[英]SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
I am using Authlogic-Connect for third party logins.我正在使用Authlogic-Connect进行第三方登录。 After running appropriate migrations, Twitter/Google/yahoo logins seem to work fine but the facebook login throws exception:
运行适当的迁移后,Twitter/Google/yahoo 登录似乎工作正常,但 facebook 登录引发异常:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The dev log shows开发日志显示
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
app/controllers/users_controller.rb:37:in `update'
Please suggest..请建议..
I ran into a similar problem when trying to use the JQuery generator for Rails 3我在尝试使用 Rails 3 的 JQuery 生成器时遇到了类似的问题
I solved it like this:我是这样解决的:
Get the CURL Certificate Authority (CA) bundle.获取 CURL 证书颁发机构 (CA) 包。 You can do this with:
你可以这样做:
sudo port install curl-ca-bundle
[if you are using MacPorts] sudo port install curl-ca-bundle
[如果你使用的是 MacPorts]wget http://curl.haxx.se/ca/cacert.pem
wget http://curl.haxx.se/ca/cacert.pem
Execute the ruby code that is trying to verify the SSL certification: SSL_CERT_FILE=/opt/local/etc/certs/cacert.pem rails generate jquery:install
.执行试图验证 SSL 证书的 ruby 代码:
SSL_CERT_FILE=/opt/local/etc/certs/cacert.pem rails generate jquery:install
。 In your case, you want to either set this as an environment variable somewhere the server picks it up or add something like ENV['SSL_CERT_FILE'] = /path/to/your/new/cacert.pem
in your environment.rb file.在您的情况下,您希望将其设置为服务器在某处获取它的环境变量,或者在您的 environment.rb 文件中添加类似
ENV['SSL_CERT_FILE'] = /path/to/your/new/cacert.pem
。
You can also just install the CA files (I haven't tried this) to the OS -- there are lengthy instructions here -- this should work in a similar fashion, but I have not tried this personally.你也可以在CA文件(我没有试过)安装到操作系统-有冗长的说明在这里-这应该以类似的方式工作,但我还没有尝试过这种个人。
Basically, the issue you are hitting is that some web service is responding with a certificate signed against a CA that OpenSSL cannot verify.基本上,您遇到的问题是某些 Web 服务正在使用针对 OpenSSL 无法验证的 CA 签名的证书进行响应。
If you're using RVM on OS X, you probably need to run this:如果你在 OS X 上使用 RVM,你可能需要运行这个:
rvm osx-ssl-certs update all
More information here: http://rvm.io/support/fixing-broken-ssl-certificates更多信息: http : //rvm.io/support/fixing-broken-ssl-certificates
And here is the full explanation: https://github.com/wayneeseguin/rvm/blob/master/help/osx-ssl-certs.md这是完整的解释: https : //github.com/wayneeseguin/rvm/blob/master/help/osx-ssl-certs.md
On Ruby 2.2, you may have to reinstall Ruby from source to fix this.在 Ruby 2.2 上,您可能必须从源代码重新安装 Ruby 才能解决此问题。 Here's how (replace
2.2.3
with your Ruby version):方法如下(用您的 Ruby 版本替换
2.2.3
):
rvm reinstall 2.2.3 --disable-binary
Credit to https://stackoverflow.com/a/32363597/4353 and Ian Connor .归功于https://stackoverflow.com/a/32363597/4353和Ian Connor 。
Here's how you can fix it on Windows: https://gist.github.com/867550 (created by Fletcher Nichol)以下是在 Windows 上修复它的方法: https : //gist.github.com/867550 (由 Fletcher Nichol 创建)
Excerpt:摘抄:
The Manual Way (Boring)
手动方式(无聊)
Download the
cacert.pem
file from http://curl.haxx.se/ca/cacert.pem .从http://curl.haxx.se/ca/cacert.pem下载
cacert.pem
文件。 Save this file toC:\\RailsInstaller\\cacert.pem
.将此文件保存到
C:\\RailsInstaller\\cacert.pem
。Now make ruby aware of your certificate authority bundle by setting
SSL_CERT_FILE
.现在通过设置
SSL_CERT_FILE
使 ruby 知道您的证书颁发机构包。 To set this in your current command prompt session, type:要在当前的命令提示符会话中进行设置,请键入:
set SSL_CERT_FILE=C:\\RailsInstaller\\cacert.pem
To make this a permanent setting, add this in your control panel .
