I'm writing a little utility script that deals with some RESTful APIs over HTTPS using Ruby's Net::HTTP module on Windows. I consistently get this error:
C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `block in connect'
from C:/Ruby22-x64/lib/ruby/2.2.0/timeout.rb:74:in `timeout'
from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect'
from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:863:in `do_start'
from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:852:in `start'
from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:1375:in `request'
According to this post I'm missing the default CA Certs. I ran his "ssl doctor" script and it gave me this diagnostic:
C:\Users\Megaflux\Documents\GitHub\Github_Backup> ruby doctor.rb
C:/Ruby22-x64/bin/ruby (2.2.2-p95)
OpenSSL 1.0.1l 15 Jan 2015: C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""
HEAD https://status.github.com:443
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The server presented a certificate that could not be verified:
subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
error code 20: unable to get local issuer certificate
Possible causes:
`C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl/cert.pem' does not exist
`C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl/certs/' is empty
I'm fine downloading some root CA certificates and installing them at that directory, which isn't hard. But who is Justin? I don't have that user on my machine, and I'd rather not create those folders if I don't have to. Does anyone know how to change the default ssl certificate directory?
Many thanks.
Edit: For completeness, I'll throw the script that was generating the error down here
require 'open-uri'
open("https://www.google.com/") { |f|
  f.each_line { |line| p line }
}
RubyInstaller issue #153
OpenSSL::X509::DEFAULT_CERT_FILE with personal hardcoded path
The problem is that OpenSSL has hardcoded values. Search the closed issues and also the RubyInstaller group and you will see this happens from time to time.
OpenSSL needs to be fixed, but no patch to solve this issue has been proposed to OpenSSL itself. See oneclick/rubyinstaller#47
cert.pem is already provided by RubyGems and is included, please take a look here:
https://github.com/ruby/ruby/tree/ruby_2_0_0/lib/rubygems/ssl_certs
That is part of Ruby and thus, RubyInstaller release.
RubyGems is capable of installing gems from rubygems.org, however, like you pointed out in the Bundler issue, you need a list of other CAs so that connecting to the private/custom RubyGems server works.
For that you need to set the SSL_CERT_FILE environment variable pointing to the CA certs file. See oneclick/rubyinstaller#86 and oneclick/rubyinstaller#148
tl;dr: Justin is the person who compiled your OpenSSL binary.
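The fix described in the answer, as an added example (not code from the original post or from RubyInstaller): a Ruby check that reports which CA file OpenSSL will read, the compiled-in default or the one named by SSL_CERT_FILE, and whether it actually contains certificates, plus a Net::HTTP client that takes an explicit bundle while keeping verification on. The function names and any bundle path you pass in are assumptions.

```ruby
require 'openssl'
require 'net/http'

# Resolve the CA file the way OpenSSL does: SSL_CERT_FILE if the variable is
# set, otherwise the path compiled into the library (the "Justin" path above).
def effective_ca_file(env = ENV)
  env['SSL_CERT_FILE'] || OpenSSL::X509::DEFAULT_CERT_FILE
end

# Parse every PEM certificate in a bundle; returns [] if the file is missing.
def load_bundle(path)
  return [] unless File.file?(path)
  File.binread(path)
      .scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
      .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Summarise the trust configuration without touching the network.
def trust_report(env = ENV)
  file = effective_ca_file(env)
  certs = load_bundle(file)
  { source: env.key?('SSL_CERT_FILE') ? :environment : :compiled_default,
    ca_file: file,
    cert_count: certs.size,
    expired: certs.count { |c| c.not_after < Time.now } }
end

# Per-connection alternative to the environment variable: set the bundle on
# the client and keep peer verification on. Nothing connects until #start.
def verified_http(host, ca_file, port = 443)
  raise ArgumentError, "CA bundle not found: #{ca_file}" unless File.file?(ca_file)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file
  http
end

report = trust_report
puts "CA file (#{report[:source]}): #{report[:ca_file]}"
puts "certificates: #{report[:cert_count]}, expired: #{report[:expired]}"
warn 'No usable CA bundle: set SSL_CERT_FILE to a PEM file' if report[:cert_count].zero?
```

A cert_count of 0 with source compiled_default is the situation the doctor script reported in the question.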