After switching to Ruby 1.9 on Mac OS X 10.6, the following code, which makes an HTTPS request to encrypted.google.com:
require 'net/https'
https = Net::HTTP.new('encrypted.google.com', 443)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.request_get('/')
fails with the following error:
/opt/local/lib/ruby1.9/1.9.1/net/http.rb:677: in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
The problem comes from the fact that the new Ruby 1.9 installation doesn’t find the certification authority certificates (CA Certs) used to verify the authenticity of secured web servers.
The solution is to install the curl-ca-bundle port which contains the same root certificates used by Firefox:
sudo port install curl-ca-bundle
and tell your https object to use it:
https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'
Note that if you want your code to run on Ubuntu, you need to set the ca_path attribute instead, with the default certificates location /etc/ssl/certs.
In the end, this is what works on both Mac OS X and Ubuntu:
require 'net/https'
https = Net::HTTP.new('encrypted.google.com', 443)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.ca_path = '/etc/ssl/certs' if File.exist?('/etc/ssl/certs') # Ubuntu
https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt' if File.exist?('/opt/local/share/curl/curl-ca-bundle.crt') # Mac OS X
https.request_get('/')
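The snippet above silently sets nothing when neither path exists, which brings back the original verification error. As an added example (not code from the original post), the sketch below picks the first usable CA store and refuses to build a client without one. The helper names, and the fallback to the OpenSSL::X509::DEFAULT_CERT_FILE and DEFAULT_CERT_DIR constants, are assumptions of this example; the two literal paths are the ones from the post.

```ruby
require 'net/http'
require 'openssl'

# The post's two locations first, then the defaults compiled into this OpenSSL build.
CA_CANDIDATES = [
  [:ca_path, '/etc/ssl/certs'],                            # Ubuntu (from the post)
  [:ca_file, '/opt/local/share/curl/curl-ca-bundle.crt'],  # MacPorts (from the post)
  [:ca_file, OpenSSL::X509::DEFAULT_CERT_FILE],
  [:ca_path, OpenSSL::X509::DEFAULT_CERT_DIR]
].freeze

# A ca_file is usable only if it holds at least one PEM certificate.
def usable_ca_file?(path)
  File.file?(path) && File.readable?(path) &&
    File.foreach(path).any? { |line| line.start_with?('-----BEGIN CERTIFICATE-----') }
end

# OpenSSL looks up ca_path entries by subject hash ("1a2b3c4d.0"), so a
# directory of plain .pem files without those names verifies nothing.
def usable_ca_path?(path)
  File.directory?(path) &&
    Dir.children(path).any? { |name| name =~ /\A[0-9a-f]{8}\.\d+\z/ }
end

# Returns [:ca_file or :ca_path, path] for the first usable store, or nil.
def find_ca_store(candidates = CA_CANDIDATES)
  candidates.find do |kind, path|
    next false if path.nil? || path.empty?
    kind == :ca_file ? usable_ca_file?(path) : usable_ca_path?(path)
  end
end

# Builds a verifying client; raises instead of downgrading to VERIFY_NONE.
def verified_https(host, port = 443, candidates = CA_CANDIDATES)
  kind, path = find_ca_store(candidates)
  raise ArgumentError, 'no usable CA store found' unless kind
  https = Net::HTTP.new(host, port)
  https.use_ssl = true
  https.verify_mode = OpenSSL::SSL::VERIFY_PEER
  https.public_send("#{kind}=", path)
  https
end
```

With this in place, verified_https('encrypted.google.com').request_get('/') replaces the manual setup, and a machine with no trust store fails at construction time rather than at the TLS handshake.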
I faced the same issue on Ruby 1.8.7 and rbx-1.8.7 on Ubuntu 10.10. The fix you suggested (setting https.ca_path) works.
Thanks!
Is there a chance of this solution on Windows?
I don’t have a Windows box to test, but you can manually download the latest certificates from curl http://curl.haxx.se/ca/cacert.pem and have https.ca_file point to that file on your disk.
This was a great help. The missing piece was how to use this easily in my app, which uses devise and omniauth. I found an example elsewhere and am copying it in here for others:
config.omniauth :facebook, 'xxx', 'yyy', :scope => 'xxxxx', :client_options => {:ssl => {:ca_path => "/etc/ssl/certs"}}
That happens to be the path to my certs, YMMV.
HTH
I have a solution here (http://jjinux.blogspot.com/2012/02/ruby-working-around-ssl-errors-on-os-x.html) that monkey patches Net::HTTP#use_ssl= in order to do what was suggested above so that it “just works”.
Solution, get the certified gem
[sudo] gem install certified
Add to Gemfile: gem 'certified'
bundle install
https://github.com/stevegraham/certified
Hmm, the certified gem bundles a certificates file, which is not a good idea. You want to rely on your system’s certificates, especially on production machines on which you install security updates regularly.
I had this problem with the ‘gist’ executable from GitHub. Here’s a version of this solution that can be used to ‘monkey patch’ such 3rd party tools.
https://gist.github.com/2659619