Rails/Ubuntu: SSLv3 read server certificate B: certificate verify failed
Two days ago, I started seeing this error on the production server of my app (on staging everything works fine). I found a lot of topics here on SO, but none of them solved this issue for me.
Here's the piece of code that's causing this error message:
@client = Savon.client(wsdl: wsdl_url)
#@client = Savon.client(wsdl: wsdl_url, ssl_verify_mode: :none) # this solves the problem, but I don't want to skip the verification
On SO, I also found that a possible solution might be to create an initializer file and put there the following:
require 'open-uri'
require 'net/https'
module Net
  class HTTP
    alias_method :original_use_ssl=, :use_ssl=
    def use_ssl=(flag)
      #self.ca_path = Rails.root.join('lib/ca-bundle.crt').to_s
      self.ssl_version = :TLSv1_2 # added
      self.ca_file = '/etc/ssl/certs/ca-certificates.crt' # the file exists
      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
      self.original_use_ssl = flag
    end
  end
end
But this, unfortunately, didn't solve the error. I also tried to reinstall the certificate on the production Ubuntu (14.04) server:
sudo apt-get install openssl ca-certificates
The package has been upgraded, but the error is unfortunately still here.
Any tips on what else I could do to get rid of the error?
EDIT: How or where should I start debugging?
I also started getting this error a few days ago. Removing geocoder fixed the issue.
Per Heroku support, sometimes these errors occur when an external provider changes their SSL configuration.
Reply to comment:
Nothing in logs specifically saying geocoder, but I saw in my error reports (via exception notifier gem) that the app crashed, with this error, on lines making a request to geocoder.
I also had a callback on the users model, and noticed the app crashed anytime a user was saved/updated.
Lucky guess I suppose.
Run openssl s_client -showcerts -connect server_you_are_connecting_to.com:443 and examine the certificate. After this you should find yourself in one of the following situations:
The certificate is valid (has valid expiry date and common name), but it is signed by the certificate authority (CA) that isn't trusted by your system. If that's the case, you would need to add the CA's certificate to the trusted store or update the ca-bundle package on your system.
The certificate is invalid (is expired or has the wrong common name). If disabling peer SSL certificate verification isn't an option for you, then you can implement your own certificate verification callback, for example as described here -- in this case the code wouldn't be relying on system's trusted store, but rather check that the peer server uses a specific certificate.
Hope this helps.
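The triage described in the answer above, as an added Ruby example that is not part of the original thread: it maps OpenSSL's verification error onto the two situations (untrusted CA versus expired or wrongly named certificate). The CA, the certificates, the host name api.example.test and the helper names issue, diagnose and sample_results are all constructed or hypothetical; everything is built in memory so it runs offline.

```ruby
require 'openssl'

# Constructed sample input: issue a short-lived certificate for `cn`, signed by
# `issuer`/`issuer_key` (a self-signed CA when no issuer is given).
def issue(cn, key, issuer: nil, issuer_key: nil, not_after: Time.now + 3600)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 7200
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  constraints = issuer ? 'CA:FALSE' : 'CA:TRUE'
  cert.add_extension(ef.create_extension('basicConstraints', constraints, true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}")) if issuer
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# OpenSSL error codes meaning "no trusted issuer found" versus "validity dates are wrong".
UNTRUSTED_CA = %w[UNABLE_TO_GET_ISSUER_CERT_LOCALLY UNABLE_TO_GET_ISSUER_CERT
                  UNABLE_TO_VERIFY_LEAF_SIGNATURE DEPTH_ZERO_SELF_SIGNED_CERT
                  SELF_SIGNED_CERT_IN_CHAIN].map { |n| OpenSSL::X509.const_get("V_ERR_#{n}") }
BAD_DATES = [OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED, OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID].freeze

# Verify `cert` against only the CAs in `trusted_cas`, then check the host name.
def diagnose(cert, hostname, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  unless store.verify(cert)
    return :untrusted_ca if UNTRUSTED_CA.include?(store.error)
    return :bad_dates if BAD_DATES.include?(store.error)
    return :other_failure
  end
  OpenSSL::SSL.verify_certificate_identity(cert, hostname) ? :ok : :wrong_name
end

def sample_results
  ca_key, leaf_key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  ca = issue('Constructed Test CA', ca_key)
  signed = { issuer: ca, issuer_key: ca_key }
  good = issue('api.example.test', leaf_key, **signed)
  old = issue('api.example.test', leaf_key, **signed, not_after: Time.now - 3600)
  { trusted: diagnose(good, 'api.example.test', [ca]),
    unknown_ca: diagnose(good, 'api.example.test', []),
    expired: diagnose(old, 'api.example.test', [ca]),
    wrong_name: diagnose(good, 'other.example.test', [ca]) }
end

p sample_results if __FILE__ == $PROGRAM_NAME
```

Against a real server, the certificate printed by the openssl s_client command above can be loaded with OpenSSL::X509::Certificate.new(pem_text) and passed to diagnose together with the CAs from the system bundle.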