How do I turn off certificate verification in a gem like jiraSOAP. the verification is inbuilt, but I really don't need that verification since the server & client are my properties. It should be doable to tweak the gem to stop this verification.
https://github.com/Marketcircle/jiraSOAP/blob/master/lib/jiraSOAP.rb
This cert verification error is stopping me moving on to my project. I have tried other solutions from forums, to upgrade my /etc/ssl/cert, adding OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE to my project. But none of them worked.
require 'jiraSOAP'
jira = JIRA::JIRAService.new "https://server/rpc/soap/jirasoapservice-v2?wsdl"
jira.login username, password
/usr/local/rvm/rubies/ruby-1.9.3-p125/lib/ruby/1.9.1/net/http.rb:799:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
I was able to solve it modifying the Handsoap gem to ignore cert check only for my host.
File to modify in the gems path -
handsoap-1.1.8/lib/handsoap/http/drivers/net_http_driver.rb
Modify after this new http client -
http_client = Net::HTTP.new(url.host, url.port)
Add this -
#Added these new lines below
if url.host == "server" #ignore cert check only for this host
http_client.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
Related
I am running a knife solo cook and started getting this error below. Did some searching and it seems it is due to the LetsEncrypt SSL ca needing updates. I updated these on the server and can wget the URL below just fine. But I still get this error w/ chef. I wasn't sure if there was some cache (I did clear out the local-mode-cache dir) or something I am missing here. Any help would be great! Thanks.
================================================================================
Error executing action add on resource 'postgresql_repository[pg repo]'
================================================================================
OpenSSL::SSL::SSLError
----------------------
apt_repository[postgresql_org_repository] (/home/ubuntu/chef-solo/local-mode-cache/cache/cookbooks/postgresql/resources/repository.rb line 76) had an error: OpenSSL::SSL::SSLError: remote_file[/home/ubuntu/chef-solo/local-mode-cache/cache/https___download_postgresql_org_pub_repos_apt_ACCC4CF8_asc] (/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.1.1/lib/chef/provider/apt_repository.rb line 199) had an error: OpenSSL::SSL::SSLError: SSL Error connecting to https://download.postgresql.org/pub/repos/apt/ACCC4CF8.asc - SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
Resource Declaration:
---------------------
# In /home/ubuntu/chef-solo/local-mode-cache/cache/cookbooks/rails_app/recipes/postgresql_server_single.rb
Update - I was able to solve this by editing /opt/chef/embedded/ssl/certs/cacert.pem on the server and removing the DST Root CA X3 certificate.
I have a Rails 4 app running omniauth-facebook & omniauth-twitter, but all attempts to login are met with a Faraday::SSLError -- SSL_connect returned=1 errno=0 state=SSLv3 read server key exchange B: bad ecpoint (for Facebook) and an OpenSSL::SSL::SSLError -- SSL_connect returned=1 errno=0 state=SSLv3 read server key exchange B: bad ecpoint (for Twitter.)
I have tried to disable SSL Peer verification completely with the following, but to no avail:
config/initializers/omniauth.rb
if Rails.env.development?
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
end
I've also tried a bunch of root certificate solutions, such as:
sudo port install curl-ca-bundle
but to no avail.
Any suggestions? Thanks.
http://ga.be/blog/2013/10/02/fixing-rubygems-ssl-issues-certificate-verify-failed/
The above link might help you just have a look.
It is just the error of SSL certificate.
The key to the solution is to search for the "bad ecpoint" error message. These search results point to an integration problem between Ruby und OpenSSL and will show you how to resolve the issue:
Why do I get "bad ecpoint" with OpenSSL::SSL::SSLError Stripe transaction?
"bad ecpoint" SSL error on fresh RVM Ruby 1.9.3 install on OSX Mountain Lion
I am trying to establish a connection using the SOAP gem, called Savon. I can't make sense from the documentation on the website, I have this URL: "https://www.example.com/loginWeb/rvu.aspx", and this credentials username: "user", password: "pass".
My code is this (rails console):
client = Savon::Client.new("https://www.example.com/loginWeb/rvu.aspx")
client.wsse.credentials 'user', 'pass'
I get this: (event trying with "digest")
HTTPI executes HTTP GET using the net_http adapter
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
I downloaded SoapUI and I get this error when I try to connect to the URL:
Error loading [http://www.example.com/loginWeb/rvu.aspx?WSDL]: org.apache.xmlbeans.XmlException: org.apache.xmlbeans.XmlException: error: Unexpected character encountered (lex state 3): '&
So what is going on ? Any help?