要使其成为永久设置,请将其添加到您的控制面板中。
Ruby can't find any root certificates to trust. Ruby 找不到任何可信任的根证书。
Take a look at this blog post for a solution: " Ruby 1.9 and the SSL error ".请查看此博客文章以获取解决方案:“ Ruby 1.9 和 SSL 错误”。
The solution is to install the
curl-ca-bundle
port which contains the same root certificates used by Firefox:解决方案是安装
curl-ca-bundle
端口,其中包含与 Firefox 使用的相同的根证书:sudo port install curl-ca-bundle
and tell your
https
object to use it:并告诉您的
https
对象使用它:https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'
Note that if you want your code to run on Ubuntu, you need to set the
ca_path
attribute instead, with the default certificates location/etc/ssl/certs
.请注意,如果您希望代码在 Ubuntu 上运行,则需要使用默认证书位置
/etc/ssl/certs
来设置ca_path
属性。
The reason that you get this error on OSX is the rvm-installed ruby.在 OSX 上出现此错误的原因是 rvm 安装的 ruby。
If you run into this issue on OSX you can find a really broad explanation of it in this blog post:如果你在 OSX 上遇到这个问题,你可以在这篇博文中找到一个非常广泛的解释:
http://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html http://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html
The short version is that, for some versions of Ruby, RVM downloads pre-compiled binaries, which look for certificates in the wrong location.简而言之,对于某些 Ruby 版本,RVM 下载预编译的二进制文件,它们会在错误的位置查找证书。 By forcing RVM to download the source and compile on your own machine, you ensure that the configuration for the certificate location is correct.
通过强制 RVM 下载源代码并在您自己的机器上编译,您可以确保证书位置的配置正确。
The command to do this is:执行此操作的命令是:
rvm install 2.2.0 --disable-binary
if you already have the version in question, you can re-install it with:如果您已经有了有问题的版本,您可以使用以下命令重新安装它:
rvm reinstall 2.2.0 --disable-binary
(obviously, substitute your ruby version as needed). (显然,根据需要替换您的 ruby 版本)。
The issue is that ruby can not find a root certificate to trust.问题是 ruby 找不到要信任的根证书。 As of 1.9 ruby checks this.
从 1.9 开始,ruby 会检查这一点。 You will need to make sure that you have the curl certificate on your system in the form of a pem file.
您需要确保系统上有 pem 文件形式的 curl 证书。 You will also need to make sure that the certificate is in the location that ruby expects it to be.
您还需要确保证书位于 ruby 期望的位置。 You can get this certificate at...
您可以在...
http://curl.haxx.se/ca/cacert.pem
If your a RVM and OSX user then your certificate file location will vary based on what version of ruby your using.如果您是 RVM 和 OSX 用户,那么您的证书文件位置将根据您使用的 ruby 版本而有所不同。 Setting the path explicitly with :ca_path is a BAD idea as your code will not be portable when it gets to production.
使用 :ca_path 显式设置路径是一个坏主意,因为您的代码在投入生产时将不可移植。 There for you want to provide ruby with a certificate in the default location(and assume your dev ops guys know what they are doing).
因为您想在默认位置为 ruby 提供证书(并假设您的开发人员知道他们在做什么)。 You can use dtruss to work out where the system is looking for the certificate file.
您可以使用 dtruss 找出系统正在寻找证书文件的位置。
In my case the system was looking for the cert file in在我的情况下,系统正在寻找证书文件
/Users/stewart.matheson/.rvm/usr/ssl/cert.pem
however MACOSX system would expect a certificate in但是 MACOSX 系统需要一个证书
/System/Library/OpenSSL/cert.pem
I copied the downloaded cert to this path and it worked.我将下载的证书复制到此路径并且它起作用了。 HTH
HTH
The new certified gem is designed to fix this:新认证的 gem 旨在解决这个问题:
https://github.com/stevegraham/certified https://github.com/stevegraham/certified
Just add gem 'certified' in your gemfile and run bundle install.只需在您的 gemfile 中添加 gem 'certified' 并运行 bundle install。
On Mac OS X Lion with the latest macport:在装有最新 macport 的 Mac OS X Lion 上:
sudo port install curl-ca-bundle
export SSL_CERT_FILE=/opt/local/share/curl/curl-ca-bundle.crt
Then, rerun the failed job.然后,重新运行失败的作业。
Note, the cert file location seems to have changed since Eric G answered on May 12.请注意,自 Eric G 于 5 月 12 日回答以来,证书文件位置似乎已更改。
A one liner fixes it for Windows in an Admin prompt一个班轮在管理员提示中为 Windows 修复它
choco install wget
(first see chocolatey.org ) choco install wget
(首先参见Chocolatey.org )
wget http://curl.haxx.se/ca/cacert.pem -O C:\cacert.pem && setx /M SSL_CERT_FILE "C:\cacert.pem"
Or just do this:或者只是这样做:
gem sources -r https://rubygems.org/
gem sources -a http://rubygems.org/
Milanio's method: Milanio的方法:
gem sources -r https://rubygems.org
gem sources -a http://rubygems.org
gem update --system
gem sources -r http://rubygems.org
gem sources -a https://rubygems.org
gem install [NAME_OF_GEM]
Well this worked for me嗯,这对我有用
rvm pkg install openssl
rvm reinstall 1.9.2 --with-openssl-dir=$rvm_path/usr
Something is wrong with openssl implementation of my ubuntu 12.04我的 ubuntu 12.04 的 openssl 实现有问题
Here's another option for debugging purposes.这是用于调试目的的另一个选项。
Be sure never to use this in any production environment, as it will negate benefits of using SSL in the first place.一定不要在任何生产环境中使用它,因为它首先会抵消使用 SSL 的好处。 It is only ever valid to do this in your local development environment.
