEwDQYJKoZIhvcNAQELBQAw
-gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
-BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
-VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
-Q0EwHhcNMTQxMDE2MDAwMDAwWhcNMTUxMDE2MjM1OTU5WjBcMSEwHwYDVQQLExhE
-b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxHjAcBgNVBAsTFUVzc2VudGlhbFNTTCBX
-aWxkY2FyZDEXMBUGA1UEAxQOKi5ydWJ5Z2Vtcy5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQCmL7NyiM3y61Up2cjNJq5ETt7+qKtoiBKVJpYQ8cB/
-jk4tQuZwKF59dq1gAyU6SFf/iUFRYnvfEa/V+FpuyBL7b/jEzI809hVtkSQM+6vR
-9Vz9rey4wcBpgEX7vSRimtH7RUCitNF3OZkHc59Ny07q9FgW+rRlvWnL970QlgiT
-0o0m3SoJRzqu8zn2ZLtbDARzF3a767Ms6fPm/88cqakNQ9d26aW0yB6Ndgxn7crM
-e6LhlrSZo6Ta1WJs+l5umKDhMdJBGMumxkFlnlqZdZxNGBErOlPSFfQGHYfrWzsR
-EFf+jPe0+OEHB80JU3yQiNs+nBUxzdHDkKAkcO9p4bKzAgMBAAGjggHZMIIB1TAf
-BgNVHSMEGDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQUJiRNFFXU
-9am4rs9kxMj9FY98/N4wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYD
-VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGy
-MQECAgcwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9D
-UFMwCAYGZ4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2Rv
-Y2EuY29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5j
-cmwwgYUGCCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21v
-ZG9jYS5jb20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNB
-LmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMCcGA1Ud
-EQQgMB6CDioucnVieWdlbXMub3JnggxydWJ5Z2Vtcy5vcmcwDQYJKoZIhvcNAQEL
-BQADggEBAFFnezsXS+fBqJDiFdwbPkT9Hdn+cc2OqrJTP5GaPH3hnGc1tn5v5QVB
-+s0Uuoil/RiLRs4PzRlZiVZN86iY6GLxd8fkoeNMfdaH0i7i0lXJDz/qIdboPfxc
-2T0oTBJufxvLCeNOFgl5aKus5HD/mnKoD1hGEOBJjulUwn09n8PMFnXmAnDVZ3Tv
-6PltYiH4OadktplNR8oBB55Kn0ffYgIfofL9Mr2iCJlTvxMEpIRAe6NIs2r8InEJ
-CnoNbAXUBuqOjgiiYNLvDrv3usj15Yv8xRMn9pyxA14i6HSyf5LwrLWPWhhV3YJ7
-R+n4EAYack3mCZb2TZ8FwoS05OKhbw8=
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/lib/bundler/ssl_certs/certificate_manager.rb b/lib/bundler/ssl_certs/certificate_manager.rb
index 1f6a7b093e..22872cc770 100644
--- a/lib/bundler/ssl_certs/certificate_manager.rb
+++ b/lib/bundler/ssl_certs/certificate_manager.rb
@@ -1,4 +1,6 @@
 require 'fileutils'
+require 'net/https'
+require 'openssl'
 
 module Bundler
   module SSLCerts
@@ -9,9 +11,11 @@ module Bundler
         new(rubygems_path).update!
       end
 
-      def initialize(rubygems_path)
-        rubygems_certs = File.join(rubygems_path, 'lib/rubygems/ssl_certs')
-        @rubygems_certs = certificates_in(rubygems_certs)
+      def initialize(rubygems_path = nil)
+        if rubygems_path
+          rubygems_cert_path = File.join(rubygems_path, 'lib/rubygems/ssl_certs')
+          @rubygems_certs = certificates_in(rubygems_cert_path)
+        end
 
         @bundler_cert_path = File.expand_path("..", __FILE__)
         @bundler_certs = certificates_in(bundler_cert_path)
@@ -32,12 +36,30 @@ module Bundler
         FileUtils.cp rubygems_certs, bundler_cert_path
       end
 
+      def connect_to(host)
+        http = Net::HTTP.new(host, 443)
+        http.use_ssl = true
+        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        http.cert_store = store
+        http.head('/')
+      end
+
     private
 
       def certificates_in(path)
         Dir[File.join(path, "*.pem")].sort
       end
 
+      def store
+        @store ||= begin
+          store = OpenSSL::X509::Store.new
+          bundler_certs.each do |cert|
+            store.add_file cert
+          end
+          store
+        end
+      end
+
     end
   end
 end
diff --git a/spec/other/ssl_cert_spec.rb b/spec/other/ssl_cert_spec.rb
index ac9283a218..04f7a1f25f 100644
--- a/spec/other/ssl_cert_spec.rb
+++ b/spec/other/ssl_cert_spec.rb
@@ -1,10 +1,23 @@
 require 'spec_helper'
 require 'bundler/ssl_certs/certificate_manager'
 
-describe "SSL Certificates", :if => (ENV['RGV'] == "master") do
+describe "SSL Certificates", :rubygems_master do
   it "are up to date with Rubygems" do
     rubygems = File.expand_path("../../../tmp/rubygems", __FILE__)
     manager = Bundler::SSLCerts::CertificateManager.new(rubygems)
     expect(manager).to be_up_to_date
   end
+
+  hosts = %w(
+    d2chzxaqi4y7f8.cloudfront.net
+    rubygems.org
+    s3.amazonaws.com
+    staging.rubygems.org
+  )
+
+  hosts.each do |host|
+    it "can securely connect to #{host}", :realworld do
+      Bundler::SSLCerts::CertificateManager.new.connect_to(host)
+    end
+  end
 end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index bef35a1aa9..774f10cecb 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -76,6 +76,12 @@ RSpec.configure do |config|
     config.filter_run_excluding :rubygems => "2.2"
   end
 
+  if ENV['RGV'] == "master"
+    config.filter_run :rubygems_master => true
+  else
+    config.filter_run_excluding :rubygems_master => true
+  end
+
   config.filter_run :focused => true unless ENV['CI']
   config.run_all_when_everything_filtered = true
   config.alias_example_to :fit, :focused => true