My company has a simple oauth server at https://auth.vitalvu.com
I'm developing a rails app that needs to make requests to that server (via the omniauth-oauth2 gem). When I try to run the app on Heroku I get the error:
Faraday::Error::ConnectionFailed: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
I've tested it as described here.
From the app's rails console on my local machine
connection = Faraday::Connection.new 'https://auth.vitalvu.com'
connection.get '/ping.json'
works just fine.
However, after pushing the app to Heroku, heroku run rails console
connection = Faraday::Connection.new 'https://auth.vitalvu.com'
connection.get '/ping.json'
results in the faraday error and
connection = Faraday::Connection.new 'https://auth.vitalvu.com', :ssl => {:ca_file => '/usr/lib/ssl/certs/ca-certificates.crt'}
connection.get '/ping.json'
results in the faraday error and
connection = Faraday::Connection.new 'https://auth.vitalvu.com', :ssl => {:ca_path => "/etc/ssl/certs"}
connection.get '/ping.json'
results in the faraday error
I'm not sure what else to try. Suggestions?
I run heroku restart three times - and than finally is starts to work.
Related
I'm having an error with gmail gem while trying to send a mail, this is working fine on local, and was working fine on heroku, but now im moving this app to a VPS server. This is the error:
e = g.compose do
to 'test#gmail.com'
subject 'testasea'
body 'test'
end
=> #<Mail::Message:25450040, Multipart: false, Headers: <From: .......>
e.deliver!
=> OpenSSL::SSL::SSLError: hostname does not match the server certificate
I've added this into an initializer file, without any luck:
ActionMailer::Base.smtp_settings = {
:enable_starttls_auto => true,
:openssl_verify_mode => 'none' # I've tested with 0 and false,
}
I tried to monkey path the class
OpenSSL::SSL::SSLSocket.class_eval do
def post_connection_check(hostname)
return true
end
end
with no luck, when I do that i receive a 535 Incorrect authentication data, however I know data is ok because i can do
g.inbox.count :read
And it returns me the right number.
I would like to know:
the incorrect certificate is the one my server (smtp client) is sending? or the one that is received by gmail smtp server?
why it works in local?
Why if i monkey path the class I received an authentication error?
Is there any workaround? i dont care if is not safe, is just a tenting application,.
This is only a guess, but if you are in a WHM VPS there is a function that restricts outgoing SMTP connections, you can find it in Tweak Settings.
Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)
It redirects all SMTP connections, If this is enabled you will receive your server self-signed ssl certificate, and if you bypass it using the monkey patch or setting configuration to dont check ssl certificate you will probably found an authentication error as you are in fact connecting to the LOCAL SMTP server.
Just disable it and test again.
I have a Rails 4 app running omniauth-facebook & omniauth-twitter, but all attempts to login are met with a Faraday::SSLError -- SSL_connect returned=1 errno=0 state=SSLv3 read server key exchange B: bad ecpoint (for Facebook) and an OpenSSL::SSL::SSLError -- SSL_connect returned=1 errno=0 state=SSLv3 read server key exchange B: bad ecpoint (for Twitter.)
I have tried to disable SSL Peer verification completely with the following, but to no avail:
config/initializers/omniauth.rb
if Rails.env.development?
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
end
I've also tried a bunch of root certificate solutions, such as:
sudo port install curl-ca-bundle
but to no avail.
Any suggestions? Thanks.
http://ga.be/blog/2013/10/02/fixing-rubygems-ssl-issues-certificate-verify-failed/
The above link might help you just have a look.
It is just the error of SSL certificate.
The key to the solution is to search for the "bad ecpoint" error message. These search results point to an integration problem between Ruby und OpenSSL and will show you how to resolve the issue:
Why do I get "bad ecpoint" with OpenSSL::SSL::SSLError Stripe transaction?
"bad ecpoint" SSL error on fresh RVM Ruby 1.9.3 install on OSX Mountain Lion
I am trying to establish a connection using the SOAP gem, called Savon. I can't make sense from the documentation on the website, I have this URL: "https://www.example.com/loginWeb/rvu.aspx", and this credentials username: "user", password: "pass".
My code is this (rails console):
client = Savon::Client.new("https://www.example.com/loginWeb/rvu.aspx")
client.wsse.credentials 'user', 'pass'
I get this: (event trying with "digest")
HTTPI executes HTTP GET using the net_http adapter
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
I downloaded SoapUI and I get this error when I try to connect to the URL:
Error loading [http://www.example.com/loginWeb/rvu.aspx?WSDL]: org.apache.xmlbeans.XmlException: org.apache.xmlbeans.XmlException: error: Unexpected character encountered (lex state 3): '&
So what is going on ? Any help?