仅在您的本地开发环境中执行此操作才有效。
require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
While knowing it's rather a lame solution, I'm still sharing this because it seems like very few people answering here use Windows , and I think some of Windows users (me included) would appreciate a simple and intuitive approach.虽然知道这是一个相当蹩脚的解决方案,但我仍然分享这个,因为似乎很少有人在这里回答使用Windows ,而且我认为一些 Windows 用户(包括我在内)会喜欢一种简单而直观的方法。
require 'openssl'
puts OpenSSL::X509::DEFAULT_CERT_FILE
That tells where your openssl is looking for the cert file.这会告诉您的 openssl 在哪里寻找证书文件。 My name is not Luis, but mine was
C:/Users/Luis/Code/luislavena/knap-build/var/knapsack/software/x86-windows/openssl/1.0.0l/ssl/cert.pem
.我的名字不是 Luis,但我的是
C:/Users/Luis/Code/luislavena/knap-build/var/knapsack/software/x86-windows/openssl/1.0.0l/ssl/cert.pem
。 The path may be different depending on each own environments (eg openknapsack
instead of luislavena
).路径可能因每个环境而
luislavena
(例如openknapsack
而不是luislavena
)。
The path didn't change even after set SSL_CERT_FILE=C:\\foo\\bar\\baz\\cert.pem
via the console, so... I created the directory C:\\Users\\Luis\\Code\\luislavena\\knap-build\\var\\knapsack\\software\\x86-windows\\openssl\\1.0.0l\\ssl
in my local disk and put a cert file into it.即使在通过控制台
set SSL_CERT_FILE=C:\\foo\\bar\\baz\\cert.pem
后,路径也没有改变,所以......我创建了目录C:\\Users\\Luis\\Code\\luislavena\\knap-build\\var\\knapsack\\software\\x86-windows\\openssl\\1.0.0l\\ssl
在我的本地磁盘中并将证书文件放入其中。
Lame as it is, this will surely work.跛脚,这肯定会奏效。
I've try install curl-ca-bundle
with brew
, but the package is no available more:我尝试使用
brew
安装curl-ca-bundle
,但该软件包不再可用:
$ brew install curl-ca-bundle
Error: No available formula for curl-ca-bundle
Searching formulae...
Searching taps...
The solution that worked to me on Mac was:在 Mac 上对我有用的解决方案是:
$ cd /usr/local/etc/openssl/certs/
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
Add this line in your ~/.bash_profile
(or ~/.zshrc
for zsh):在你的
~/.bash_profile
(或~/.zshrc
for zsh)中添加这一行:
export SSL_CERT_FILE=/usr/local/etc/openssl/certs/cacert.pem
Then update your terminal:然后更新您的终端:
$ source ~/.bash_profile
I had this same issue while working on a Ruby project.我在处理 Ruby 项目时遇到了同样的问题。 I am using Windows 7 64bit.
我正在使用 Windows 7 64 位。
I resolved this by:我通过以下方式解决了这个问题:
source: https://gist.github.com/fnichol/867550来源: https : //gist.github.com/fnichol/867550
The most straightforward answer which worked for me was this对我有用的最直接的答案是这个
sudo apt-get install openssl ca-certificates
And voila!!!瞧!!!
