0

I get SSL verify errors when running get calls against an SSL site from the rails console (or in the rails environment in general).

```
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
```

I've traced the entire rails application initialization process from start to finish, going from config.ru all the way through, requiring environment files, etc.

The SSL error only starts happening after I run Rails.application.initialize! in config/environment.rb

I purged all ruby gems from the system and only have the ones installed from the Gemfile so it's impossible to have a different gem version required before/after the initialization process.

I know the short-term fix would be to set my HTTPS calls to not verify the cert it is getting but that is not possible due to security concerns in the production environment.

The problem seems to relate to SNI (Server Name Indication) given that when I run

```
openssl s_client -connect sub.domain.com:443 -showcerts -servername sub.domain.com
```

I get the proper CERT, but when I run

```
openssl s_client -connect sub.domain.com:443 -showcerts
```

I get a cert for sub2.domain.com, which is why the verify fails. How is this something that is changed by the Rails init process and, if so, is there an option to tell Rails to use SNI?

  • Rails v4.2.5.2
  • ruby 2.3.3p222 (2016-11-21 revision 56859) [x86_64-linux]
  • OS: Fedora 25
  • ca-certificates-2017.2.11-1.1.fc25_2017.2.14-1.0.fc25.noarch.drpm: done
Killerpixler
  • SSL. I feel your pain. Have you looked at this tool: https://github.com/mislav/ssl-tools/blob/8b3dec4/doctor.rb - I found it very helpful (I am in no way related to the developer). I also found this post particularly helpful: http://stackoverflow.com/questions/36966650/ruby-nethttp-responds-with-opensslsslsslerror-certificate-verify-failed/43769753#43769753. Best of luck!!! – jvillian May 10 '17 at 15:04
  • Thanks but unfortunately this doesn't help since the issue here is the fact that the same call (`HTTParty.get('https://...')`) works fine if run in an IRB but after a rails app initializes it gives this SSL error. – Killerpixler May 11 '17 at 10:58

2 Answers

0

In the end it wasn't a Rails issue but a google-api-client gem issue. In order to work in a Windows environment we loaded the cacerts.pem file from the google api gem via an initializer file.

config/initializers/ga.rb:

```ruby
cert_path = Gem.loaded_specs['google-api-client'].full_gem_path+'/lib/cacerts.pem'
ENV['SSL_CERT_FILE'] = cert_path
```

This resolves the CA file to

"/home/user/appname/vendor/bundle/ruby/2.3.0/gems/google-api-client-0.11.1/lib/cacerts.pem"

And that does not support SNI for SSL certs generated by LetsEncrypt.

Killerpixler
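The initializer in the answer above replaces the CA bundle for the whole process through `SSL_CERT_FILE`. The following is an added example, not code from the original post or from google-api-client: it reports which CA file is active and verifies a certificate against one specific bundle, so a bundle that lacks the issuing CA shows up as a named OpenSSL error. The helper names and the throwaway certificates are constructed for illustration.

```ruby
require 'openssl'
require 'tempfile'

# Which CA file will OpenSSL-backed clients (Net::HTTP, HTTParty) trust,
# and did SSL_CERT_FILE (e.g. set in an initializer) replace the default?
def ca_bundle_report(env = ENV)
  default  = OpenSSL::X509::DEFAULT_CERT_FILE
  override = env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV].to_s # "SSL_CERT_FILE"
  active   = override.empty? ? default : override
  { active: active, overridden: active != default,
    from_gem: active.include?('/gems/') }
end

# Verify a certificate against one specific CA bundle file and return
# [ok, openssl_error_string] so a bundle missing the issuer is visible.
def verify_against_bundle(cert, bundle_path)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path)
  [store.verify(cert), store.error_string]
end

# Constructed test material: a self-signed CA, or a leaf signed by a CA.
def make_cert(cn, issuer_cert = nil, issuer_key = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if issuer_cert.nil? # mark self-signed certificates as CAs
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Write certificates to a temporary PEM bundle (stand-in for cacerts.pem).
def write_bundle(*certs)
  file = Tempfile.new(['cacerts', '.pem'])
  file.write(certs.map(&:to_pem).join)
  file.flush
  file
end

p ca_bundle_report if __FILE__ == $PROGRAM_NAME
```

Running `ca_bundle_report` in plain IRB and again in the Rails console shows whether initialization changed the active bundle.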
0

I added the following gem and it worked for me: `gem 'certified'`

Jovany