
How to deploy a Rails application with an internally signed SSL certificate (SSL_CERT_FILE and openssl related)

I have a few questions regarding deploying a Rails application with an SSL certificate.

Background:

  • Rails 3.2.16 / Ruby 1.9.3
  • SAN SSL certificate signed by internal Windows CA server
  • App deployed to Ubuntu 12.04 servers with Apache/Passenger

As per https://gist.github.com/fnichol/867550 , Windows clients using Ruby net/http do not trust the certificate on the Ubuntu servers. I assume this is because the SSL_CERT_FILE environment variable is not set (despite the fact the internal root certificates are installed on the Ubuntu servers and deployed to Windows clients by Group Policy?)

I want to be able to run the following code snippet from any client of my app (Windows or Ubuntu)

require 'net/http'
uri = URI.parse('https://ubuntu-server.internal.com/')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.start { |agent| agent.get(uri.path) }

  1. Should I bundle the internal CA root certificate (and intermediate certificate, and the rest of the CURL cert bundle) with the app and then set ENV['SSL_CERT_FILE'] in code?

  2. Should I include only the internal CA root certificate in the app and use an initializer to set up net/http before use? This seems to be the approach of the RubyInstaller https://github.com/oneclick/rubyinstaller/blob/master/rake/contrib/uri_ext.rb#L287-295 but I don't really know how I would go about coding this?

  3. Something else?

Option 2 seems the best to me so far, but as I say I don't know how I would go about setting

http.use_ssl = true
http.ca_file = "#{Rails.root}/config/internal-ca.crt"

in a Rails initializer.

Any help / advice would be greatly appreciated.

Thanks

So, with some further Googling I've come up with the following solution:

# /config/initializers/ssl.rb

require 'open-uri'
require 'net/https'

module Net
  class HTTP
    alias_method :original_use_ssl=, :use_ssl=

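    def use_ssl=(flag)
      # Start from the system trust store so public CAs keep working
      store = OpenSSL::X509::Store.new
      store.set_default_paths

      # Add the internal root and intermediate CA certificates shipped with the app
      store.add_cert(OpenSSL::X509::Certificate.new(File.read("#{Rails.root}/config/ssl/root.crt")))
      store.add_cert(OpenSSL::X509::Certificate.new(File.read("#{Rails.root}/config/ssl/intermediate.crt")))

      self.cert_store = store

      # Always verify the peer certificate, then hand over to the original setter
      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
      self.original_use_ssl = flag
    end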
  end
end

Sources

This seems to work for me, but I am open to other suggestions.
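
An added example, not part of the original post: the same trust store applied per connection instead of by patching Net::HTTP#use_ssl= globally, with a check that a server certificate only verifies once the internal root and intermediate are in the store. The helper names (internal_ca_store, https_client, issue, demo) are hypothetical, and the three certificates are constructed in memory; in the app the PEM strings would come from the config/ssl files used above.

```ruby
require 'net/http'
require 'openssl'

# Trust store = system defaults plus the internal CA certificates (PEM strings).
def internal_ca_store(pem_certs)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  pem_certs.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  store
end

# Per-connection client; Net::HTTP#use_ssl= is left unpatched.
def https_client(uri, store)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.cert_store = store
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http
end

# Constructed sample PKI helper: issues a short-lived certificate in memory.
def issue(cn, issuer_cert, issuer_key, ca)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  bc = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(bc.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Verify a constructed server certificate against both stores.
def demo
  root, root_key = issue('Constructed Root CA', nil, nil, true)
  inter, inter_key = issue('Constructed Intermediate CA', root, root_key, true)
  leaf, = issue('ubuntu-server.internal.com', inter, inter_key, false)
  { defaults_only: internal_ca_store([]).verify(leaf),
    with_internal: internal_ca_store([root.to_pem, inter.to_pem]).verify(leaf) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Building the store once and passing it to each client keeps VERIFY_PEER on without changing how other libraries in the process use Net::HTTP.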
