Reputation: 623
Ruby https with ca certification does not work while it worked with curl
In ruby, I try to do a ssl connection to a nginx server I setup locally, with an auto-signed certificate. My code is :
require "net/http"
require "net/https"
require "openssl"
require "uri"
require "pp"
request = Net::HTTP::Get.new("/")
response = Net::HTTP.start(
"localhost",
443,
{
:use_ssl => true,
:key => OpenSSL::PKey::RSA.new(File.read("/home/gg/crt/client.key")),
:cert => OpenSSL::X509::Certificate.new(File.read("/home/gg/crt/client.crt")),
:ca_file => "/home/gg/crt/ca.pem",
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
:verify_depth => 5,
}
) do |http|
http.request(request)
end
puts response.inspect
puts response.body
When I run it it return
/home/gg/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError)
from /home/gg/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:923:in `block in connect'
from /home/gg/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/timeout.rb:74:in `timeout'
from /home/gg/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:923:in `connect'
from /home/gg/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:863:in `do_start'
from /home/gg/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:852:in `start'
from /home/gg/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:583:in `start'
from testso.rb:8:in `<main>'
But I have the correct result if I run it with curl:
curl https://localhost --key crt/client.key --cert crt/client.crt --cacert crt/ca.pem
What am i doing wrong?
Upvotes: 5
Views: 3208
Answers (2)
Reputation: 57
To possibly help others, here is a working solution with Ruby 2.0, for an HTTP GET.
require "net/http"
uri = URI.parse('https://your_url.com')
http = Net::HTTP.new(uri.host, uri.port)
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ssl_version]=nil
http.use_ssl = true
http.ca_path='/etc/pki/tls/certs/'
http.ca_file='/etc/pki/tls/certs/YOUR_CERT_CHAIN_FILE'
http.cert = OpenSSL::X509::Certificate.new(File.read("YOUR_CERT)_FILE"))
http.key = OpenSSL::PKey::RSA.new(File.read("YOUR_KEY_FILE"))
#SSLv3 is cracked, and often not allowed
http.ssl_version = :TLSv1_2
#### This is IMPORTANT
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
#Crete the GET request
request = Net::HTTP::Get.new(uri.request_uri)
#Add Headers, if needed
request.add_field 'X_REMOTE_USER', 'USER_NAME'
request.add_field 'Accept', '*'
#Get Response
response = http.request(request)
#Review Response
puts response.body
Upvotes: 0
Reputation: 623
I feel dumb but figured out the problem.
When generating the different certificates I left some fields blank. It seems that openssl detected this certificate as "looking" autosigned.
Thus if we use OpenSSL::SSL::VERIFY_PEER the connection fails
So to be sure that the certificate is well generated using the CA you can do :
openssl verify -CAfile ca.crt server.crt
(and same command with client.crt)
if we get
error 18 at 0 depth lookup:self signed certificate
OK
The certificate is detected as autosigned and it fails
if we get
Signature ok
It should work
Upvotes: 1
Related Questions
- How do I resolve this error while increasing eager loading? "ERROR ThreadError: Attempt to unlock a mutex which is locked by another thread"
- Ruby SSL Error working with Evernote API (Mac, El Capitan)
- Rake db:migrate SQLite3::IOException: disk I/O error
- LoadError when creating ruby gem
- Test suite before upgrade to rails 4.2 from rails 3.2
- Ruby - Watir webdriver Timeout after browser.goto(url) even though URL is successfully loaded
- Ruby omniauth-oauth2 - A Errno::ENETUNREACH -Network is unreachable - connect(2)
- Why can't Net::FTP connect to server?
- How would I do a while statement with net/http if it keeps timing out?