Rails.application.initialize之后,Rails SSL证书验证失败
[英]Rails ssl certificate verify failed after Rails.application.initialize
问题描述
I get SSL verify errors when running get calls against an SSL site from the rails console (or in the rails environment in general). 
从Rails控制台(或通常在Rails环境中)对SSL站点运行get调用时,我收到SSL验证错误。
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
I've traced the entire rails application initialization process from start to finish, going from config.ru all the way through, requiring environment files, etc. 我已经从头到尾跟踪了整个Rails应用程序的初始化过程,从config.ru一直到需要环境文件等。
The SSL error only starts happening after I run Rails.application.initialize! 仅在我运行Rails.application.initialize!之后才开始发生SSL错误Rails.application.initialize! in config/environment.rb 在config/environment.rb
I purged all ruby gems from the system and only have the ones installed from the Gemfile so it's impossible to have a different gem version required before/after the initialization process. 我从系统中清除了所有红宝石宝石,并且仅从Gemfile安装了这些Gemfile因此不可能在初始化过程之前/之后需要使用其他宝石版本。
I know the short-term fix would be to set my HTTPS calls to not verify the cert it is getting but that is not possible due to security concerns in the production environment. 我知道短期的解决方法是将HTTPS调用设置为不验证其获得的证书,但是由于生产环境中的安全问题,这是不可能的。
The problem seems to relate to SNI (Server Name Indication) given that when I run 鉴于我运行时,该问题似乎与SNI(服务器名称指示)有关
openssl s_client -connect sub.domain.com:443 -showcerts -servername sub.domain.com
I get the proper CERT, but when I run 我得到了正确的CERT,但是当我运行时
openssl s_client -connect sub.domain.com:443 -showcerts
I get a cert for sub2.domain.com which is why the verify fails. 我获得了sub2.domain.com的证书,这就是验证失败的原因。 How is this something that is changed by the Rails init process and if so, is there an option to tell rails to use SNI ? Rails初始化过程如何更改此内容,如果有,是否可以告诉Rails使用SNI?
- Rails v4.2.5.2 Rails v4.2.5.2
- ruby 2.3.3p222 (2016-11-21 revision 56859) [x86_64-linux] ruby 2.3.3p222(2016-11-21修订版56859)[x86_64-linux]
- OS: Fedora 25 操作系统:Fedora 25
- ca-certificates-2017.2.11-1.1.fc25_2017.2.14-1.0.fc25.noarch.drpm: done ca-certificates-2017.2.11-1.1.fc25_2017.2.14-1.0.fc25.noarch.drpm:已完成
2 个解决方案
解决方案1
0 2017-05-11 14:23:25
In the end it wasn't a Rails issue but a google-api-client gem issue. 最后,这不是Rails问题,而是google-api-client gem问题。 In order to work in a Windows environment we loaded the cacerts.pem file from the google api gem via an initializer file. 为了在Windows环境中工作,我们通过初始化程序文件从google api gem加载了cacerts.pem文件。
config/initializers/ga.rb : config/initializers/ga.rb :
cert_path = Gem.loaded_specs['google-api-client'].full_gem_path+'/lib/cacerts.pem'
ENV['SSL_CERT_FILE'] = cert_path
This resolves the CA file to 这会将CA文件解析为
"/home/user/appname/vendor/bundle/ruby/2.3.0/gems/google-api-client-0.11.1/lib/cacerts.pem"
And that does not support SNI for SSL certs generated by LetsEncrypt. 而且这不支持LetsEncrypt生成的SSL证书的SNI。
解决方案2
0 2018-11-24 18:53:54
I added the following gem and it worked for me. 我添加了以下宝石,它对我有用。 gem 'certified' 宝石“认证”
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.