OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
There are a ton of posts about this. I have looked at so many of them. Zero of the fixes seem to work.
(main)> PayPal::SDK::Subscriptions::Plan.all
Request[post]: https://api.sandbox.paypal.com/v1/oauth2/token
Request.body=grant_type=client_credentials request.header={"User-Agent"=>"PayPalSDK/PayPal-Subscriptions-Ruby-SDK 0.3.1 (paypal-sdk-core 1.7.4; ruby 2.6.6p146-x86_64-linux;OpenSSL 1.1.1d 10 Sep 2019)", "Content-Type"=>"application/x-www-form-urlencoded", "Authorization"=>"Basic xxx"}
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
from /usr/local/lib/ruby/2.6.0/net/protocol.rb:44:in `connect_nonblock'
I have tried rvm 2.6.6, 2.7.0, and Debian Buster system ruby.
I followed all of these: https://bundler.io/v2.0/guides/rubygems_tls_ssl_troubleshooting_guide.html#troubleshooting-certificate-errors
I ran the automated SSL check and everything is roses: https://bundler.io/v2.0/guides/rubygems_tls_ssl_troubleshooting_guide.html#automated-ssl-check
root@19ab47f15632:/usr/src/app# curl -Lks 'https://git.io/rg-ssl' | ruby
Here's your Ruby and OpenSSL environment:
Ruby: 2.6.6p146 (2020-03-31 revision 67876) [x86_64-linux]
RubyGems: 3.0.3
Bundler: 2.1.2
Compiled with: OpenSSL 1.1.1d 10 Sep 2019
Loaded version: OpenSSL 1.1.1d 10 Sep 2019
SSL_CERT_FILE: /usr/lib/ssl/cert.pem
SSL_CERT_DIR: /usr/lib/ssl/certs
With that out of the way, let's see if you can connect to rubygems.org...
Bundler connection to rubygems.org: success ✅
RubyGems connection to rubygems.org: success ✅
Ruby net/http connection to rubygems.org: success ✅
Hooray! This Ruby can connect to rubygems.org. You are all set to use Bundler and RubyGems. 👌
I tried gem update --system, bundler is updated.
I tried curling the new CA to the location of ruby's default SSL file:
curl -fsSL curl.haxx.se/ca/cacert.pem -o "$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE')"
I checked that my system's time was accurate (it's accurate to UTC).
I have no earthly idea what to do from here. The PayPal SDK subscription gem is using net/http under the covers because it relies on the core PayPal SDK gem. I tried increasing the loglevel to DEBUG but it prints out no additional details as it appears to fail in the same exact place, and I can't figure out where that failure actually is.
I'm at a loss. Short of disabling SSL verification, I don't know what to do. Is there some way to get more traceback / more error here to troubleshoot further? Using net/http directly against the PayPal API works fine (no SSL error). So it's something that happens after the initial request.
It's possible to fix this by using the server's own CA file. Try setting ssl_options: { ca_file: nil }. This causes the paypal.crt CA file bundled with the paypal-sdk gem to be ignored.
PayPal::SDK.configure(
  mode: ...,
  client_id: ...,
  client_secret: ...,
  # Deliberately set ca_file to nil so the system's Cert Authority is used,
  # instead of the bundled paypal.crt file which is out-of-date due to:
  # https://www.paypal.com/va/smarthelp/article/discontinue-use-of-verisign-g5-root-certificates-ts2240
  ssl_options: { ca_file: nil }
)
In config/paypal.yml or wherever your config file is located:
ssl_options:
  ca_file: null
I'm leaving this here, but the answer by RidingRails is what I consider "correct". It is the proper solution to dealing with this longer-term, although the real solution is to move to PayPal's newer gem.
My answer below is to help you quickly get PayPal working again without having to push out an update to your code.
This is really ugly, as PayPal packages the certs with their gem. To get up and running, you need to find the gem in your bundle and specifically find the file "paypal.crt". At the end, you need to add the two certificates that are missing. I am not going to copy/paste them here, but they are easily found. Actually, they were already on my Ubuntu system in /etc/ssl/certs:
DigiCert_Global_Root_G2.pem
DigiCert_High_Assurance_EV_Root_CA.pem
PayPal provides links here: https://www.paypal.com/va/smarthelp/article/discontinue-use-of-verisign-g5-root-certificates-ts2240
Steps to fix:
Find the paypal.crt file in the version of the gem that you are using. Here's what that looked like for me:
cd app/production/shared/bundle
find . -name paypal.crt
At this point, I had a file in version 1.7.3 and 1.7.4 of the gem. I'm using the 1.7.4 version, so I edited that file.
Add those two certificates to the bottom. You should put the name of the certificate on a line, a line with "=" repeated to make a nice separator, and then the entire certificate including the BEGIN and END lines.
Restart your application.
This is not a long-term solution but will get you back running quickly. Long term - upgrade to the new gem.
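To see what "unable to get local issuer certificate" actually means for the two fixes above (RidingRails' ca_file: nil and Michael's appending of the missing roots to paypal.crt), here is an added Ruby example that is not from the question, the answers or the PayPal gem. It builds a constructed root and leaf, verifies the leaf against a bundle that lacks the root and against one with the root appended, and lists the subjects in a bundle the way you would inspect paypal.crt; every certificate name in it is a constructed stand-in, not real PayPal or DigiCert material.

```ruby
require "openssl"

# Constructed, throwaway CA hierarchy so the example runs offline: a root that an
# old bundle knows and a newer root it does not, standing in for the DigiCert
# roots missing from the gem's paypal.crt. Not real PayPal or DigiCert material.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # X.509 v3, so basicConstraints is honoured
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Split a PEM bundle such as the gem's paypal.crt into its certificates; mapping
# over subject.to_s shows which roots the file really carries.
def split_bundle(pem_bundle)
  pem_bundle.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
            .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Verify a server leaf against a store built only from the bundle, as net/http
# does with ca_file. Returns [ok, reason] so the OpenSSL reason is visible.
def verify_against(pem_bundle, leaf)
  store = OpenSSL::X509::Store.new
  split_bundle(pem_bundle).each { |c| store.add_cert(c) }
  ok = store.verify(leaf)
  [ok, ok ? "ok" : store.error_string]
end

def demo
  old_key, new_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  old_root = make_cert("/CN=Old Root (constructed)", old_key, ca: true)
  new_root = make_cert("/CN=New Root (constructed)", new_key, ca: true)
  leaf = make_cert("/CN=api.sandbox.paypal.com", leaf_key, issuer: new_root, issuer_key: new_key)
  stale = old_root.to_pem                  # like the bundled paypal.crt before the rotation
  patched = stale + new_root.to_pem        # like paypal.crt with the missing root appended
  { stale: verify_against(stale, leaf),
    patched: verify_against(patched, leaf),
    subjects: split_bundle(patched).map { |c| c.subject.to_s } }
end
```

Against the real file, split_bundle(File.read(path)).map { |c| c.subject.to_s } lists what your paypal.crt carries, and the stale case reproduces the exact verify error from the question.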
Here is what we ended up doing on my team.
We added the 2 certs that Michael mentioned in config/api.paypal.com.crt
Then in paypal.yml
ssl_options:
  ca_file: config/api.paypal.com.crt
We left the Gem as is. Initially we tore through the gem looking for answers but ultimately we left the gem as is and added the crt and updated yaml as shown above.
If you don't use PayPal::SDK.configure, in paypal.yml add:
ssl_options:
  ca_file: null
As PayPal has changed TLS, the easiest (fastest) way was to resolve it with a monkey patch. This patch says to use all default settings:
module PayPal::SDK::Core
  module Util
    module HTTPHelper
      def configure_ssl(http)
        http.tap do |https|
          https.use_ssl = true
          https.verify_mode = OpenSSL::SSL::VERIFY_PEER
          add_certificate(https)
        end
      end
    end
  end
end
A similar but slightly less invasive solution than @kritik:
module PayPal::SDK::Core::Util::HTTPHelper
  def default_ca_file
    nil # packaged CA file was out of date, use the system file
  end
end
This still allows you to change other SSL settings in initializers and only removes the default CA file.
You want to create a file in config/initializers and put the above code in it.