证书错误SSL_connect返回= 1 errno = 0状态=错误：证书验证失败

Question

I am using a ruby/rails application which recieves some information by rest/API from another ruby/rails app.

Second rails app has address like: https://railsapp2.domain.org (This is the authorized url which I am using in my first app)

But I get error when job runs on my first app.

Error is: SSL_connect returned=1 errno=0 state=error: certificate verify failed

and i believe issue is because of this code in my app:

 def self.fetch(url)
   authorized_url = RemoteRequestBuilder.authorize_and_decorate!(url)

   RestClient.get(authorized_url, { accept: :json }) { |response, request, result, &block|
    raise SparcApiError unless response.code == 200

    @response = response
  }

  Yajl::Parser.parse @response
end

I looked for some answers and found that I can use verify_ssl: false , but I don't know where to use it. And also how can I make it work using verify_ssl : true.

I also installed certified gem but it does not change anything in output.

i am using centOS7.

EDIT

so I did this

   RestClient::Resource.new(
   authorized_url,
   :ssl_client_cert  => OpenSSL::X509::Certificate.new(File.read("/etc/certs/mycert.pem")),
   :ssl_client_key   =>  OpenSSL::PKey::RSA.new(File.read("/etc/private/mykey.key")),
   :ssl_ca_file      =>  "/etc/certs/mycert.pem",
   :verify_ssl       =>  OpenSSL::SSL::VERIFY_PEER
   ).get(authorized_url, { accept: :json }) { |response, request, result, &block|
  raise SparcApiError unless response.code == 200

  @response = response
}

and now it gives me error wrong number of arguments in get.

| wrong number of arguments (2 for 0..1) /home/capistrano/opt/shared/bundle/ruby/2.1.0/gems/rest-client-2.0.2/lib/restclient/resource.rb:49:in `get'

so I removed authorized_url argument from get and then it started giving me the error cerificate verification failed.

so I put

 :verify_ssl       =>  OpenSSL::SSL::VERIFY_NONE

and Now it's giving me error: Connection reset by peer - SSL_connect

Answer 1

As per the documentation of Rest-Client gem

RestClient::Resource.new(
  'https://example.com',
  :ssl_client_cert  =>  OpenSSL::X509::Certificate.new(File.read("cert.pem")),
  :ssl_client_key   =>  OpenSSL::PKey::RSA.new(File.read("key.pem"), "passphrase, if any"),
  :ssl_ca_file      =>  "ca_certificate.pem",
  :verify_ssl       =>  OpenSSL::SSL::VERIFY_PEER
).get

can be used to specify ca-certificate and verify them. In case you do not want to verify it, modify the verify-ssl key to OpenSSL::SSL::VERIFY_NONE

As per the RestClient gem source code for RestClient.get() and RestClient::Resource.new(...).get , both these methods call Request.execute() . Therefore your arguments will remain the same except you'll need to pass authorized url to the .new 's argument. So your code will become like this:

my_client = RestClient::Resource.new(
  authorized_url,
  :ssl_client_cert  =>  OpenSSL::X509::Certificate.new(File.read("cert.pem")),
  :ssl_client_key   =>  OpenSSL::PKey::RSA.new(File.read("key.pem"), "passphrase, if any"),
  :ssl_ca_file      =>  "ca_certificate.pem",
  :verify_ssl       =>  OpenSSL::SSL::VERIFY_PEER
)

my_client.get({ accept: :json }) { |response, request, result, &block|
    raise SparcApiError unless response.code == 200

    @response = response
  }

This way, you can re-use the my_client object to send GET/POST/PUT/PATCH/DELETE requests with same ssl options and url. eg my_client.post(...){...}

---

NOTE :

1. Verifying ssl certificate shouldn't be skipped in production. This should be used in dev/test environment only, otherwise you will be susceptible to the man in the middle attacks.
2. If you trust the CA certificate then you should add it to your host's installed certificates bundle.