Ruby: Working Around SSL Errors on OS X
Have you ever seen the following error:
After reading a ton of different blog posts, this is the approach that I created for my Rails app:
Hopefully this will be fixed properly soon.
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)Apparently, this is a standard problem for Ruby on OS X. The problem is that Ruby is unable to find the root certificates necessary to verify a given certificate. A typical (and very bad) workaround is to turn off certificate validation using some code that looks something like:
...verify_mode = OpenSSL::SSL::VERIFY_NONEThere's a good blog post called How to Cure Net::HTTP’s Risky Default HTTPS Behavior. It shows you how to force all certificates to be verified, but it doesn't show how to make use of the operating system's most up-to-date list of root certificates.
After reading a ton of different blog posts, this is the approach that I created for my Rails app:
# config/initializers/fix_ssl.rbAs the code says, you'll have to execute "sudo port install curl-ca-bundle" on OS X to install the root certificates. Unfortunately, I don't know what the brew version of that is.
#
# Work around errors that look like:
#
# SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
require 'open-uri'
require 'net/https'
module Net
class HTTP
alias_method :original_use_ssl=, :use_ssl=
def use_ssl=(flag)
# Ubuntu
if File.exists?('/etc/ssl/certs')
self.ca_path = '/etc/ssl/certs'
# MacPorts on OS X
# You'll need to run: sudo port install curl-ca-bundle
elsif File.exists?('/opt/local/share/curl/curl-ca-bundle.crt')
self.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'
end
self.verify_mode = OpenSSL::SSL::VERIFY_PEER
self.original_use_ssl = flag
end
end
end
Hopefully this will be fixed properly soon.
Comments
http://martinottenwaelter.fr/2010/12/ruby19-and-the-ssl-error/
http://jimneath.org/2011/10/19/ruby-ssl-certificate-verify-failed.html
http://code.google.com/p/google-plus-ruby-starter/issues/detail?id=3#c6
http://www.rubyinside.com/how-to-cure-nethttps-risky-default-https-behavior-4010.html
http://stackoverflow.com/questions/5074164/google-api-ruby-client-translate-api-examples
Any advice?
Here are the versions I'm using:
$ which ruby
/Users/jjinux/.rvm/rubies/ruby-1.9.2-p290/bin/ruby
$ gem list
*** LOCAL GEMS ***
abstract (1.0.0)
actionmailer (3.0.5)
actionpack (3.0.5)
activemodel (3.0.5)
activerecord (3.0.5)
activeresource (3.0.5)
activesupport (3.0.5)
addressable (2.2.6)
archive-tar-minitar (0.5.2)
arel (2.0.10)
autoparse (0.2.3)
builder (2.1.2)
bundler (1.0.22 ruby)
capybara (1.1.2)
childprocess (0.3.1)
coderay (1.0.5)
columnize (0.3.6)
countries (0.8.1)
crack (0.3.1)
currencies (0.4.0)
diff-lcs (1.1.3)
erubis (2.6.6)
extlib (0.9.15)
factory_girl (2.5.2)
factory_girl_rails (1.6.0)
faraday (0.7.6)
ffi (1.0.11)
google-api-client (0.4.0)
httpadapter (1.0.1)
i18n (0.6.0)
json (1.6.5)
jwt (0.1.4)
launchy (2.0.5)
linecache19 (0.5.12)
mail (2.2.19)
method_source (0.7.0)
mime-types (1.17.2)
multi_json (1.0.4)
multipart-post (1.1.4)
nokogiri (1.5.0)
polyglot (0.3.3)
pry (0.9.8.2)
rack (1.2.5)
rack-mount (0.6.14)
rack-test (0.5.7)
rails (3.0.5)
railties (3.0.5)
rake (0.9.2.2, 0.9.2)
rspec (2.8.0)
rspec-core (2.8.0)
rspec-expectations (2.8.0)
rspec-mocks (2.8.0)
rspec-rails (2.8.1)
ruby-debug-base19 (0.11.25)
ruby-debug19 (0.11.6)
ruby_core_source (0.1.5)
rubyzip (0.9.6.1)
selenium-webdriver (2.19.0)
signet (0.3.2)
slop (2.4.4)
sqlite3 (1.3.5)
thor (0.14.6)
treetop (1.4.10)
tzinfo (0.3.31)
webmock (1.7.10)
will_paginate (3.0.pre)
xpath (0.1.4)
Perhaps if you use the exact same versions, things will work out better for you.