33

I am trying to authenticate users with Facebook using OmniAuth. Initially, it was working, but along the way it just stopped working and started to give me this error message:

    OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

The same code works well for Twitter and I can't seem to understand why it doesn't work for Facebook. I have looked online for help, but I haven't been successful.

This is the link to the website I am building: http://www.bestizz.com/
And this url would give you the error message: http://www.bestizz.com/auth/facebook

John Paul Ashenfelter
Eugene
  • We can't tell you what code to change if you don't show us the code you already have. :) Perhaps [this helps](http://www.ruby-forum.com/topic/176626#773356)? – Michelle Tilley Apr 19 '11 at 04:06
  • Sorry, this is a link to my code and details of the problem [link](http://www.ruby-forum.com/topic/1538936#993973) @brandonTilley – Eugene Apr 20 '11 at 10:26
  • are you getting a stack trace? There are a few libraries down the stack (OmniAuth, OAuth2, Faraday, etc.) and if you have a stack trace it would probably help a lot. – Michelle Tilley Apr 20 '11 at 14:56
  • @brandonTilley, sorry, for going round and round. New to this forum, by the way, this is a link to my framework stack trace. [link](http://www.ruby-forum.com/topic/1538936#994260) – Eugene Apr 21 '11 at 10:31
  • 1
    No problems ^_^ Added an answer, finally :) Good luck – Michelle Tilley Apr 21 '11 at 14:50

7 Answers

27

Ruby cannot find any root certificates. Here is an option for debugging purposes. Put the following code at the beginning of your script:

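    require 'openssl'
    # Debugging only: code that later reads VERIFY_PEER gets VERIFY_NONE instead,
    # so certificate verification is switched off process-wide.
    OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
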
RAJ
  • 28
    This should not be considered an option. Fix it properly or don't even bother using SSL. – Joshua Pinter Jul 27 '14 at 02:40
  • 3
    As noted, this is for debugging or development ONLY. Do NOT use this code in production. – eltiare Apr 09 '15 at 19:01
  • 1
    Indeed, _for debugging_, when I'm communicating with servers I haven't installed certs on, I do this. On my Ruby, I get a dynamic constant assignment error, so I monkey patched it instead, so something like `module OpenSSL; module SSL; VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE; end; end` – sameers Jul 21 '15 at 22:56
  • 2
    I definitely think that in your answer you should include why that is very insecure. – thesecretmaster Aug 09 '15 at 20:00
  • Not just that is a security violation, it's even useless to the point that it doesn't tell WHERE to put this code. – igraczech Mar 07 '16 at 09:21
  • 1
    The code is meant to go at the very beginning of the script. – SophiaAP Sep 27 '16 at 20:36
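
Why a Ruby with no root certificates fails with `certificate verify failed`, and what is lost when verification is switched off, shown against a throwaway PKI built in memory. This is an added example, not code from any answer on this page; the CA names, the host name `graph.example.test` and the helpers `make_cert`, `check` and `trust_store_demo` are constructed for illustration.

```ruby
require 'openssl'

# Build a certificate for a throwaway, constructed PKI (no real-world certs).
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  constraints = ca ? 'CA:TRUE' : 'CA:FALSE'
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension('basicConstraints', constraints, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify +leaf+ against a store that trusts only +roots+; returns [ok, reason].
def check(leaf, roots)
  store = OpenSSL::X509::Store.new # a new store trusts nothing
  roots.each { |root| store.add_cert(root) }
  [store.verify(leaf), store.error_string]
end

def trust_store_demo
  root_key = OpenSSL::PKey::RSA.new(2048)
  other_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('Example Root CA', root_key, ca: true)
  other = make_cert('Untrusted CA', other_key, ca: true)
  genuine = make_cert('graph.example.test', leaf_key, issuer: root, issuer_key: root_key)
  lookalike = make_cert('graph.example.test', leaf_key, issuer: other, issuer_key: other_key)
  {
    empty_store: check(genuine, []),        # no roots found: verification fails
    root_installed: check(genuine, [root]), # roots available: same cert verifies
    lookalike_cert: check(lookalike, [root]) # rejected here, accepted under VERIFY_NONE
  }
end

trust_store_demo.each { |name, (ok, why)| puts "#{name}: #{ok} (#{why})" } if __FILE__ == $PROGRAM_NAME
```

The third case is the one that matters: a certificate with the right name from an issuer outside the trust store is rejected only while verification is on.
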
9

Add the following code to config/initializers/fix_ssl.rb

    require 'open-uri'
    require 'net/https'

    module Net
      class HTTP
        alias_method :original_use_ssl=, :use_ssl=

        def use_ssl=(flag)
          self.ca_file = "/etc/pki/tls/certs/ca-bundle.crt"  # for Centos/Redhat
          self.verify_mode = OpenSSL::SSL::VERIFY_PEER
          self.original_use_ssl = flag
        end
      end
    end

Note:

Many operating systems already come with a supplied certificate bundle. For example in Red Hat Enterprise Linux and CentOS it's installed in:

    /etc/pki/tls/certs/ca-bundle.crt

For Ubuntu it's at:

    /etc/ssl/certs/ca-certificates.crt

Amal Kumar S
  • I can't find initializers directory in my .config directory (I'm on ubuntu), could you help me with it? – Evgenia Karunus Jul 19 '14 at 09:26
  • 2
    config/initializers directory comes under your Rails application folder structure. This solution is for Rails application. – Amal Kumar S Jul 21 '14 at 05:38
  • 3
    For me it was enough to set environment variable in redhat `export SSL_CERT_FILE='/etc/pki/tls/certs/ca-bundle.crt'` – Cherry Dec 10 '14 at 10:33
  • The line `self.ca_file = "/etc/pki/tls/certs/ca-bundle.crt"` helped me with my ruby console app. None of the other solutions worked. I guess, ssls wasn't able to know, which certificate file to use. – Zeeshan Jul 22 '16 at 08:08
7

I've been facing the same problem after updating Ruby running on Yosemite, but while trying to authenticate with Google.

Following this: https://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html seemed to solve my problem.

For the sake of history I'll quote:

So the rvm-installed ruby does look into the wrong directory for certificates whereas the OSX-ruby will look into the correct one. In its case that is a OSX system-directory.

So the rvm-installed ruby is the problem.

This discussion on Github finally gave the solution: Somehow RVM comes with a precompiled version of ruby that is statically linked against an openssl that looks into /etc/openssl for its certificates.

What you wanna do is NOT TO USE any of the precompiled rubies and rather have ruby compiled on your local machine, like so: rvm install 2.2.0 --disable-binary

In the end, I had to run:

    rvm uninstall ruby-2.2.4
    rvm install ruby-2.2.4 --disable-binary
    gem pristine --all

Hope this helps

rpbaltazar
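
To see which CA locations a given Ruby build actually consults (the RVM problem described in the answer above) and to point one client at a bundle without patching `Net::HTTP` globally (the `ca_file` approach from the earlier answer), a small diagnostic can help. This is an added example, not code from the answers; `compiled_in_defaults`, `candidate_bundles`, `bundle_cert_count`, `first_usable_bundle` and `verified_client` are hypothetical names, and the two distribution paths are the ones quoted on this page.

```ruby
require 'openssl'
require 'net/http'

# Where this Ruby's OpenSSL was compiled to look, plus environment overrides.
def compiled_in_defaults
  { cert_file: OpenSSL::X509::DEFAULT_CERT_FILE,
    cert_dir: OpenSSL::X509::DEFAULT_CERT_DIR,
    env_file: ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV],  # SSL_CERT_FILE
    env_dir: ENV[OpenSSL::X509::DEFAULT_CERT_DIR_ENV] }   # SSL_CERT_DIR
end

# Lookup order: env override, compiled-in default, then the distribution
# paths quoted on this page (they may not exist on this machine).
def candidate_bundles
  [compiled_in_defaults[:env_file], compiled_in_defaults[:cert_file],
   '/etc/pki/tls/certs/ca-bundle.crt',   # RHEL / CentOS
   '/etc/ssl/certs/ca-certificates.crt'].compact.uniq # Ubuntu
end

PEM_BLOCK = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

def parsable_cert?(pem)
  OpenSSL::X509::Certificate.new(pem)
  true
rescue OpenSSL::X509::CertificateError
  false
end

# Number of parsable certificates in a PEM bundle; 0 if missing or unreadable.
def bundle_cert_count(path)
  return 0 unless File.file?(path) && File.readable?(path)
  File.binread(path).scan(PEM_BLOCK).count { |pem| parsable_cert?(pem) }
end

def first_usable_bundle(paths = candidate_bundles)
  paths.find { |path| bundle_cert_count(path).positive? }
end

# Scoped fix: verification stays on and only this client is told where the
# roots are, instead of reopening Net::HTTP for the whole process.
def verified_client(host, ca_file, port = 443)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file
  http
end

puts compiled_in_defaults, "usable bundle: #{first_usable_bundle.inspect}" if __FILE__ == $PROGRAM_NAME
```

If `cert_file` points somewhere that does not exist and no candidate is usable, the build is looking in the wrong place, which is the condition the quoted RVM post describes.
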
6

Looks like SSL verification is failing for Facebook. I'm no OpenSSL master, but I think this should work for you.

Assuming you're using an up-to-date version of OmniAuth (>= 0.2.2, I assume you are) and a version of Faraday >= 0.6.1 (the stack trace says you are), you can pass the location of your CA certificates bundle. Modify your OmniAuth setup for Facebook accordingly:

    Rails.application.config.middleware.use OmniAuth::Builder do
      provider :facebook, 'appid', 'appsecret', {:scope => 'publish_stream,email', :client_options => {:ssl => {:ca_path => '/etc/ssl/certs'}}}
      # other providers...
    end

and replace '/etc/ssl/certs' with the path to your bundle. If you need one, I believe this file will work for you--just put it somewhere, give it necessary permissions, and point your app at it.

Thanks to Alex Kremer at this SO answer for the detailed instructions.

Michelle Tilley
  • yeah...@brandon...it works perfectly. Thanks very much. It looks like I developed that problem after I upgraded my gems...It's an issue with Omniauth 0.2.1 - 0.2.2. – Eugene Apr 21 '11 at 23:32
1

This link should work. https://gist.github.com/fnichol/867550 Just follow the instructions. You will need to download Rails installer and run two command line functions.

0

An ugly workaround I just did is to override the class in Net::HTTP and set the variable which tells it to not verify ssl certs:

    require 'net/http'
    require 'openssl'

    class Net::HTTP
      alias_method :orig_connect, :connect

      def connect
        @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
        orig_connect
      end
    end

I did it this way because I don't want to muck with the source code of the gem which calls the gem which calls the gem which calls Net::HTTP. I should really go back and figure out how to nudge it to look at a separate cacert.pem file instead. I can't modify the server's cacert.pem file, or that would be the best route.

Duke
JBB
  • 4
    No need to open a class and override a method -- you can change the `verify_mode` directly on the HTTP object you create: `http.verify_mode = OpenSSL::SSL::VERIFY_NONE` – Mike A. Oct 21 '11 at 15:31
  • 2
    @MikeA. that only works if you're the one creating the `Net::HTTP` instance. – Kelvin Aug 20 '13 at 19:03
  • 1
    -1 for `OpenSSL::SSL::VERIFY_NONE`. – jww Apr 13 '15 at 06:21
0

Do this, this will get rid of the certificate error with openssl

    sudo curl http://curl.haxx.se/ca/cacert.pem -o /opt/local/etc/openssl/cert.pem

Anthon
  • This looks like it's for a self installed, maybe MacPorts OpenSSL ? any idea for standard Mac OS X or homebrew? – Ivan -Oats- Storck Aug 06 '12 at 16:51
  • 2
    This worked for me with RVM on Mountain Lion: `curl http://curl.haxx.se/ca/cacert.pem -o ~/.rvm/usr/ssl/cert.pem` – Lachlan Cotter Sep 13 '12 at 20:54
  • @Lachlan Cotter, many thanks! I was finally able to get [RailsApps Project](http://railsapps.github.com/) apps working with Rails 3.2.8 on Mountain Lion thanks to this command. – Paul Fioravanti Oct 18 '12 at 14:21