Setting up SSL certificates
Developers on some systems will see the following error message when performing HTTPS requests:

```
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
```

This error can have 2 causes:

- You do not have the proper SSL certificates on your system. This would be the case if no browser or other system application can view SSL sites.

  To test, open https://encrypted.google.com/ in a browser. If it loads, your system has SSL certificates available. If not, you may be missing SSL certificates. This seems unlikely as most modern browsers install SSL certificates automatically.
- OpenSSL is unaware of where the SSL certificates are located on your system.
### Ubuntu

To locate your SSL certificate folder, type `openssl version -a`. You should see a response similar to:

```
OpenSSL 0.9.8o 01 Jun 2010
built on: Thu Feb 10 01:47:31 UTC 2011
platform: debian-amd64
options: bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int) blowfish(ptr2)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
OPENSSLDIR: "/usr/lib/ssl"
```
Append `/certs` to the `OPENSSLDIR` listed; here it would be `/usr/lib/ssl/certs`.

With this certs directory known, change your Faraday initializer to include this path as the `ca_path` option.

```ruby
require 'faraday'

# Point Faraday at the CA directory found above so certificates are verified.
connection = Faraday::Connection.new 'https://encrypted.google.com', :ssl => {
  :ca_path => "/usr/lib/ssl/certs"
}
```

HTTP requests using this object should now use that path for SSL certificates:

```ruby
connection.get '/search?q=asdf'
```
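The same lookup can be done from Ruby instead of reading `openssl version -a` by hand. The following is an added example, not code from the original page or from Faraday: it starts from the paths compiled into the OpenSSL that Ruby is linked against, honours `SSL_CERT_DIR` and `SSL_CERT_FILE`, and only returns a `ca_path` that actually contains hashed certificate names. The helper names `ca_ssl_options`, `hashed_cert_dir?` and `pem_bundle?` are hypothetical.

```ruby
require 'openssl'

# Added example: the helper names below are hypothetical, not Faraday or
# OpenSSL API. OpenSSL finds CAs in a directory by subject-hash file names
# such as "3513523f.0" (constructed sample; written by c_rehash or
# `openssl rehash`). A directory of plain .pem files without those names
# still produces "certificate verify failed".
HASHED_NAME = /\A[0-9a-f]{8}\.\d+\z/

def hashed_cert_dir?(dir)
  File.directory?(dir) && Dir.children(dir).any? { |n| n.match?(HASHED_NAME) }
end

def pem_bundle?(file)
  File.file?(file) && File.binread(file).include?('-----BEGIN CERTIFICATE-----')
end

# Returns a hash for Faraday's :ssl option with verification left on.
# SSL_CERT_DIR / SSL_CERT_FILE override the paths compiled into OpenSSL;
# SSL_CERT_DIR may list several directories separated by ":".
def ca_ssl_options(env = ENV,
                   default_dir: OpenSSL::X509::DEFAULT_CERT_DIR,
                   default_file: OpenSSL::X509::DEFAULT_CERT_FILE)
  dirs = (env[OpenSSL::X509::DEFAULT_CERT_DIR_ENV] || default_dir)
         .split(File::PATH_SEPARATOR)
  file = env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || default_file

  opts = { :verify => true }
  dir = dirs.find { |d| hashed_cert_dir?(d) }
  opts[:ca_path] = dir if dir
  opts[:ca_file] = file if pem_bundle?(file)
  if opts.size == 1
    # Fail loudly rather than fall back to an unverified connection.
    raise ArgumentError,
          "no usable CA certificates in #{dirs.inspect} or #{file.inspect}"
  end
  opts
end

# Usage (needs the faraday gem):
#   Faraday::Connection.new('https://encrypted.google.com', :ssl => ca_ssl_options)
```

If this raises on a Debian or Ubuntu system, the CA directory is usually missing or has not been rehashed, which is the second cause listed at the top of this page.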
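# Solutions to avoid

Some online posts suggest disabling SSL certificate verification with a command similar to the following:

```ruby
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
```

This will eliminate the `certificate verify failed` error. However, it is strongly discouraged in production code: you are weakening the encryption process by accepting unchecked security certificates, so the client no longer confirms which server it is talking to. Because the line redefines a constant, it affects every library in the process that refers to `VERIFY_PEER`, not only Faraday. This will open up your site to multiple types of cryptographic attacks.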