I suppose it's the same issue as here: you're trying to access a site with self-signed SSL certificate.
One way to fix it is to prevent Savon checking it:
client = Savon::Client.new("https://www.example.com/loginWeb/rvu.aspx")
client.http.auth.ssl.verify_mode = :none
client.wsse.credentials 'user', 'pass'
Rails: 3.0.5
Ruby: 1.9.2
apn_on_rails: 0.5.1
Suddenly started receiving Exception: "sslv3 alert certificate revoked" from apn_on_rails gem. However the notifications are still sent out to devices and the certificates are valid until 2013.
To Reproduce:
rails console.
create notification to one of existing devices.
not1 = APN::Notification.create(:device_id => devices[0].id, :sound => true, :badge => 1, :alert => "Testing")
Execute APN::App.send_notifications. (Note: APN::Notification.send_notifications is not at all sending any notifications and in turn calls APN::App.send_notifications)
Expected Output: Notification to be sent to device. No Exception thrown.
Actual Output: Notification sent to device. Exception thrown. Full stack trace of exception below:
ruby-1.9.2-p0 > APN::App.send_notifications
SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert certificate revoked
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert certificate revoked
from /gems/apn_on_rails-0.5.1/lib/apn_on_rails/libs/connection.rb:59:in `connect'
from /gems/apn_on_rails-0.5.1/lib/apn_on_rails/libs/connection.rb:59:in `open'
from /gems/apn_on_rails-0.5.1/lib/apn_on_rails/libs/connection.rb:23:in `open_for_delivery'
from /gems/apn_on_rails-0.5.1/lib/apn_on_rails/app/models/apn/app.rb:48:in `send_notifications_for_cert'
from /gems/apn_on_rails-0.5.1/lib/apn_on_rails/app/models/apn/app.rb:36:in `send_notifications'
As the stack trace indicates - the issue was within /gems/apn_on_rails-0.5.1/lib/apn_on_rails/app/models/apn/app.rb
In App.rb, in method self.send_notifications method:
def self.send_notifications
apps = APN::App.all
apps.each do |app|
app.send_notifications
end
if !configatron.apn.cert.blank?
global_cert = File.read(configatron.apn.cert)
send_notifications_for_cert(global_cert, nil)
end
end
Note: (if !configatron.apn.cert.blank?) The code checks for global certificate, whether you have defined this or not, it will check for "config/apple_push_develpment_certification.pem" and send notification with this certificate.
In my case, i had this file "config/apple_push_develpment_certification.pem" and i also add two different certificates for my iPhone and iPad apps defined by two configatron variables. Hence i encountered the certificate revoked issue and also my notifications were sent to devices.
To fix this:
define "configatron.apn.cert" to point to your new certificate in development.rb and production.rb files
I have a rake task that pulls and parses JSON data over an SSL connection from an external API.
I use a gem that wraps this external API and have no problems running locally, but the task fails when run on heroku with #<Curl::Err::SSLCaertBadFile: Curl::Err::SSLCaertBadFile>
I installed the piggyback SSL add-on, hoping it might fix it, but no dice.
Any ideas?
UPDATE
I managed to fix it by disabling ssl verification on the curl request previously set by the following two fields:
request.ssl_verify_peer
request.ssl_verify_host
I don't know enough about SSL to know exactly why the error was caused by these settings in a heroku environment or what the implications of disabling this are, aside from reduced security.
It is a bad idea to disable certificate checking. See http://www.rubyinside.com/how-to-cure-nethttps-risky-default-https-behavior-4010.html, http://jamesgolick.com/2011/2/15/verify-none..html and associated references for more on that topic.
The issue is that your HTTP client doesn't know where to find the CA certificates bundle on heroku.
You don't mention what client you are using, but here is an example for using net/https on heroku:
require "net/https"
require "uri"
root_ca_path = "/etc/ssl/certs"
url = URI.parse "https://example.com"
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = (url.scheme == "https")
if (File.directory?(root_ca_path) && http.use_ssl?)
http.ca_path = root_ca_path
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.verify_depth = 5
end
request = Net::HTTP::Get.new(url.path)
response = http.request(request)
Here is an example using Faraday:
Faraday.new "https://example.com", ssl: { ca_path: "/etc/ssl/certs" }
Good luck.