I'm pretty sure I've tried everything under the sun. Here is the code I'm trying to run:

```ruby
require 'rubygems'
require 'rest-client'
require 'json'

def vipr_session(viprurl, username, password)
  vipr_session_link = RestClient::Resource.new(viprurl + '/login', username, password)
  vipr_session_response = vipr_session_link.get
  # The auth token is a response header; Resource#headers only holds request headers.
  @mysession = vipr_session_response.headers[:x_sds_auth_token]
end

@username = 'root'
@password = 'mypw'
@viprurl = 'https://192.168.50.141:4443'

print " Logging into ViPR..."
vipr_session(@viprurl, @username, @password)
print "Success! \n\n\n"
puts @mysession
storagesystems = JSON.parse(RestClient.get(@viprurl + '/vdc/storage-systems', :x_sds_auth_token => @mysession, :content_type => :json, :accept => :json))
puts storagesystems
```

Here is the error

```
kcoleman-mbp:vipr_scripts kcoleman$ ruby storage_systems.rb
 Logging into ViPR.../Users/kcoleman/.rvm/gems/ruby-2.1.2/gems/rest-client-1.7.2/lib/restclient/request.rb:445:in `rescue in transmit': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (RestClient::SSLCertificateNotVerified)
    from /Users/kcoleman/.rvm/gems/ruby-2.1.2/gems/rest-client-1.7.2/lib/restclient/request.rb:350:in `transmit'
    from /Users/kcoleman/.rvm/gems/ruby-2.1.2/gems/rest-client-1.7.2/lib/restclient/request.rb:176:in `execute'
    from /Users/kcoleman/.rvm/gems/ruby-2.1.2/gems/rest-client-1.7.2/lib/restclient/request.rb:41:in `execute'
    from /Users/kcoleman/.rvm/gems/ruby-2.1.2/gems/rest-client-1.7.2/lib/restclient/resource.rb:51:in `get'
    from storage_systems.rb:8:in `vipr_session'
    from storage_systems.rb:18:in `<main>'
```

I can make this work by setting `verify_ssl: false` in the RestClient, but this code had been working previously and all of a sudden it no longer does.

Here is what I've done to try and fix:

```
rvm osx-ssl-certs update all
brew install openssl
brew link openssl --force
brew tap raggi/ale
brew install openssl-osx-ca
rvm pkg install openssl
curl http://curl.haxx.se/ca/cacert.pem -o /usr/local/etc/openssl/cert.pem
```

Here are my current configs

```
kcoleman$ which openssl
/usr/local/bin/openssl
kcoleman$ openssl version
OpenSSL 1.0.1i 6 Aug 2014
```

I ran into this article, "SSLError and Rubyist, sitting in a tree", and this is the output of the doctor.rb script.

```
kcoleman-mbp:ssl-tools kcoleman$ ruby doctor.rb 192.168.50.141:4443
/Users/kcoleman/.rvm/rubies/ruby-2.1.2/bin/ruby (2.1.2-p95)
OpenSSL 1.0.1g 7 Apr 2014: /etc/openssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""

HEAD https://192.168.50.141:4443
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

The server presented a certificate that could not be verified:
  subject: /CN=192.168.50.140
  issuer: /CN=192.168.50.140
  error code 18: self signed certificate
```

It looks like ruby is using a different version of OpenSSL that is packaged with RVM. Verified by running openssl install on rvm.

```
kcoleman-mbp:vipr_scripts kcoleman$ rvm pkg install openssl

Beware, 'rvm pkg ...' is deprecated, read about the new autolibs feature: 'rvm help autolibs'.

Checking requirements for osx.
Certificates in '/usr/local/etc/openssl/cert.pem' are already up to date.
Requirements installation successful.
Fetching openssl-1.0.1g.tar.gz to /Users/kcoleman/.rvm/archives
Extracting openssl to /Users/kcoleman/.rvm/src/openssl-1.0.1g....
Configuring openssl in /Users/kcoleman/.rvm/src/openssl-1.0.1g.......................
Compiling openssl in /Users/kcoleman/.rvm/src/openssl-1.0.1g...........................................................................................-
Installing openssl to /Users/kcoleman/.rvm/usr
```

If you have any ideas of what to try, it's greatly appreciated.

Kenny Coleman
  • I think Steffen nailed it with the mismatched IP. Generate a new self signed certificate. See [Certificate with Extended Key Usage only works in Firefox](http://stackoverflow.com/questions/25259867/certificate-with-extended-key-usage-only-works-in-firefox) for instructions and a sample configuration file. – jww Aug 20 '14 at 10:52

1 Answer

```
HEAD https://192.168.50.141:4443
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

The server presented a certificate that could not be verified:
  subject: /CN=192.168.50.140
  issuer: /CN=192.168.50.140
  error code 18: self signed certificate
```

There are several things wrong with your certificate which make the verification fail:

  • The certificate is self-signed and thus could not be checked against a local trust anchor. Accepting such a certificate is equivalent to accepting any passport somebody created for themselves instead of only passports issued by trusted governments.
  • The certificate's subject does not match the name you used to connect to it. The certificate is for 192.168.50.140, but you access the host as 192.168.50.141 (it might still be that there are more IPs in the certificate as subject alternative names which are not shown here). Not checking the name in the certificate is equivalent to not checking the photo in the passport against the presenter of the passport.
Steffen Ullrich
  • I guess the problem is stemming from what can be seen in this image [ViPR Setup Image](http://theruddyduck.typepad.com/.a/6a01901e94bb15970b01a3fd2e64da970b-800wi). 192.168.50.140 is the server IP while 141 is the UI/REST IP. I just generated a new self-signed cert and Firefox made me accept the new self-signed cert. However, the doctor.rb file still shows the same. – Kenny Coleman Aug 20 '14 at 15:23
  • Because your script has no way to make you accept the self-signed cert. You have to somewhere specify that this certificate is trusted, like you did after Firefox presented you with the certificate warning. I'm not familiar with ruby, but looking at http://www.rubydoc.info/github/rest-client/rest-client/RestClient/Request `SSLOptionList` `ca_file` and `ca_path` are the relevant settings. – Steffen Ullrich Aug 20 '14 at 16:57
  • thanks... I just need to pipe in ssl_verify: false to the methods and it corrects itself. I don't know how this was working before, but this is a fix. Thanks for the help – Kenny Coleman Aug 21 '14 at 22:45
  • No, this isn't a fix, just a bad workaround. If you just disable verification of the certificate you open yourself up to man-in-the-middle attacks. – Steffen Ullrich Aug 22 '14 at 01:55
  • @KennyColeman thanks for the ssl_verify tip-- minor correction, it is actually verify_ssl:false – fredw Sep 30 '14 at 17:39
  • @fredw technically either works https://github.com/rest-client/rest-client/blob/master/lib/restclient/request.rb#L139-L140 – JakeRobinson Nov 19 '14 at 03:49
  • @KennyColeman "i don't know how this was working before" - rest-client <1.7 did not do ssl verification by default. Is it possible you were using an older version before? https://github.com/rest-client/rest-client/commit/f27084433937577087cf184e993050d96464f6ef – JakeRobinson Dec 01 '14 at 16:16
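
The two failures named in the answer (no trust anchor, wrong name) and the pinning alternative to `verify_ssl: false`, as an added Ruby example that is not code from the question, the answer or rest-client. The certificates are constructed in-process as stand-ins for the appliance certificate; the helper names `self_signed_cert` and `check` and the file name `vipr.pem` are hypothetical.

```ruby
require 'openssl'

# Constructed stand-in for the appliance certificate (not the real ViPR cert).
def self_signed_cert(cn, san: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name # issuer == subject: self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if san
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The two checks a verifying TLS client makes: trust chain, then identity.
def check(cert, host, trusted: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  chain_ok = store.verify(cert)
  { chain_ok: chain_ok, error: store.error,
    name_ok: OpenSSL::SSL.verify_certificate_identity(cert, host) }
end

HOST     = '192.168.50.141' # address the script connects to
OLD_CERT = self_signed_cert('192.168.50.140') # CN as in the doctor.rb output
NEW_CERT = self_signed_cert(HOST, san: "IP:#{HOST}") # regenerated for .141

UNTRUSTED  = check(OLD_CERT, HOST)                      # empty trust store
PINNED_OLD = check(OLD_CERT, HOST, trusted: [OLD_CERT]) # trusted, wrong name
PINNED_NEW = check(NEW_CERT, HOST, trusted: [NEW_CERT]) # trusted, right name

puts "untrusted:  #{UNTRUSTED}"
puts "pinned old: #{PINNED_OLD}"
puts "pinned new: #{PINNED_NEW}"

# With rest-client, trust is expressed by exporting the appliance certificate
# to a PEM file (name below is hypothetical) instead of disabling verification:
#   RestClient::Resource.new(url, user: u, password: p, ssl_ca_file: 'vipr.pem')
```

Pinning the old certificate clears error 18 but the name check still fails for 192.168.50.141, which is why the certificate has to be regenerated for the address actually used and then trusted explicitly.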