I have a few questions regarding deploying a Rails application with an SSL certificate.
Background:
As per https://gist.github.com/fnichol/867550 , Windows clients using Ruby net/http
do not trust the certificate on the Ubuntu servers. I assume this is because the SSL_CERT_FILE
environment variable is not set (despite the fact that the internal root certificates are installed on the Ubuntu servers and deployed to Windows clients by Group Policy..?)
I want to be able to run the following code snippet from any client of my app (Windows or Ubuntu)
require 'net/http'
uri = URI.parse('https://ubuntu-server.internal.com/')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.start { |agent| agent.get(uri.path) }
1. Should I bundle the internal CA root certificate (and intermediate certificate, and the rest of the cURL cert bundle) with the app and then set ENV['SSL_CERT_FILE'] in code?
2. Should I include only the internal CA root certificate in the app and use an initializer to set up net/http before use? This seems to be the approach of the RubyInstaller https://github.com/oneclick/rubyinstaller/blob/master/rake/contrib/uri_ext.rb#L287-295 but I don't really know how I would go about coding this?
3. Something else?
Option 2 seems the best to me so far, but as I say I don't know how I would go about setting
http.use_ssl = true
http.ca_file = "#{Rails.root}/config/internal-ca.crt"
in a Rails initializer.
Any help / advice would be greatly appreciated.
Thanks
So, with some further Googling I've come up with the following solution:
# /config/initializers/ssl.rb
require 'open-uri'
require 'net/https'

module Net
  class HTTP
    # Keep the original setter so it can still be called after the store is installed.
    alias_method :original_use_ssl=, :use_ssl=

    def use_ssl=(flag)
      # Start from the system/OpenSSL default trust paths, then add the internal chain.
      store = OpenSSL::X509::Store.new
      store.set_default_paths
      store.add_cert(OpenSSL::X509::Certificate.new(File.read("#{Rails.root}/config/ssl/root.crt")))
      store.add_cert(OpenSSL::X509::Certificate.new(File.read("#{Rails.root}/config/ssl/intermediate.crt")))
      self.cert_store = store
      # Verify the server certificate against that store instead of silently skipping verification.
      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
      self.original_use_ssl = flag
    end
  end
end
Sources
This seems to work for me, but I am open to other suggestions.
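The following is an added example, not the asker's code or part of the answer above. It shows why a client whose trust store lacks the internal root rejects the server certificate, and how a store built from set_default_paths plus that root (the same idea as the initializer above, but wrapped in a helper instead of monkey-patching Net::HTTP#use_ssl=) makes the same certificate verify with VERIFY_PEER. Rather than reading config/ssl/root.crt, it builds a throwaway root CA and server certificate in memory so it runs offline; the hostname ubuntu-server.internal.com and the helper names are assumptions for the demo.

```ruby
require 'openssl'
require 'net/http'

# Build an X.509 certificate for the demo PKI (constructed, not a real CA).
# issuer_cert/issuer_key are nil for a self-signed root.
def make_cert(subject, issuer_cert, issuer_key, key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
    cert.add_extension(ef.create_extension('subjectAltName', 'DNS:ubuntu-server.internal.com'))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Trust store = OS/OpenSSL default bundle (whatever it contains on this host)
# plus the internal root that bundle does not know about. In the Rails app this
# root would be loaded from a file such as config/ssl/root.crt (assumed path).
def internal_cert_store(root_cert)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store.add_cert(root_cert)
  store
end

# Chain validation as OpenSSL would perform it during the TLS handshake.
def trusted?(store, server_cert, chain = [])
  store.verify(server_cert, chain)
end

# The piece the question asks for: configure one Net::HTTP client with the
# internal store and VERIFY_PEER, without patching Net::HTTP globally.
def internal_http(uri_string, store)
  uri = URI.parse(uri_string)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http
end

# Constructed demo PKI: an internal root and a server certificate it signs.
ROOT_KEY    = OpenSSL::PKey::RSA.new(2048)
ROOT_CERT   = make_cert('/CN=Internal Root CA', nil, nil, ROOT_KEY, ca: true)
SERVER_KEY  = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = make_cert('/CN=ubuntu-server.internal.com', ROOT_CERT, ROOT_KEY, SERVER_KEY, ca: false)

DEFAULT_STORE  = OpenSSL::X509::Store.new.tap(&:set_default_paths)
INTERNAL_STORE = internal_cert_store(ROOT_CERT)

if __FILE__ == $0
  # Without the internal root the chain cannot be built ("unable to get local issuer").
  puts "default store trusts server cert:  #{trusted?(DEFAULT_STORE, SERVER_CERT)}"
  puts "internal store trusts server cert: #{trusted?(INTERNAL_STORE, SERVER_CERT)}"
  client = internal_http('https://ubuntu-server.internal.com/', INTERNAL_STORE)
  puts "client verify_mode is VERIFY_PEER: #{client.verify_mode == OpenSSL::SSL::VERIFY_PEER}"
end
```

In the app, internal_http (or an equivalent that reads the root from config/ssl/root.crt) can live in an initializer and be called wherever a client is built; an intermediate certificate is passed in the chain argument of store.verify, or added to the store as the answer does. Setting verify_mode explicitly matters: the point is that the client keeps verifying peers, only with a trust store that contains the internal root.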