OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I used RVM to install Ruby 1.9.3 on Ubuntu 12.04 by doing:
rvm pkg install openssl
rvm install 1.9.3 --with-openssl-dir=$rvm_path/usr
And then when I try to run something along the lines of:
require 'open-uri'
open('https://www.google.com/')
I get the error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
How do I solve this? I have many similar threads where people have this problem in OSX, but how do I resolve it in Ubuntu?
Thanks for your help.

That sometimes happens if the default 'OpenSSL directory' is not set correctly with the native OpenSSL library. open-uri uses OpenSSL::X509::Store#set_default_paths in order to tell OpenSSL to look in the OpenSSL directory for the file that contains the trusted root certificates that OpenSSL trusts by default.
In your case, this lookup fails. You can make it succeed by setting an environment variable that overrides the default setting and tells OpenSSL to look in that directory instead:
export SSL_CERT_FILE=/etc/pki/tls/cert.pem
That's the default location for the root CA bundle on my Fedora 16 64 bit; other popular locations are /etc/ssl/ca-bundle.crt etc. In your case, the OpenSSL library used by RVM is located in $rvm_path/usr, so you should look around there for a suitable candidate for the default root CA file. After the environment variable is set correctly, the call to open-uri will succeed.
To make the environment variable permanent, use the usual ways such as defining the export in .bashrc, /etc/profile or whatever fits best in your situation.

The cacert.pem file is missing from rvm installed openssl.
$ cd $rvm_path/usr/ssl
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
$ sudo mv cacert.pem cert.pem

Add the 'certified' gem to your Gemfile.
More info: https://rubygems.org/gems/certified

See http://jjinux.blogspot.nl/2012/02/ruby-working-around-ssl-errors-on-os-x.html as an alternative answer to your question. It should work for both Ubuntu and Mac OS X users and it doesn't require a change in the environment variables.
The solution from the above link:
# config/initializers/fix_ssl.rb
#
# Work around errors that look like:
#
# SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
require 'open-uri'
require 'net/https'

module Net
  class HTTP
    alias_method :original_use_ssl=, :use_ssl=

    # Point Net::HTTP at a known CA location before enabling TLS,
    # and keep peer verification switched on.
    def use_ssl=(flag)
      # Ubuntu
      if File.exist?('/etc/ssl/certs')
        self.ca_path = '/etc/ssl/certs'
      # MacPorts on OS X
      # You'll need to run: sudo port install curl-ca-bundle
      elsif File.exist?('/opt/local/share/curl/curl-ca-bundle.crt')
        self.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'
      end
      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
      self.original_use_ssl = flag
    end
  end
end

This did now work for me. Things started working when I ran "brew doctor", which led me to clues like "unset SSL_CERT_DIR"

Hit this error on a virtual machine after a long period (1 week) without use. Updating my system clock fixed the issue immediately.
If you're running ntpd then ntpdate -b -u pool.ntp.org will do that for you.
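
The two causes raised in the answers above, a trust store that contains no root certificates and a wrong system clock, reproduced offline as an added example (not code from any of the posts). The CA and server certificates are constructed in-process, and `make_cert` and `verify_result` are hypothetical helper names.

```ruby
require 'openssl'

# Constructed test certificates, generated in-process; issuer_cert=nil means a self-signed CA.
def make_cert(cn, key, issuer_cert, issuer_key, not_before, not_after)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = issuer_cert ? 2 : 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  unless issuer_cert
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Verify `leaf` against a store holding only `roots`, with the clock set to `at`.
# Returns [ok, error_code, error_string].
def verify_result(leaf, roots, at)
  store = OpenSSL::X509::Store.new # starts empty, like a lookup that finds no CA bundle
  roots.each { |c| store.add_cert(c) }
  store.time = at
  ok = store.verify(leaf)
  [ok, store.error, store.error_string]
end

NOW = Time.now
DAY = 86_400
CA_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
CA = make_cert('Constructed Test CA', CA_KEY, nil, CA_KEY, NOW - 3600, NOW + 30 * DAY)
LEAF = make_cert('www.example.test', LEAF_KEY, CA, CA_KEY, NOW - 3600, NOW + 7 * DAY)

if __FILE__ == $PROGRAM_NAME
  # Where this Ruby's OpenSSL looks by default, and any environment overrides in effect.
  puts "default file: #{OpenSSL::X509::DEFAULT_CERT_FILE} (SSL_CERT_FILE=#{ENV['SSL_CERT_FILE'].inspect})"
  puts "default dir:  #{OpenSSL::X509::DEFAULT_CERT_DIR} (SSL_CERT_DIR=#{ENV['SSL_CERT_DIR'].inspect})"
  { 'no roots in store' => [[], NOW], 'CA trusted' => [[CA], NOW],
    'clock a day behind' => [[CA], NOW - DAY], 'clock two weeks ahead' => [[CA], NOW + 14 * DAY]
  }.each { |label, (roots, at)| puts "#{label}: #{verify_result(LEAF, roots, at).inspect}" }
end
```

All three failing cases surface through open-uri as the same "certificate verify failed" message; the error string returned here is what tells a missing CA bundle apart from clock skew.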