I suppose it's the same issue as here: you're trying to access a site with self-signed SSL certificate.
One way to fix it is to prevent Savon checking it:
client = Savon::Client.new("https://www.example.com/loginWeb/rvu.aspx")
client.http.auth.ssl.verify_mode = :none
client.wsse.credentials 'user', 'pass'
Rails: 3.0.5
Ruby: 1.9.2
apn_on_rails: 0.5.1
Suddenly started receiving Exception: "sslv3 alert certificate revoked" from apn_on_rails gem. However the notifications are still sent out to devices and the certificates are valid until 2013.
To Reproduce:
rails console.
create notification to one of existing devices.
not1 = APN::Notification.create(:device_id => devices[0].id, :sound => true, :badge => 1, :alert => "Testing")
Execute APN::App.send_notifications. (Note: APN::Notification.send_notifications is not at all sending any notifications and in turn calls APN::App.send_notifications)
Expected Output: Notification to be sent to device. No Exception thrown.
Actual Output: Notification sent to device. Exception thrown. Full stack trace of exception below:
ruby-1.9.2-p0 > APN::App.send_notifications
SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert certificate revoked
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert certificate revoked
from /gems/apn_on_rails-0.5.1/lib/apn_on_rails/libs/connection.rb:59:in `connect'
from /gems/apn_on_rails-0.5.1/lib/apn_on_rails/libs/connection.rb:59:in `open'
from /gems/apn_on_rails-0.5.1/lib/apn_on_rails/libs/connection.rb:23:in `open_for_delivery'
from /gems/apn_on_rails-0.5.1/lib/apn_on_rails/app/models/apn/app.rb:48:in `send_notifications_for_cert'
from /gems/apn_on_rails-0.5.1/lib/apn_on_rails/app/models/apn/app.rb:36:in `send_notifications'
As the stack trace indicates - the issue was within /gems/apn_on_rails-0.5.1/lib/apn_on_rails/app/models/apn/app.rb
In App.rb, in method self.send_notifications method:
def self.send_notifications
apps = APN::App.all
apps.each do |app|
app.send_notifications
end
if !configatron.apn.cert.blank?
global_cert = File.read(configatron.apn.cert)
send_notifications_for_cert(global_cert, nil)
end
end
Note: (if !configatron.apn.cert.blank?) The code checks for global certificate, whether you have defined this or not, it will check for "config/apple_push_develpment_certification.pem" and send notification with this certificate.
In my case, i had this file "config/apple_push_develpment_certification.pem" and i also add two different certificates for my iPhone and iPad apps defined by two configatron variables. Hence i encountered the certificate revoked issue and also my notifications were sent to devices.
To fix this:
define "configatron.apn.cert" to point to your new certificate in development.rb and production.rb files
I have a rake task that pulls and parses JSON data over an SSL connection from an external API.
I use a gem that wraps this external API and have no problems running locally, but the task fails when run on heroku with #<Curl::Err::SSLCaertBadFile: Curl::Err::SSLCaertBadFile>
I installed the piggyback SSL add-on, hoping it might fix it, but no dice.
Any ideas?
UPDATE
I managed to fix it by disabling ssl verification on the curl request previously set by the following two fields:
request.ssl_verify_peer
request.ssl_verify_host
I don't know enough about SSL to know exactly why the error was caused by these settings in a heroku environment or what the implications of disabling this are, aside from reduced security.
It is a bad idea to disable certificate checking. See http://www.rubyinside.com/how-to-cure-nethttps-risky-default-https-behavior-4010.html, http://jamesgolick.com/2011/2/15/verify-none..html and associated references for more on that topic.
The issue is that your HTTP client doesn't know where to find the CA certificates bundle on heroku.
You don't mention what client you are using, but here is an example for using net/https on heroku:
require "net/https"
require "uri"
root_ca_path = "/etc/ssl/certs"
url = URI.parse "https://example.com"
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = (url.scheme == "https")
if (File.directory?(root_ca_path) && http.use_ssl?)
http.ca_path = root_ca_path
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.verify_depth = 5
end
request = Net::HTTP::Get.new(url.path)
response = http.request(request)
Here is an example using Faraday:
Faraday.new "https://example.com", ssl: { ca_path: "/etc/ssl/certs" }
Good luck.