certificate Error SSL_connect returned=1 errno=0 state=error: certificate verify failed

I am using a Ruby/Rails application which receives some information by REST/API from another Ruby/Rails app.

Second rails app has address like: https://railsapp2.domain.org (This is the authorized url which I am using in my first app)

But I get an error when the job runs on my first app.

Error is: SSL_connect returned=1 errno=0 state=error: certificate verify failed

And I believe the issue is because of this code in my app:

    def self.fetch(url)
      authorized_url = RemoteRequestBuilder.authorize_and_decorate!(url)

      RestClient.get(authorized_url, { accept: :json }) { |response, request, result, &block|
        raise SparcApiError unless response.code == 200

        @response = response
      }

      Yajl::Parser.parse @response
    end

I looked for some answers and found that I can use verify_ssl: false, but I don't know where to use it. Also, how can I make it work using verify_ssl: true?

I also installed the certified gem but it does not change anything in the output.

I am using CentOS 7.

EDIT

So I did this:

    RestClient::Resource.new(
      authorized_url,
      :ssl_client_cert  =>  OpenSSL::X509::Certificate.new(File.read("/etc/certs/mycert.pem")),
      :ssl_client_key   =>  OpenSSL::PKey::RSA.new(File.read("/etc/private/mykey.key")),
      :ssl_ca_file      =>  "/etc/certs/mycert.pem",
      :verify_ssl       =>  OpenSSL::SSL::VERIFY_PEER
    ).get(authorized_url, { accept: :json }) { |response, request, result, &block|
      raise SparcApiError unless response.code == 200

      @response = response
    }

And now it gives me the error wrong number of arguments in get.

| wrong number of arguments (2 for 0..1) /home/capistrano/opt/shared/bundle/ruby/2.1.0/gems/rest-client-2.0.2/lib/restclient/resource.rb:49:in `get'

So I removed the authorized_url argument from get and then it started giving me the error certificate verification failed.

So I put

    :verify_ssl       =>  OpenSSL::SSL::VERIFY_NONE

and now it's giving me the error: Connection reset by peer - SSL_connect

As per the documentation of Rest-Client gem

RestClient::Resource.new(
  'https://example.com',
  :ssl_client_cert  =>  OpenSSL::X509::Certificate.new(File.read("cert.pem")),
  :ssl_client_key   =>  OpenSSL::PKey::RSA.new(File.read("key.pem"), "passphrase, if any"),
  :ssl_ca_file      =>  "ca_certificate.pem",
  :verify_ssl       =>  OpenSSL::SSL::VERIFY_PEER
).get

can be used to specify the CA certificate and verify it. In case you do not want to verify it, change the verify_ssl key to OpenSSL::SSL::VERIFY_NONE.

As per the RestClient gem source code for RestClient.get() and RestClient::Resource.new(...).get, both these methods call Request.execute(). Therefore your arguments will remain the same, except you'll need to pass the authorized URL as the argument to .new. So your code will become like this:

my_client = RestClient::Resource.new(
  authorized_url,
  :ssl_client_cert  =>  OpenSSL::X509::Certificate.new(File.read("cert.pem")),
  :ssl_client_key   =>  OpenSSL::PKey::RSA.new(File.read("key.pem"), "passphrase, if any"),
  :ssl_ca_file      =>  "ca_certificate.pem",
  :verify_ssl       =>  OpenSSL::SSL::VERIFY_PEER
)

my_client.get({ accept: :json }) { |response, request, result, &block|
  raise SparcApiError unless response.code == 200

  @response = response
}

This way, you can re-use the my_client object to send GET/POST/PUT/PATCH/DELETE requests with the same SSL options and URL, e.g. my_client.post(...){...}

NOTE :

  1. Verifying the SSL certificate shouldn't be skipped in production. This should be used in dev/test environments only, otherwise you will be susceptible to man-in-the-middle attacks.
  2. If you trust the CA certificate then you should add it to your host's installed certificates bundle.
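
What `ssl_ca_file` has to contain for VERIFY_PEER to pass, shown as an added example (not code from the original post or from the rest-client project): the server certificate verifies against the CA that issued it, but not against a client certificate reused as the CA file, as in the question's edit. All certificates are generated in memory as constructed sample data; the names `Example Test CA` and `my-client` and the helpers `make_cert`, `verify_against` and `demo` are assumptions, and the chain check uses `OpenSSL::X509::Store` directly instead of going through RestClient.

```ruby
require "openssl"

# Build a throwaway certificate (constructed sample data, not a real CA).
# Self-signed unless issuer_cert/issuer_key are given.
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Chain check performed under VERIFY_PEER: does `cert` chain to a trusted cert?
# `trusted` plays the role of the certificates loaded from ssl_ca_file.
def verify_against(trusted, cert)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(cert)
  [ok, store.error_string]
end

def demo
  ca_key, srv_key, cli_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca     = make_cert("Example Test CA", ca_key, ca: true)
  server = make_cert("railsapp2.domain.org", srv_key, issuer_cert: ca, issuer_key: ca_key)
  client = make_cert("my-client", cli_key) # self-signed client certificate
  {
    issuing_ca:  verify_against([ca], server),     # CA that signed the server cert
    client_cert: verify_against([client], server), # client cert used as the CA file
    empty_store: verify_against([], server)        # no trust anchors at all
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, (ok, reason)| puts format("%-12s verified=%-5s %s", name, ok, reason) }
end
```

Only the `issuing_ca` case verifies; the other two fail the chain check, which the client reports as `certificate verify failed`.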
