I'm having a bit of a nightmare trying to get REE playing nicely with SSL.

Whenever I connect to an SSL site:

```ruby
require 'open-uri'
open 'https://www.google.com'
```

I get the following error:

```
/Users/jon/.rvm/rubies/ree-1.8.7-2011.03/lib/ruby/1.8/net/http.rb:586:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
from /Users/jon/.rvm/rubies/ree-1.8.7-2011.03/lib/ruby/1.8/net/http.rb:586:in `connect'
from /Users/jon/.rvm/rubies/ree-1.8.7-2011.03/lib/ruby/1.8/net/http.rb:553:in `do_start'
from /Users/jon/.rvm/rubies/ree-1.8.7-2011.03/lib/ruby/1.8/net/http.rb:542:in `start'
from /Users/jon/.rvm/rubies/ree-1.8.7-2011.03/lib/ruby/1.8/open-uri.rb:242:in `open_http'
from /Users/jon/.rvm/rubies/ree-1.8.7-2011.03/lib/ruby/1.8/open-uri.rb:616:in `buffer_open'
from /Users/jon/.rvm/rubies/ree-1.8.7-2011.03/lib/ruby/1.8/open-uri.rb:164:in `open_loop'
from /Users/jon/.rvm/rubies/ree-1.8.7-2011.03/lib/ruby/1.8/open-uri.rb:162:in `catch'
from /Users/jon/.rvm/rubies/ree-1.8.7-2011.03/lib/ruby/1.8/open-uri.rb:162:in `open_loop'
from /Users/jon/.rvm/rubies/ree-1.8.7-2011.03/lib/ruby/1.8/open-uri.rb:132:in `open_uri'
from /Users/jon/.rvm/rubies/ree-1.8.7-2011.03/lib/ruby/1.8/open-uri.rb:518:in `open'
from /Users/jon/.rvm/rubies/ree-1.8.7-2011.03/lib/ruby/1.8/open-uri.rb:30:in `open'
```

It works fine under Ruby 1.9.2 or the regular 1.8.7. I tried repackaging OpenSSL and installing ree to link against that, as mentioned on the RVM OpenSSL page, but it had no effect. I'm on OS X 10.6.7, but I'm seeing the same problem with our OpenSolaris REE installation.

Any suggestions would be massively appreciated.

the Tin Man
Jonathan del Strother

1 Answer

It sounds like it isn't correctly picking up the location of the trusted CA certificates - REE must have a different compiled-in default location, which is incorrect for your system.


For posterity:

The OP's problem was solved by downloading http://curl.haxx.se/ca/cacert.pem and copying it to /opt/local/etc/openssl/cert.pem.

caf
  • Yeah, I've been trying to add certificates to the /opt/local/etc/openssl directory, but can't persuade ruby to see them. Not quite sure what I'm missing. – Jonathan del Strother May 24 '11 at 20:43
  • @jdelStrother: Have you used the `c_rehash` utility in that directory to create the hash links? That's necessary. – caf May 24 '11 at 22:40
  • Yep. I should be able to just grab cacerts.pem from, e.g., http://curl.haxx.se/ca/cacert.pem, copy it to /opt/local/etc/openssl, run c_rehash to create the symlink, and it ought to start working...right? Or do I need to somehow break cacert.pem out into separate certificates? – Jonathan del Strother May 25 '11 at 08:13
  • @jdelStrother: OpenSSL can have a default CA *path*, and/or a default CA *file*. `cacert.pem` would be for the latter - you should just have to rename it (or create a symlink pointing to it) to the single name that REE is using for the default CAfile. `/opt/local/etc/openssl` may be the default CApath, in which case you would need broken-out certificates - you could get those from the [Debian `ca-certificates` package source file](http://packages.debian.org/source/squeeze/ca-certificates). – caf May 25 '11 at 10:02
  • Thanks for the pointer about CAfile vs CApath - I finally realised that it wasn't actually searching for all certificates in that directory, so it needed a particular name. Moving that cacert.pem bundle to /opt/local/etc/openssl/cert.pem has finally fixed things, I think. – Jonathan del Strother May 25 '11 at 10:53
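
The CAfile versus CApath distinction from the answer and its comments, as an added Ruby example that is not part of the original thread: it prints the default locations this Ruby's OpenSSL reports and reproduces the three layouts in a temporary directory with a constructed self-signed CA. The helper names and the use of `cert.pem` inside the temporary directory are assumptions for illustration.

```ruby
require 'openssl'
require 'tmpdir'

# Where this Ruby's OpenSSL looks by default (environment overrides win).
def default_ca_locations
  { :ca_file => ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE,
    :ca_dir  => ENV[OpenSSL::X509::DEFAULT_CERT_DIR_ENV]  || OpenSSL::X509::DEFAULT_CERT_DIR }
end

# Constructed sample data: a throwaway self-signed CA standing in for a real root.
def make_test_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Test CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# True if cert verifies against a store built from one CAfile and one CApath.
def trusted?(cert, ca_file, ca_dir)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file) if File.file?(ca_file)    # one bundle, one exact file name
  store.add_path(ca_dir) if File.directory?(ca_dir) # only <subject-hash>.<n> names are read
  store.verify(cert)
end

# Reproduce the thread's three layouts inside a temporary directory.
def demo_layouts
  ca = make_test_ca
  Dir.mktmpdir do |dir|
    expected = File.join(dir, 'cert.pem')           # assumed default CAfile name
    bundle = File.join(dir, 'cacert.pem')
    File.write(bundle, ca.to_pem)                   # bundle dropped in under the wrong name
    wrong_name = trusted?(ca, expected, dir)
    link = File.join(dir, format('%08x.0', ca.subject.hash))
    File.write(link, ca.to_pem)                     # stand-in for the link c_rehash creates
    hashed = trusted?(ca, expected, dir)
    File.delete(link)
    File.rename(bundle, expected)                   # the fix the thread settled on
    renamed = trusted?(ca, expected, dir)
    { :wrong_name => wrong_name, :hashed => hashed, :renamed => renamed }
  end
end

p default_ca_locations, demo_layouts
```

On the affected interpreter, the first hash printed shows which file name and directory to populate; the second shows that a bundle under any other name in that directory is never consulted.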