user1744442

Reputation: 11

Rails on heroku ActiveRecord::StatementInvalid (PGError: SSL error: cert already in hash table

I built Rails 3.2 apps with Devise and deployed them on Heroku. Does anyone have a solution for the following issue? After the sign-in operation, the following error occurs and the app responds with HTTP status 500.

2012-10-14T05:29:08+00:00 app[web.1]: : SELECT  "users".* FROM "users"  WHERE (lower(username) = '***' OR lower(email) = '***') LIMIT 1):
2012-10-14T05:29:08+00:00 app[web.1]:   app/models/user.rb:23:in find_for_database_authentication'
2012-10-14T05:29:08+00:00 app[web.1]:
2012-10-14T05:29:08+00:00 app[web.1]: ActiveRecord::StatementInvalid (PGError: SSL error: cert already in hash table
2012-10-14T05:29:08+00:00 app[web.1]:   app/controllers/users/sessions_controller.rb:9:in `create'
2012-10-14T05:29:08+00:00 app[web.1]:
2012-10-14T05:29:08+00:00 heroku[router]: POST agile-cliffs-6123.herokuapp.com/users/sign_in dyno=web.1 queue=0 wait=0ms service=45ms status=500 bytes=643

Actually, the Devise registration functions work fine, but sign-in doesn't work. This issue only occurs in production.

Upvotes: 1

Views: 647

Answers (1)

daveespo

Reputation: 589

Editing my non-answer from before: We finally found the core of the problem!

We're using the ruby-openid-apps-discovery gem because we have our app integrated with GApps Marketplace. We're using the gem in its raw form, but if you're using OmniAuth and have the google_apps strategy enabled, you're also using it.

It comes down to line 255 of http://code.google.com/p/ruby-openid-apps-discovery/source/browse/trunk/lib/gapps_openid.rb

The loading of the additional CA certificates (add_file) pollutes OpenSSL and the current Postgres SSL connection is corrupted.

@@store = OpenSSL::X509::Store.new
@@store.set_default_paths
@@store.add_file(ca_bundle_path)        

Your only option is to reconnect to Postgres or monkey patch the store() method and remove the call to add_file. The Heroku dyno already has the stock CA certs and that's enough to do the GApps OpenID discovery, apparently.

FYI, I tried doing a clean room repro of this problem with a blank Rails app with just OmniAuth and the google_apps strategy enabled and was unable to repro .. so perhaps it's the combination of this ruby-openid-apps-discovery gem and one other component in our app that's also playing OpenSSL games to contribute to the problem .. I'd file a bug against this gem but the project looks mostly dead and since I can't repro the problem cleanly, I can't say with 100% certainty that it's at fault.

Upvotes: 1
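
An added example, not code from the gem or from the answer above: one way to write a replacement store builder of the kind the answer describes. It relies on the default CA paths unless a bundle is passed, tolerates certificates that are already loaded, and empties OpenSSL's error queue before returning. The names `build_trust_store`, `constructed_cert` and `demo` are hypothetical, and the idea that leftover error-queue entries are what disturb the Postgres connection is an assumption, not something the page states.

```ruby
require 'openssl'
require 'tempfile'

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Hypothetical store builder: system CA paths first, an extra bundle only if
# one is passed (the answer reports the stock CA certs were enough).
def build_trust_store(extra_bundle_path = nil)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  stats = { added: 0, duplicates: 0 }
  pems = extra_bundle_path ? File.read(extra_bundle_path).scan(PEM_CERT) : []
  pems.each do |pem|
    begin
      # Adding certificates one at a time keeps a duplicate from aborting the rest.
      store.add_cert(OpenSSL::X509::Certificate.new(pem))
      stats[:added] += 1
    rescue OpenSSL::X509::StoreError => e
      # Some OpenSSL builds reject a certificate that is already in the store.
      raise unless e.message.include?('cert already in hash table')
      stats[:duplicates] += 1
    end
  end
  # OpenSSL.errors returns the queued errors and empties the queue, so nothing
  # from this code is left behind for other OpenSSL users in the process.
  stats[:drained] = OpenSSL.errors
  [store, stats]
end

# Constructed sample input: a throwaway self-signed certificate.
def constructed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-example')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Load a bundle that lists the same certificate twice, then verify against it.
def demo
  cert = constructed_cert
  Tempfile.create('bundle') do |f|
    f.write(cert.to_pem * 2)
    f.flush
    store, stats = build_trust_store(f.path)
    [store.verify(cert), stats]
  end
end
```

Whether the second copy is counted under `added` or `duplicates` depends on the OpenSSL build; either way the store is usable and the error queue is empty on return.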
