
Ruby Net::HTTP responds with OpenSSL::SSL::SSLError "certificate verify failed" after certificate renewal

We recently renewed the SSL certificate of our site, and the following occurs on Mac OS El Capitan 10.11.3:

require 'net/http'

Net::HTTP.get URI('https://www.google.com')
# => "<HTML>...</HTML>"

# The site whose certificate got renewed
Net::HTTP.get URI('https://www.example.com')
# => OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed

All my searches on Google and StackOverflow come up with answers suggesting a problem with the Ruby installation, but they seem to be related to older Ruby versions and I don't think this is the case here. Here is what I've tried:

  • brew update
  • brew upgrade openssl
  • rvm osx-ssl-certs update all
  • rvm install ruby-2.3.1 --disable-binary --with-openssl-dir="$(brew --prefix openssl)" (I did not have this version before)
  • rvm requirements
  • crlrefresh rpv to purge the OSX system wide CRL cache, per Uzbekjon's suggestion.

How can I resolve this?

Notes:

  • The problem does not occur on a freshly installed Linux Docker container that has bare Ruby 2.2.3. So maybe it's something to do with Mac OS, or SSL local caching.
  • This issue might have existed before the certificate renewal. I cannot know for sure. However, the renewal did cause a similar problem with a 3rd party we're using, as I discuss in this question.
  • The certificate installation was verified by Namecheap to be correct, online checkers show everything works, and all major browsers show the certificate as valid.

Solution

With much help from BoraMa, it is now clear what was happening. COMODO added a new root called COMODO RSA Certification Authority instead of the previous COMODO Certification Authority. The new root was not registered within Mac's keychain, causing this issue.

One way we attempted to debug this was by running:

openssl s_client -connect www.mysite.com:443

This showed a warning verify error:num=20:unable to get local issuer certificate. This warning is not an issue, as openssl s_client does not use any certificates by default. Running the following was able to prevent the warning after downloading the certificate from COMODO into comodo.pem (index here):

openssl s_client -connect www.mysite.com:443 -CAfile comodo.pem

However, this could not and did not affect the Ruby OpenSSL interface. This article made things much clearer for me, and the SSL doctor script created by its author was also helpful, as it confirmed the hypothesis. The article suggested looking at OpenSSL::X509::DEFAULT_CERT_FILE, which for me was /usr/local/etc/openssl/cert.pem. That file did not exist on my machine, which meant Apple's patch for OpenSSL was using the Keychain App. For whatever reason, importing comodo.pem into my keychain and marking it as trusted based on this post did not work.

So, the solution was to create the cert.pem file manually. I went to the Keychain app and exported all System Root certificates to system_root.pem. Then: cat system_root.pem comodo.pem > cert.pem and moving that file to /usr/local/etc/openssl/ did the trick. Running Net::HTTP.get in Ruby no longer failed.

I would try double-checking whether the trusted certificate store contains the COMODO_RSA_Certification_Authority.pem certificate. In my (Linux) setup, the site works OK, but when I temporarily remove the certificate of the COMODO cert authority from the cert store, I get exactly the same error as you (while in browsers it still works, as they have their own cert stores).

BTW, the same error is also recognizable using curl, as it also appears to use the same trusted cert store as Ruby, so you might first ensure that the site works under curl.

In Linux, the cert store is usually located in /etc/ssl/certs, whereas under OSX it should probably be /System/Library/OpenSSL (see this article for other options).

You should see something like the following in the cert store directory:

root@apsara:/etc/ssl/certs$ ls -l | grep COMODO_RSA_Certification_Authority.pem
lrwxrwxrwx 1 root root     73 úno 28 10:24 COMODO_RSA_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt
lrwxrwxrwx 1 root root     38 úno 28 10:24 d4c339cb.0 -> COMODO_RSA_Certification_Authority.pem
lrwxrwxrwx 1 root root     38 úno 28 10:24 d6325660.0 -> COMODO_RSA_Certification_Authority.pem

The following is a snippet of some attributes of this root CA certificate:

$ openssl x509 -in COMODO_RSA_Certification_Authority.pem -noout -text
Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Signature Algorithm: sha384WithRSAEncryption
    Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
    Validity
        Not Before: Jan 19 00:00:00 2010 GMT
        Not After : Jan 18 23:59:59 2038 GMT
    Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (4096 bit)
            Modulus:
                00:91:e8:54:92:d2:0a:56:b1:ac:0d:24:dd:c5:cf:
                ...
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Subject Key Identifier: 
            BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 Basic Constraints: critical
            CA:TRUE
Signature Algorithm: sha384WithRSAEncryption
     ...

The certificate can be downloaded from Comodo here (index of all certs is here).

More info: while looking into it, it turns out that there are actually two distinct certification chains for certs by the Comodo CA. One, the older one, is the one with the root CA listed above. The newer validation chain uses "External CA root" certificates in the chain. This forum post explains further, with specific instructions for OSX for marking those certs as trusted.
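The failure the question's Solution and this answer describe, reproduced in Ruby as an added example (not code from the question, the answers, or the SSL doctor script): a leaf certificate checked against a store that lacks its root fails with error 20, "unable to get local issuer certificate", exactly as Net::HTTP reported, and adding the root to the store (the equivalent of appending comodo.pem to cert.pem) makes the same leaf verify. The root CA, the host name and the helpers make_cert, verify_report and default_cert_file are constructed for this example.

```ruby
require 'openssl'

# Build an X.509 certificate (hypothetical helper; issuer_* nil means a self-signed root).
def make_cert(subject, key, serial, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # X509v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
# Constructed stand-ins for "COMODO RSA Certification Authority" and the renewed site certificate.
ROOT = make_cert('/CN=Example Root CA', ROOT_KEY, 1, ca: true)
LEAF = make_cert('/CN=www.example.com', LEAF_KEY, 2, ca: false,
                 issuer_cert: ROOT, issuer_key: ROOT_KEY)

# Verify a certificate the way Net::HTTP does (OpenSSL::X509::Store#verify); the issuer field
# tells you which CA certificate is missing from the store when the code is 20.
def verify_report(store, cert)
  ok = store.verify(cert)
  { ok: ok, code: store.error, reason: store.error_string, issuer: cert.issuer.to_s }
end

# The CA bundle Ruby's OpenSSL reads when SSL_CERT_FILE is unset; the question's fix was creating it.
def default_cert_file
  path = OpenSSL::X509::DEFAULT_CERT_FILE
  { path: path, exists: File.exist?(path) }
end

def demo
  missing_root = OpenSSL::X509::Store.new            # store without the new root
  before = verify_report(missing_root, LEAF)          # code 20, "unable to get local issuer certificate"
  with_root = OpenSSL::X509::Store.new
  with_root.add_cert(ROOT)                            # same effect as appending comodo.pem to cert.pem
  after = verify_report(with_root, LEAF)
  [before, after]
end
```

To diagnose a real host, load its leaf with OpenSSL::X509::Certificate.new(pem) and call verify_report with a store built by set_default_paths; a code of 20 plus the issuer name tells you which root to add.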

It sounds like the problem is with your OSX certificates cache. I guess you updated your certificates before the old one had expired?

Try purging your OSX system wide CRL cache by running this command:

crlrefresh rpv

# p - purges cache, r - refreshes them, v - run in verbose mode

This is a built-in command-line tool that updates and maintains the system-wide CRL cache. Read more about it in its man page (man crlrefresh).

I have been pulling my hair out all morning with this error. This question and the answer led me to a solution that works for me. I'm not adding new information here, just the specifics of what I did in case it's of use to anyone else with this error on a platform similar to mine.

I'm using:

Ubuntu 16.04
ruby 2.3.0
rails 4.2.7.1
HTTParty

I'm accessing an API secured with a COMODO SSL certificate. In my code, when I tried:

HTTParty.get(secured_url).tap{|response| puts response}

I got:

SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError)

I, too, used the SSL doctor script noted above. When I ran the script (substituting my actual API server address for host), I got:

$ ruby doctor.rb host:443
/home/<redacted>/.rvm/rubies/ruby-2.3.0/bin/ruby (2.3.0-p0)
OpenSSL 1.0.2g  1 Mar 2016: /usr/lib/ssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""

HEAD https://host:443
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed

The server presented a certificate that could not be verified:
  subject: <redacted>
  issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
  error code 20: unable to get local issuer certificate

In a separate terminal, I went into my certs directory:

$ cd /etc/ssl/certs

And did (using COMODO_RSA_Organization_Validation_Secure_Server_CA, derived from the issuer text above):

<redacted>:/etc/ssl/certs$ openssl x509 -in COMODO_RSA_Organization_Validation_Secure_Server_CA.pem -noout -text
Error opening Certificate COMODO_RSA_Organization_Validation_Secure_Server_CA.pem
140455648364184:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('COMODO_RSA_Organization_Validation_Secure_Server_CA.pem','r')
140455648364184:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate

I went to the COMODO site where the COMODO RSA Organization Validation Secure Server CA pem is located. I copied the certificate into a new file called COMODO_RSA_Organization_Validation_Secure_Server_CA.crt on my desktop (some instructions say to use the crt extension instead of pem even though you need the pem certificate content).

Then, following these instructions, I did:

<redacted>:~/Desktop$ sudo cp COMODO_RSA_Organization_Validation_Secure_Server_CA.crt /usr/share/ca-certificates/COMODO_RSA_Organization_Validation_Secure_Server_CA.crt
<redacted>:~/Desktop$ sudo dpkg-reconfigure ca-certificates

Then I did:

sudo dpkg-reconfigure ca-certificates

And then:

<redacted>:~/Desktop$ ruby doctor.rb host:443
/home/<redacted>/.rvm/rubies/ruby-2.3.0/bin/ruby (2.3.0-p0)
OpenSSL 1.0.2g  1 Mar 2016: /usr/lib/ssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""

HEAD https://host:443
OK

After which my code ran fine. Thank you, thank you, thank you!
