Ruby 1.9 and the SSL error

  December 30th, 2010

After switching to Ruby 1.9 on Mac OS X 10.6, the following code, which makes an HTTPS request to encrypted.google.com:

require 'net/https'
https = Net::HTTP.new('encrypted.google.com', 443)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.request_get('/')

fails with the following error:

/opt/local/lib/ruby1.9/1.9.1/net/http.rb:677:
  in `connect':
  SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

The problem is that the new Ruby 1.9 installation doesn’t find the certificate authority certificates (CA certs) used to verify the authenticity of secured web servers.

The solution is to install the curl-ca-bundle port which contains the same root certificates used by Firefox:

sudo port install curl-ca-bundle

and tell your https object to use it:

https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'

Note that if you want your code to run on Ubuntu, you need to set the ca_path attribute instead, with the default certificates location /etc/ssl/certs.

In the end, this is what works on both Mac OS X and Ubuntu:

require 'net/https'
https = Net::HTTP.new('encrypted.google.com', 443)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.ca_path = '/etc/ssl/certs' if File.exist?('/etc/ssl/certs') # Ubuntu
https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt' if File.exist?('/opt/local/share/curl/curl-ca-bundle.crt') # Mac OS X
https.request_get('/')
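
The same idea as an added example (not code from the original post): it generalizes the two conditionals above into an ordered search that also tries OpenSSL's compiled-in default locations, and it fails closed rather than dropping to VERIFY_NONE when no CA certificates are found. The helper names `pick_ca_source` and `verified_https` are hypothetical.

```ruby
require 'net/http'
require 'openssl'

# Candidates in priority order: the two paths from the post, then the
# defaults compiled into the OpenSSL that this Ruby is linked against.
CA_CANDIDATES = [
  '/opt/local/share/curl/curl-ca-bundle.crt', # MacPorts curl-ca-bundle
  '/etc/ssl/certs',                           # Ubuntu
  OpenSSL::X509::DEFAULT_CERT_FILE,
  OpenSSL::X509::DEFAULT_CERT_DIR
].freeze

# Hypothetical helper: returns [:ca_file, path] for a non-empty bundle file,
# [:ca_path, path] for a non-empty directory, or nil if nothing is usable.
def pick_ca_source(candidates = CA_CANDIDATES)
  candidates.each do |path|
    return [:ca_file, path] if File.file?(path) && File.size?(path)
    return [:ca_path, path] if File.directory?(path) && !Dir.children(path).empty?
  end
  nil
end

# Hypothetical helper: builds a Net::HTTP object that always verifies the peer.
# If no CA source exists it raises instead of falling back to VERIFY_NONE.
def verified_https(host, port = 443, candidates = CA_CANDIDATES)
  kind, path = pick_ca_source(candidates)
  raise ArgumentError, 'no CA certificates found, refusing to connect unverified' unless kind

  https = Net::HTTP.new(host, port)
  https.use_ssl = true
  https.verify_mode = OpenSSL::SSL::VERIFY_PEER
  https.public_send("#{kind}=", path) # sets https.ca_file or https.ca_path
  https
end

# Usage: verified_https('encrypted.google.com').request_get('/')
```

A directory passed as ca_path only works if it holds hash-named certificate links (as /etc/ssl/certs does on Ubuntu); the non-empty check here does not validate that.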

7 Responses to “Ruby 1.9 and the SSL error”

  1. Jasim says:

    I faced the same issue on Ruby 1.8.7 and rbx-1.8.7 on Ubuntu 10.10. The fix you suggested (setting https.ca_path) works.

    Thanks!

  2. vinicius gati says:

    Is there a chance of this solution on Windows?

  3. martin says:

    I don’t have a Windows box to test, but you can manually download the latest certificates from curl http://curl.haxx.se/ca/cacert.pem and have https.ca_file point to that file on your disk.

  4. Jack Dempsey says:

    This was a great help. The missing piece was how to use this easily in my app, which uses devise and omniauth. I found an example elsewhere and am copying it in here for others:

    config.omniauth :facebook, 'xxx', 'yyy', :scope => 'xxxxx', :client_options => {:ssl => {:ca_path => "/etc/ssl/certs"}}

    That happens to be the path to my certs, YMMV.

    HTH

  5. [...] is loads and loads of advice to fix the message, which also tends to revolve around finding/installing the correct [...]

  6. [...] Reference page: http://martinottenwaelter.fr/2010/12/ruby19-and-the-ssl-error/ October 28th, 2011 in ruby | tags: post, ruby, ssl, Renren [...]

  7. I have a solution here (http://jjinux.blogspot.com/2012/02/ruby-working-around-ssl-errors-on-os-x.html) that monkey patches Net::HTTP#use_ssl= in order to do what was suggested above so that it “just works”.
