检索PEM证书:SSL_connect返回= 1 errno = 0状态= SSLv3读取服务器证书B:证书验证失败
[英]Retrieve PEM cert: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
问题描述
As many others I've got the error with Ruby: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. 
与其他许多错误一样,我也遇到了Ruby错误:SSL_connect返回= 1 errno = 0状态= SSLv3读取服务器证书B:证书验证失败。
I downloaded a cacert.pem and tried to add it like this: 我下载了一个cacert.pem,并尝试像这样添加它:
require 'net/http'
# create a path to the file "C:\RailsInstaller\cacert.pem"
cacert_file = File.join(%w{c: RailsInstaller cacert.pem})
Net::HTTP.start("curl.haxx.se") do |http|
resp = http.get("/ca/cacert.pem")
if resp.code == "200"
open(cacert_file, "wb") { |file| file.write(resp.body) }
puts "\n\nA bundle of certificate authorities has been installed to"
puts "C:\\RailsInstaller\\cacert.pem\n"
puts "* Please set SSL_CERT_FILE in your current command prompt session with:"
puts " set SSL_CERT_FILE=C:\\RailsInstaller\\cacert.pem"
puts "* To make this a permanent setting, add it to Environment Variables"
puts " under Control Panel -> Advanced -> Environment Variables"
else
abort "\n\n>>>> A cacert.pem bundle could not be downloaded."
end
end
And like this: 像这样:
require 'open-uri'
require 'net/https'
module Net
class HTTP
alias_method :original_use_ssl=, :use_ssl=
def use_ssl=(flag)
self.ca_file = Rails.root.join('lib/ca-bundle.crt')
self.verify_mode = OpenSSL::SSL::VERIFY_PEER
self.original_use_ssl = flag
end
end
end
I even tried to cancel the check: 我什至试图取消支票:
require 'faraday'
module Faraday
class Adapter
class NetHttp < Faraday::Adapter
def call(env)
super
is_ssl = env[:url].scheme == 'https'
http = net_http_class(env).new(env[:url].host, env[:url].port || (is_ssl ? 443 : 80))
if http.use_ssl = is_ssl
ssl = env[:ssl]
if ssl[:verify] == false
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
else
http.verify_mode = OpenSSL::SSL::VERIFY_NONE # <= PATCH or HACK ssl[:verify]
end
http.cert = ssl[:client_cert] if ssl[:client_cert]
http.key = ssl[:client_key] if ssl[:client_key]
http.ca_file = ssl[:ca_file] if ssl[:ca_file]
end
req = env[:request]
http.read_timeout = net.open_timeout = req[:timeout] if req[:timeout]
http.open_timeout = req[:open_timeout] if req[:open_timeout]
full_path = full_path_for(env[:url].path, env[:url].query, env[:url].fragment)
http_req = Net::HTTPGenericRequest.new(
env[:method].to_s.upcase, # request method
(env[:body] ? true : false), # is there data
true, # does net/http love you, true or false?
full_path, # request uri path
env[:request_headers]) # request headers
if env[:body].respond_to?(:read)
http_req.body_stream = env[:body]
env[:body] = nil
end
http_resp = http.request http_req, env[:body]
resp_headers = {}
http_resp.each_header do |key, value|
resp_headers[key] = value
end
env.update \
:status => http_resp.code.to_i,
:response_headers => resp_headers,
:body => http_resp.body
@app.call env
rescue Errno::ECONNREFUSED
raise Error::ConnectionFailed.new(Errno::ECONNREFUSED)
end
def net_http_class(env)
if proxy = env[:request][:proxy]
Net::HTTP::Proxy(proxy[:uri].host, proxy[:uri].port, proxy[:user], proxy[:password])
else
Net::HTTP
end
end
end
end
end
But no luck (and not the way you want to fix this). 但没有运气(不是您要解决此问题的方式)。 Weird thing is that it works sometimes. 奇怪的是,它有时会起作用。
Now I'm trying this, but have trouble finding the certificates: 现在,我正在尝试此操作,但是找不到证书:
require 'net/http'
url = URI.parse('https://www.xpiron.com/schedule')
req = Net::HTTP::Get.new(url.path)
sock = Net::HTTP.new(url.host, 443)
sock.use_ssl = true
store = OpenSSL::X509::Store.new
store.add_cert OpenSSL::X509::Certificate.new(File.new('addtrust_ca.pem'))
store.add_cert OpenSSL::X509::Certificate.new(File.new('utn.pem'))
store.add_cert OpenSSL::X509::Certificate.new(File.new('user_first_ca.pem'))
store.add_cert OpenSSL::X509::Certificate.new(File.new('xpiron.pem'))
sock.cert_store = store
sock.start do |http|
response = http.request(req)
end
So I opened the https://myserver.com/Request.ashx request in chrome, clicked on the little lock-icon to get the certificate details. 因此,我打开了Chrome中的https://myserver.com/Request.ashx请求,单击了小锁图标以获取证书详细信息。 But I can't find any PEM files to export. 但是我找不到要导出的任何PEM文件。 I can see that it's a COMODO certificate. 我可以看到它是一个COMODO证书。 I don't own the server, so I got to find a solution for this on my side. 我不拥有服务器,所以我必须为此寻找解决方案。
1 个解决方案
解决方案1
2 已采纳 2013-09-04 16:22:32
you can disable certificate verification for a given instance of Net::HTTP : 您可以为Net::HTTP的给定实例禁用证书验证:
stock.verify_mode = OpenSSL::SSL::VERIFY_NONE
or you can disable SSL verification globally in your process using: 或者您可以使用以下方法在过程中全局禁用SSL验证:
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
Note: Ruby interpreter will give you warning that constant is already initialized. 注意:Ruby解释器会警告您常量已初始化。 Sometimes you might get hard error. 有时您可能会遇到严重错误。 if that's the case you can unassign constant and initialize it again using following code: 如果是这种情况,您可以取消分配常量,然后使用以下代码再次对其进行初始化:
OpenSSL::SSL.send(:remove_const, :VERIFY_PEER)
OpenSSL::SSL.const_set(:VERIFY_PEER, OpenSSL::SSL::VERIFY_NONE)
This is not a perfect solution for your problem, but if security is not a big cocern, you can use above methods to bypass SSL Cert verification. 对于您的问题,这不是一个完美的解决方案,但是如果安全性不是一个大问题,则可以使用上述方法绕过SSL证书验证。 You will still have encrypted secure connection to server. 您仍将具有到服务器的加密安全连接。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.