0

Before attempting to solve this, I had no clue how certs or SSL worked, so please bear with my n00b-ness.

I'm currently using the Savon gem (v. 0.9.9) to try and connect to a SOAP-based web-service over HTTPS. However, I'm having a difficult time making successful calls.

As I understand the SSL/TLS protocol, the client sends the initial 'client hello' message to the server, to which the server responds with a 'server hello', which includes the server's digital certificate. The client will check that cert's chain against the local Cert Authority bundle to see if said cert can be trusted. That being said, here's what I've tried.

  1. Update RVM CA certs: At first, I was getting the same error described in this SO thread, and I learned that Ruby checks the CA certs. I also found these instructions on updating the CA certs that RVM uses. So I ran the following in iTerm:

        rvm osx-ssl-certs status all
    

    and I got the following output:

    Certificates for /Users/user-name/.rvm/usr/ssl/cert.pem: Up to date.
    

    However, this still didn't allow me to successfully make SOAP calls over HTTPS.

  2. Check if remote server's SSL cert is valid: I learned about the openssl CLI tool from here, and so I figured perhaps the issue isn't me. Perhaps the issue is with the certificate itself. So I ran the following command in iTerm:

    openssl s_client -connect [HOST]:[PORT] -showcerts
    

    In addition to the certificate itself, I got the following in the output:

    Verify return code: 18 (self signed certificate)
    

    As I understand it, since this cert is self-signed, then unless it itself was a trusted CA, then of course it could never be verified. So the issue isn't with the certificate, the problem is with my local CA bundle.

  3. Update local CA bundle: As I understand it, cert.pem is a list of trusted CA certs. I actually found two such files on my local machine:

    /Users/user-name/.rvm/usr/ssl/cert.pem
    

    and

    /System/Library/OpenSSL/cert.pem
    

    I wasn't sure which one I should update, so I ended up copying one of those files into my app's directory, copied & pasted the certificate into the new local cert.pem, and tried again. Unfortunately I now get the following:

    OpenSSL::SSL::SSLError:
    hostname does not match the server certificate
    

At this point, I'm not really sure what to do since as far as I can tell, the certificate should now be treated as a trusted certificate. Here's my code at the moment:

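    require 'savon'  # Savon 0.9.9

    # path_to_local_cert_pem and path_to_remote_wsdl_over_https are placeholders.
    $SOAP_CORE = Savon::Client.new do |wsdl, http|
        http.auth.ssl.ca_cert_file = path_to_local_cert_pem  # local cert.pem copy with the server's certificate pasted in
        http.auth.ssl.verify_mode = :peer                    # verify the server's certificate
        wsdl.document = path_to_remote_wsdl_over_https
    end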
elefont
  • 151
  • 1
  • 7
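
The verify return code 18 from step 2 and the "hostname does not match" error from step 3 come from two separate checks that `:peer` verification performs: chain trust against the CA bundle, then the requested hostname against the names in the certificate. The following is an added example, not code from the original post, that runs both checks offline on a constructed self-signed certificate; the hostnames and the helpers `self_signed_cert` and `check` are hypothetical.

```ruby
require 'openssl'

# Constructed sample: a self-signed certificate for +common_name+ (not the asker's server cert).
def self_signed_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                        # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{common_name}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Run the two checks a verifying client makes, separately:
# 1. chain trust against the given trust anchors, 2. hostname vs. certificate identity.
def check(cert, trusted, hostname)
  store = OpenSSL::X509::Store.new        # empty store: no system CA bundle loaded
  trusted.each { |c| store.add_cert(c) }
  chain_ok = store.verify(cert)
  { chain_ok: chain_ok,
    chain_error: store.error,             # OpenSSL verify code; 18 = self-signed, untrusted
    host_ok: OpenSSL::SSL.verify_certificate_identity(cert, hostname) }
end

cert = self_signed_cert('soap.internal.example')   # hypothetical name on the certificate
{
  'empty bundle, matching name'    => check(cert, [], 'soap.internal.example'),
  'cert in bundle, different name' => check(cert, [cert], 'ws.example.com'),
  'cert in bundle, matching name'  => check(cert, [cert], 'soap.internal.example')
}.each { |label, result| puts "#{label}: #{result}" }
```

Adding the certificate to the bundle clears code 18 only; the hostname check passes only when the name used to connect is one the certificate lists.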

1 Answer

-1

> As I understand it, since this cert is self-signed, then unless it itself was a trusted CA, then of course it could never be verified. So the issue isn't with the certificate, the problem is with my local CA bundle.

I'm confused how you come to this conclusion. A self-signed certificate isn't going to verify, so the issue is with the certificate. Updating your CA bundle won't help unless the self-signer ends up in there, which seems silly.

Try turning off verification.

    http.auth.ssl.verify_mode = :none

Nick Veys
  • 23,458
  • 4
  • 47
  • 64
  • I suppose I just thought that any cert (self-signed or otherwise) would need to be listed as a "trusted cert". Adding the self-signer didn't seem that silly to me, but like I said I'm very new to working with SSL & certificates. I tried turning off the verification, but now I'm getting the following as output: (S:Server) Access Denied – elefont Mar 26 '14 at 20:06
  • Is there authentication information you need to be supplying to access this site? – Nick Veys Mar 26 '14 at 22:04