Ruby Webrick 服务器无法验证客户端证书

Question

I am running a sinatra based web application using Webrick. I was able to setup TLS using my self-signed server certificates and webrick starts in TLS mode, but I am not able to make a connection to server using client certificate (cert based authentication).

Server logs says " ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=error: certificate verify failed "

But the same certificates (both server and client) are working with apache server.

def self.run!
    server_options = {
      :Host => '0.0.0.0',
      :Port => 33443,
      :SSLEnable => true,
      :SSLVerifyClient    => OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT | OpenSSL::SSL::VERIFY_PEER,
      :SSLVerifyDepth => 3,
      :SSLCertificate => OpenSSL::X509::Certificate.new(File.open('/Users/cert.pem').read),
      :SSLPrivateKey => OpenSSL::PKey::RSA.new(File.open('/Users/key.pem').read),
      :SSLClientCA => OpenSSL::X509::Certificate.new(File.open('/Users/cai.cer').read)
  }

  Rack::Handler::WEBrick.run self, server_options do |server|
    [:INT, :TERM].each { |sig| trap(sig) { server.stop } }
    server.threaded = settings.threaded if server.respond_to? :threaded=
    set :running, true
  end
end

Answer 1

This issue was fixed by providing the cacert file as :SSLCACertificateFile in server options instead of :SSLClientCA .

server_options = {
    :Host => '0.0.0.0',
    :Port => 443,
    :SSLEnable => true,
    :SSLVerifyClient    => OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT | OpenSSL::SSL::VERIFY_PEER,
    :SSLVerifyDepth => 4,
    :SSLCertificate => OpenSSL::X509::Certificate.new(File.open('/Users/cert.pem').read),
    :SSLPrivateKey => OpenSSL::PKey::RSA.new(File.open('/Users/key.pem').read),
    :SSLCACertificateFile => '/Users/cai.cer'
}