OS X 10.8.x with Homebrew:带有 Homebrew 的 OS X 10.8.x:
brew install curl-ca-bundle
brew list curl-ca-bundle
cp /usr/local/Cellar/curl-ca-bundle/1.87/share/ca-bundle.crt /usr/local/etc/openssl/cert.pem
This worked for me.这对我有用。 If you using rvm and brew:
如果您使用 rvm 和 brew:
rvm remove 1.9.3
brew install openssl
rvm install 1.9.3 --with-openssl-dir=`brew --prefix openssl`
I ran into this issue and the suggested fix of rvm osx-ssl-certs update all
did not work despite that I am an RVM user on OSX.我遇到了这个问题,尽管我是 OSX 上的 RVM 用户,但建议的
rvm osx-ssl-certs update all
不起作用。
The fix that worked for me was re-installing the latest version of openssl:对我有用的修复是重新安装最新版本的 openssl:
brew update
brew remove openssl
brew install openssl
If you are running your rails app locally then just add this line at the bottom of application.rb.如果你在本地运行你的 rails 应用程序,那么只需在 application.rb 的底部添加这一行。
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
After this you can use the app without any issues.在此之后,您可以毫无问题地使用该应用程序。 You may call it a hack but it is not recommended.
您可以称其为黑客,但不建议这样做。 Use only when you need to run locally
仅在需要在本地运行时使用
Then, as this blog post suggests,然后,正如这篇博文所暗示的那样,
" How to Cure Net::HTTP's Risky Default HTTPS Behavior " " 如何解决 Net::HTTP 默认的有风险的 HTTPS 行为"
you might want to install the always_verify_ssl_certificates
gem that allow you to set a default value for ca_file
.您可能想要安装
always_verify_ssl_certificates
gem,它允许您为ca_file
设置默认值。
OSX solution: OSX 解决方案:
install latest rvm stable version安装最新的rvm稳定版本
rvm get stable
use rvm command to solve the certificates automatically使用 rvm 命令自动解决证书问题
rvm osx-ssl-certs update all
If you have a symbolic link in the /usr/local/etc/openssl pointing to cert.pem try to do this:如果 /usr/local/etc/openssl 中有指向 cert.pem 的符号链接,请尝试执行以下操作:
ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE" (should be /usr/local/etc/openssl)
cd /usr/local/etc/openssl
wget http://curl.haxx.se/ca/cacert.pem
ln -s cacert.pem 77ee3751.0 (77ee3751.0 is my symbolic link, should depend on the openssl version)
What worked for me is a combination of answers, namely:对我有用的是答案的组合,即:
# Reinstall OpenSSL
brew update
brew remove openssl
brew install openssl
# Download CURL CA bundle
cd /usr/local/etc/openssl/certs
wget http://curl.haxx.se/ca/cacert.pem
/usr/local/opt/openssl/bin/c_rehash
# Reinstall Ruby from source
rvm reinstall 2.2.3 --disable-binary
Here's what I did that helped if you are specifically having a problem on Leopard.如果您在 Leopard 上遇到特殊问题,以下是我所做的帮助。
My cert was old and needed to be updated.我的证书很旧,需要更新。 I downloaded this:
我下载了这个:
http://curl.haxx.se/ca/cacert.pem http://curl.haxx.se/ca/cacert.pem
Then replaced my cert which was found here on Leopard:然后替换了我在 Leopard 上找到的证书:
/usr/share/curl/curl-ca-bundle.crt
Reload whatever you have that's accessing it and you should be good to go!重新加载您访问它的任何内容,您应该很高兴!
Just because instructions were a slight bit different for what worked for me, I thought I add my 2 cents:仅仅因为说明对我有用的东西略有不同,我想我加了 2 美分:
I'm on OS X Lion and using macports and rvm我在 OS X Lion 上使用 macports 和 rvm
I installed curl-ca-bundle:我安装了 curl-ca-bundle:
sudo port install curl-ca-bundle
Then I adjusted my omniauth config to be this:然后我将我的 omniauth 配置调整为:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :google_oauth2, APP_CONFIG['CONSUMER_KEY'], APP_CONFIG['CONSUMER_SECRET'],
:scope => 'https://www.google.com/m8/feeds https://www.googleapis.com/auth/userinfo.profile',
:ssl => {:ca_path => "/share/curl/curl-ca-bundle.crt"}
end
Sometime it's not always rvm's problem in MAC OSX,if you remove .rvm,the problem still(espcially while you backup data from timemachine) ,you can try this way.有时在 MAC OSX 中并不总是 rvm 的问题,如果您删除 .rvm,问题仍然存在(尤其是从 timemachine 备份数据时),您可以尝试这种方式。
1.brew update
2.brew install openssl
将gem 'certified', '~> 1.0'
到我的Gemfile
并运行bundle
为我解决了这个问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.