Ruby Net::HTTP responds with OpenSSL::SSL::SSLError "certificate verify failed" after certificate renewal
We recently renewed the SSL certificate of our site, and the following occurs on Mac OS El Capitan 10.11.3:

require 'net/http'
Net::HTTP.get URI('https://www.google.com')
# => "<HTML>...</HTML>"
# The site whose certificate got renewed
Net::HTTP.get URI('https://www.example.com')
# => OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed

All my searches on Google and StackOverflow come up with answers suggesting a problem with the Ruby installation, but they seem to be related to older Ruby versions and I don't think this is the case here. Here is what I've tried:

brew update
brew upgrade openssl
rvm osx-ssl-certs update all
rvm install ruby-2.3.1 --disable-binary --with-openssl-dir="$(brew --prefix openssl)" (I did not have this version before)
rvm requirements
crlrefresh rpv to purge the OSX system wide CRL cache, per Uzbekjon's suggestion.

How can I resolve this?
Notes:

With much help from BoraMa, it is now clear what was happening. COMODO added a new root called COMODO RSA Certification Authority instead of the previous COMODO Certification Authority. The new root was not registered within Mac's keychain, causing this issue.

One way we attempted to debug this was by running:

openssl s_client -connect www.mysite.com:443

which showed a warning: verify error:num=20:unable to get local issuer certificate. This warning is not an issue, as openssl s_client does not use any certificates by default. Running the following was able to prevent the warning after downloading the certificate from COMODO into comodo.pem (index here):

openssl s_client -connect www.mysite.com:443 -CAfile comodo.pem

However, this could not and did not affect the Ruby OpenSSL interface. This article made things much clearer for me, and the SSL doctor script created by its author was also helpful, as it confirmed the hypothesis. The article suggested looking at OpenSSL::X509::DEFAULT_CERT_FILE, which for me was /usr/local/etc/openssl/cert.pem. That file did not exist on my machine, which meant Apple's patch for OpenSSL was using the Keychain App. For whatever reason, importing comodo.pem into my keychain and marking it as trusted based on this post did not work.

So, the solution was to create the cert.pem file manually. I went to the keychain app, and exported all System Root certificates to system_root.pem. Then:

cat system_root.pem comodo.pem > cert.pem

and moving that file to /usr/local/etc/openssl/ did the trick. Running Net::HTTP.get in Ruby no longer failed.
I would try to double-check whether the trusted certificate store contains the COMODO_RSA_Certification_Authority.pem certificate. In my (Linux) setup, the site works OK but when I temporarily remove the certificate of the COMODO cert authority from the cert store, I get exactly the same error as you (while in browsers it still works as they have their own cert stores).

BTW, the same error is also recognizable using curl as it also appears to use the same trusted cert store as ruby, so you might first ensure that the site works under curl.

In Linux, the cert store is usually located in /etc/ssl/certs whereas under OSX it should probably be /System/Library/OpenSSL (see this article for other options).

You should see something like the following in the cert store directory:
root@apsara:/etc/ssl/certs$ ls -l | grep COMODO_RSA_Certification_Authority.pem
lrwxrwxrwx 1 root root 73 úno 28 10:24 COMODO_RSA_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt
lrwxrwxrwx 1 root root 38 úno 28 10:24 d4c339cb.0 -> COMODO_RSA_Certification_Authority.pem
lrwxrwxrwx 1 root root 38 úno 28 10:24 d6325660.0 -> COMODO_RSA_Certification_Authority.pem
The following is a snippet of some attributes of this root CA certificate:
$ openssl x509 -in COMODO_RSA_Certification_Authority.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Signature Algorithm: sha384WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Validity
Not Before: Jan 19 00:00:00 2010 GMT
Not After : Jan 18 23:59:59 2038 GMT
Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:91:e8:54:92:d2:0a:56:b1:ac:0d:24:dd:c5:cf:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha384WithRSAEncryption
...
The certificate can be downloaded from Comodo here (index of all certs is here).

More info: while looking into it, it turns out that there are actually two distinct certification chains for certs by the Comodo CA. One, the older one, is the one with the root CA listed above. The newer validation chain uses "External CA root" certificates in the chain. This forum post explains further, with specific instructions for OSX for marking those certs as trusted.
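The question's notes (a cert.pem that lacks the new COMODO root, fixed by concatenating the exported system roots with comodo.pem) and the answer above (check that the trusted store actually contains the issuing root) describe the same failure. The following Ruby script is an added example, not code from the question, the answers, or the SSL doctor script they mention. It reproduces the failure offline with a constructed CA hierarchy (the root and leaf names, the 127.0.0.1 HTTPS server, and the helper names make_cert, verify_against, start_server, fetch_with_ca_file and run_demo are all assumptions for this demo; nothing here is real COMODO material): a local server presents a leaf signed by a "new" root, verify_against reports the same error 20 the doctor output shows, and Net::HTTP is given first a bundle that knows only the "old" root and then one assembled the way the fix assembles cert.pem.

```ruby
# Added example, not code from the question or answers. Constructed CA hierarchy (no real
# COMODO material): a local HTTPS server presents a leaf signed by a NEW root and Net::HTTP
# is given a bundle that knows only the OLD root, then one built like the question's cert.pem.
require 'net/http'
require 'openssl'
require 'socket'
require 'tempfile'

# X.509 v3 certificate: signed leaf when issuer_cert/issuer_key are given, else self-signed root.
def make_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  exts = ca ? [['basicConstraints', 'CA:TRUE', true], ['keyUsage', 'keyCertSign,cRLSign', true]] :
              [['subjectAltName', 'DNS:localhost,IP:127.0.0.1', false]]
  exts.each { |oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) }
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Constructed hierarchy: the client trusts OLD_ROOT; NEW_ROOT issued the renewed server cert.
OLD_ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
OLD_ROOT = make_cert('/CN=Example Old Root CA', OLD_ROOT_KEY, 1, ca: true)
NEW_ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
NEW_ROOT = make_cert('/CN=Example New RSA Root CA', NEW_ROOT_KEY, 2, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF = make_cert('/CN=localhost', LEAF_KEY, 3, issuer_cert: NEW_ROOT, issuer_key: NEW_ROOT_KEY)

# Offline check (what "openssl s_client -CAfile" and the doctor script do): verify cert against
# a PEM bundle, returning [ok, error code, error text]; 20 = unable to get local issuer certificate.
def verify_against(bundle_pem, cert)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
            .each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  [store.verify(cert), store.error, store.error_string]
end

# Minimal HTTPS server on 127.0.0.1 serving LEAF; handshakes an untrusting client rejects are skipped.
def start_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  tcp = TCPServer.new('127.0.0.1', 0)
  ssl = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    until tcp.closed?
      begin
        conn = ssl.accept
        loop { l = conn.gets; break if l.nil? || l.strip.empty? } # discard the request
        conn.write("HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
        conn.close
      rescue OpenSSL::SSL::SSLError, SystemCallError then next
      rescue IOError then break
      end
    end
  end
  [tcp.addr[1], tcp, thread]
end

# Net::HTTP trusting only the bundle at ca_file (the role the question's cert.pem plays).
# Returns :ok or the OpenSSL::SSL::SSLError message.
def fetch_with_ca_file(port, ca_file)
  http = Net::HTTP.new('localhost', port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file
  http.open_timeout = http.read_timeout = 5
  response = http.start { |h| h.get('/') }
  response.code == '200' ? :ok : "HTTP #{response.code}"
rescue OpenSSL::SSL::SSLError => e
  e.message
end

# Both scenarios; "fixed" is cat system_root.pem comodo.pem > cert.pem applied to our roots.
def run_demo
  port, tcp, thread = start_server(LEAF, LEAF_KEY)
  stale = Tempfile.new(['stale', '.pem']).tap { |f| f.write(OLD_ROOT.to_pem); f.flush }
  fixed = Tempfile.new(['fixed', '.pem']).tap { |f| f.write(OLD_ROOT.to_pem + NEW_ROOT.to_pem); f.flush }
  { stale_bundle: fetch_with_ca_file(port, stale.path), fixed_bundle: fetch_with_ca_file(port, fixed.path) }
rescue SystemCallError, SocketError => e
  { skipped: "local HTTPS demo unavailable: #{e.message}" }
ensure
  tcp&.close
  thread&.join(2)
  [stale, fixed].compact.each(&:close!)
end

if $PROGRAM_NAME == __FILE__
  p verify_against(OLD_ROOT.to_pem, LEAF)                   # => [false, 20, "unable to get local issuer certificate"]
  p verify_against(OLD_ROOT.to_pem + NEW_ROOT.to_pem, LEAF) # => [true, 0, "ok"]
  run_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Two points worth taking from it. First, the store-level check (verify_against) fails with exactly the code the doctor script printed, error 20, whenever the issuing root is absent, which is a faster way to confirm the diagnosis than repeated Net::HTTP calls. Second, ca_file is used here only to make the two bundles explicit; on a real machine the durable fix is the one the question ends with, a complete cert.pem at OpenSSL::X509::DEFAULT_CERT_FILE (or the path named by the SSL_CERT_FILE environment variable), rather than per-request overrides that silently pin trust in application code.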
It sounds like the problem is with your OSX certificates cache. I guess you updated your certificates before the old one had expired?

Try purging your OSX system wide CRL cache by running this command:

crlrefresh rpv
# p - purges cache, r - refreshes them, v - run in verbose mode

This is a built-in command-line tool that updates and maintains the system-wide CRL cache. Read more about it in its man page (man crlrefresh).
I have been pulling my hair out all morning with this error. This question and the answer led me to a solution that works for me. I'm not adding new information here, but just the specifics of what I did in case it's of use to anyone else with this error on a platform similar to mine.

I'm using:

Ubuntu 16.04
ruby 2.3.0
rails 4.2.7.1
HTTParty

I'm accessing an API secured with a COMODO SSL certificate. In my code, when I tried:

HTTParty.get(secured_url).tap{|response| puts response}

I got:

SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError)

I, too, used the SSL doctor script noted above. When I ran the script (substituting my actual api server address for host), I got:
$ ruby doctor.rb host:443
/home/<redacted>/.rvm/rubies/ruby-2.3.0/bin/ruby (2.3.0-p0)
OpenSSL 1.0.2g 1 Mar 2016: /usr/lib/ssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""
HEAD https://host:443
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
The server presented a certificate that could not be verified:
subject: <redacted>
issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
error code 20: unable to get local issuer certificate
In a separate terminal, I went into my certs directory:

$ cd /etc/ssl/certs

And did (using COMODO_RSA_Organization_Validation_Secure_Server_CA derived from the issuer text, above):
<redacted>:/etc/ssl/certs$ openssl x509 -in COMODO_RSA_Organization_Validation_Secure_Server_CA.pem -noout -text
Error opening Certificate COMODO_RSA_Organization_Validation_Secure_Server_CA.pem
140455648364184:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('COMODO_RSA_Organization_Validation_Secure_Server_CA.pem','r')
140455648364184:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
I went to the COMODO site where the COMODO RSA Organization Validation Secure Server CA pem is located. I copied the certificate into a new file called COMODO_RSA_Organization_Validation_Secure_Server_CA.crt on my desktop (some instructions say to use the crt extension instead of pem even though you need the pem certificate content).

Then, following these instructions, I did:

<redacted>:~/Desktop$ sudo cp COMODO_RSA_Organization_Validation_Secure_Server_CA.crt /usr/share/ca-certificates/COMODO_RSA_Organization_Validation_Secure_Server_CA.crt
<redacted>:~/Desktop$ sudo dpkg-reconfigure ca-certificates

Then I did:

sudo dpkg-reconfigure ca-certificates

And then:
<redacted>:~/Desktop$ ruby doctor.rb host:443
/home/<redacted>/.rvm/rubies/ruby-2.3.0/bin/ruby (2.3.0-p0)
OpenSSL 1.0.2g 1 Mar 2016: /usr/lib/ssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""
HEAD https://host:443
OK
After which my code ran fine. Thank you, thank you, thank you!