
Rails/Ubuntu: SSLv3 read server certificate B: certificate verify failed

Two days ago, I started seeing this error on the production server of my app (on staging everything works fine). I found a lot of topics here on SO, but none of them solved this issue for me.

Here's the piece of code that's causing this error message:

  @client = Savon.client(wsdl: wsdl_url)
  #@client = Savon.client(wsdl: wsdl_url, ssl_verify_mode: :none) # this solves the problem, but I don't want to skip the verification

On SO, I also found that a possible solution might be to create an initializer file and put the following in it:

require 'open-uri'
require 'net/https'

module Net
  class HTTP
    # keep the original setter so it can still be called after our settings are applied
    alias_method :original_use_ssl=, :use_ssl=

    def use_ssl=(flag)
      #self.ca_path = Rails.root.join('lib/ca-bundle.crt').to_s
      self.ssl_version = :TLSv1_2 # added: force TLS 1.2 instead of letting OpenSSL negotiate
      self.ca_file = '/etc/ssl/certs/ca-certificates.crt' # the file exists (Ubuntu system CA bundle)
      self.verify_mode = OpenSSL::SSL::VERIFY_PEER # keep peer certificate verification on
      self.original_use_ssl = flag
    end
  end
end

But this, unfortunately, didn't solve the error. I also tried reinstalling the certificates on the production Ubuntu (14.04) server:

sudo apt-get install openssl ca-certificates

The package has been upgraded, but the error is unfortunately still here.

Any tips on what else I could do to get rid of the error?

EDIT: How or where should I start debugging?

I also started getting this error a few days ago.

Removing geocoder fixed the issue.

Per Heroku support, sometimes these errors occur when an external provider changes their SSL configuration.

Reply to comment:

Nothing in the logs specifically said geocoder, but I saw in my error reports (via the exception notifier gem) that the app crashed, with this error, on lines making a request to geocoder.

I also had a callback on the users model, and noticed the app crashed anytime a user was saved/updated.

Lucky guess I suppose.

Run openssl s_client -showcerts -connect server_you_are_connecting_to.com:443 and examine the certificate. After this you should find yourself in one of the following situations:

  1. The certificate is valid (has a valid expiry date and common name), but it is signed by a certificate authority (CA) that isn't trusted by your system. If that's the case, you would need to add the CA's certificate to the trusted store or update the ca-bundle package on your system.

  2. The certificate is invalid (is expired or has the wrong common name). If disabling peer SSL certificate verification isn't an option for you, then you can implement your own certificate verification callback, for example as described here -- in this case the code wouldn't rely on the system's trusted store, but rather check that the peer server uses a specific certificate.

Hope this helps.
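The two situations in the answer above, reproduced offline in Ruby's OpenSSL bindings. This is an added example, not code from the question or the answerer: it builds a throwaway CA and leaf certificate in memory (constructed test data, not real certificates), shows the "certificate verify failed" result you get when the issuing CA is missing from the trust store and the success once the CA is added (situation 1), checks the hostname against the certificate's subjectAltName, and implements the pinning-style verify callback from situation 2 in the shape that Net::HTTP#verify_callback= and OpenSSL::SSL::SSLContext#verify_callback= expect. The names make_cert, verify_with_store, spki_sha256, pinning_callback, pin_verify and hostname_matches? are this example's own.

```ruby
require 'openssl'

# Build an X.509 v3 certificate in memory (constructed test data, not a real
# cert). Pass issuer: [ca_cert, ca_key] to get a CA-signed leaf; omit it for a
# self-signed CA. Returns [certificate, private_key].
def make_cert(subject, issuer: nil, ca: false, san: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  issuer_cert, issuer_key = issuer
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                  # v3 (zero-based)
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectAltName', san, false)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Situation 1: chain validation against a trust store. With the issuing CA
# absent this fails exactly like the Rails error in the question; adding the
# CA's certificate to the store (the ca-certificates bundle on Ubuntu) fixes it.
# Returns [ok, error_string].
def verify_with_store(leaf, trusted_cas, chain = nil)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, chain)
  [ok, store.error_string]
end

# Hostname check (the "wrong common name" half of situation 2). OpenSSL's chain
# verification does not check the hostname; Net::HTTP does this separately.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# SHA-256 over the SubjectPublicKeyInfo, the usual pin format: it survives a
# certificate renewal as long as the server keeps the same key pair.
def spki_sha256(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.public_key.to_der)
end

# Situation 2: a verify callback that ignores the trust store and accepts the
# peer only if its leaf key matches the pin. Same |preverify_ok, store_ctx|
# signature as Net::HTTP#verify_callback= (use it with verify_mode VERIFY_PEER).
def pinning_callback(expected_spki_sha256)
  proc do |preverify_ok, ctx|
    cert = ctx.current_cert
    next preverify_ok if cert.nil?
    if ctx.error_depth.zero?
      # Leaf: the pin decides, regardless of expiry or chain status.
      spki_sha256(cert) == expected_spki_sha256
    else
      # Issuers above the leaf are irrelevant once the leaf key is pinned, so
      # "untrusted CA" / "self signed certificate in chain" errors pass here.
      true
    end
  end
end

def pin_verify(leaf, chain, pin)
  store = OpenSSL::X509::Store.new            # deliberately empty: no CAs
  store.verify_callback = pinning_callback(pin)
  store.verify(leaf, chain)
end

if $PROGRAM_NAME == __FILE__
  ca, ca_key = make_cert('/CN=Constructed Test CA/O=Example', ca: true)
  leaf, = make_cert('/CN=api.example.test', issuer: [ca, ca_key], san: 'DNS:api.example.test')
  p verify_with_store(leaf, [])              # [false, "unable to get local issuer certificate"]
  p verify_with_store(leaf, [ca])            # [true, "ok"]
  p hostname_matches?(leaf, 'api.example.test')
  p pin_verify(leaf, [ca], spki_sha256(leaf)) # true: pinned key, untrusted CA
  p pin_verify(leaf, [ca], spki_sha256(ca))   # false: wrong key
end
```

The pinning callback is the sharper tool: it replaces the trust store, so rotate the pin whenever the provider changes its key, or the app breaks on the next renewal exactly as it did here when the provider changed its certificate chain.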
