
OpenSSL Errors and Rails – Certificate Verify Failed

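Update: 11/09/2012
A fellow reader asked for a summary, so here it is:
When you run into errors like these while using or calling SSL APIs, how do you use RVM?
Quote: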

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B


Solution:
$ rvm remove 1.9.3 (or whatever version of ruby you are using)
$ rvm pkg install openssl
$ rvm install 1.9.3 --with-openssl-dir=$rvm_path/usr

# If you are using rvm and Homebrew, try:

$ rvm remove 1.9.3
$ brew install openssl
$ rvm install 1.9.3 --with-openssl-dir=`brew --prefix openssl`

#You may have to link your certs directory with /etc/ssl/certs:

$ rmdir $rvm_path/usr/ssl/certs
$ ln -s /etc/ssl/certs $rvm_path/usr/ssl


Still haven't solved your problem? Keep reading. My problem was solved.
OpenSSL Errors and Rails – Certificate Verify Failed – Gem::RemoteFetcher::FetchError


Are you getting an error “OpenSSL certificate verify failed” with Ruby?

Or an error “Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0”?

Here are suggestions.

This is a note for developers using the starter apps from the Rails Apps repository. Many others have found it helpful as well.
Error

You may have received an error message if you’ve tried to create a new Rails application.

For example, you may have entered:

$ rails new myapp

or created a new Rails application using an application template:

$ rails new myapp -m https://raw.github.com/RailsApps/rails-composer/master/composer.rb

and seen the following error message:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

or

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B

The error is not likely to occur when simply using gem install. (Does it? Leave a comment below.)

Here is an explanation and suggested solutions.
What is Happening

When creating a new Rails application, the Ruby language interpreter uses OpenSSL to connect to https://rubygems.org/. The Gemfile installed by the rails new command specifies https://rubygems.org/ as the source for gems and requires an SSL connection.

In the case of a new application generated from an application template hosted on GitHub, the Ruby language interpreter uses OpenSSL to connect to GitHub. GitHub requires all connections to be made using SSL.

The error message indicates the connection failed because OpenSSL was unable to verify the server certificate.

Prior to 20 April 2012, the error likely resulted when the certificate file on your computer was out of date, missing, or couldn’t be found.
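The failure described above can be reproduced offline. The following Ruby sketch is an added example, not code from the original article or from RubyGems: it builds a throwaway CA and server certificate in memory (all names and keys are constructed) and verifies the server certificate against a current, a missing, and an expired client-side CA file.

```ruby
require "openssl"

# Build a certificate for this example's constructed PKI (self-signed if no issuer).
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false,
              not_after: Time.now + 3600)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 86_400
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints",
                                         ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Verify +leaf+ against the CA certificates in +trusted+ (the client's cert file).
# Returns [verified?, OpenSSL error code, OpenSSL error string].
def verify_against(leaf, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |ca| store.add_cert(ca) }
  ok = store.verify(leaf)
  [ok, store.error, store.error_string]
end

# Same server certificate, three states of the client's trust store.
def demo
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  ca     = make_cert("/CN=Constructed Example CA", ca_key, ca: true)
  old_ca = make_cert("/CN=Constructed Example CA", ca_key, ca: true,
                     not_after: Time.now - 3600) # expired copy of the same CA
  leaf   = make_cert("/CN=gems.example.test", leaf_key,
                     issuer: ca, issuer_key: ca_key)
  { current_bundle: verify_against(leaf, [ca]),
    missing_bundle: verify_against(leaf, []),
    stale_bundle:   verify_against(leaf, [old_ca]) }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (ok, code, msg)| puts "#{name}: ok=#{ok} (#{code} #{msg})" }
end
```

The error string returned for the missing and stale cases is the detail OpenSSL hides behind the generic "certificate verify failed" message.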

On 20 April 2012, Ruby 1.9.3-p194 was released incorporating RubyGems 1.8.23 which included two security fixes:

    verification of server SSL certs is required when RubyGems connects to an https server
    RubyGems no longer allows redirects from https to http servers

This is the commit to RubyGems that implemented the security fixes: Insecure connection to SSL repository. Following the release, an issue was reported for an SSL_connect failure when running ‘rails new’.

Following the release of RubyGems 1.8.23, the RubyGems team identified a problem with misconfiguration of SSL certificates on the https://rubygems.org/ server. The RubyGems team fixed the SSL certificates on 24 April 2012.

RubyGems 1.8.23 was supposed to install a .pem file containing current SSL certificates but didn’t do so, according to this issue: “1.8.23 actually does not install pem file”. The commit “Install the .pem files properly” fixed the problem and was released on 27 April 2012 with RubyGems 1.8.24 (RubyGems changelog). The 1.8.24 release also eliminated a problematic dependency on OpenSSL for http connections.

At the current time (after 1 May 2012), if you are seeing an error when you create a new Rails application, it is likely that you need to update OpenSSL or certificate files on your computer. Users of older versions of Mac OS X and Ubuntu operating systems are likely to see these errors. Upgrading your OS will resolve the issues. Alternatively, you can update OpenSSL as described below.

Check RubyGems issues on GitHub and look for recent updates to the issue SSL_connect failure when running ‘rails new’. You may find more information on Stack Overflow, especially this discussion: Bundle install fails with SSL certificate verification error. And please read the comments below.
Diagnosis

What’s your operating system version?

$ uname -srv

You may need to upgrade if older than Mac OS X 10.7.3 (Lion) or Ubuntu 12.04 (Precise Pangolin).

Be sure you are using Ruby 1.9.3-p194 or newer:

$ ruby -v
ruby 1.9.3p194

Be sure you are using RubyGems 1.8.24 or newer:

$ gem -v
1.8.24

Update RubyGems if necessary:

$ gem update --system

Check your OpenSSL version:

$ openssl version

You should see OpenSSL 1.0.1 or newer. If not, try updating OpenSSL (see below).

A curl -I command should show that the rubygems.org file host is available and responding:

$ curl -I https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem
HTTP/1.0 200 OK
...

Try executing remote_fetcher directly to download a gem from the rubygems.org file host:

$ ruby -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")).bytesize'
Fetching: rake-0.9.2.2.gem (100%)

If you’ve updated OpenSSL or upgraded your OS, and you’re still getting the error “SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure”, run the diagnostic below and add your report to the issue SSL_connect failure when running ‘rails new’. Please supply details: OS version, Ruby version, RubyGems version, OpenSSL version, error message.

% ruby -d -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")).bytesize'
% ruby -rrbconfig -e 'p Dir.glob(File.join(RbConfig::CONFIG["sitelibdir"], "rubygems/ssl_certs/*"))'
% ruby -rhttpclient -e 'h = HTTPClient.new; h.ssl_config.verify_callback = proc { |ok, ctx|; p ctx.current_cert; ok }; h.get("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")'

You can try several workarounds to isolate the error conditions. Please don’t rely on a workaround for anything other than a temporary solution. Attempt the suggested resolutions (below) and file an issue report if they don’t work.
Workaround #1

Try changing your Gemfile to use an http connection for your gem source. Instead of source 'https://rubygems.org' use:

source 'http://rubygems.org'

This workaround is not an option if you are running rails new because the Gemfile is produced automatically from a template in the Rails library.
Workaround #2

Use the --skip-bundle option when you generate a new Rails application:

rails new myapp --skip-bundle

This workaround is not an option if you are using an application template to generate a new Rails application as most application templates will run commands that require a successful bundle install.
Workaround #3

Try toggling off the requirement to verify the SSL security certificate.

Create or modify the file called .gemrc in your home path and add the line:

:ssl_verify_mode: 0

For Mac OS and Linux, “home path” means ~/.gemrc. You can also create /etc/gemrc if you prefer. For Windows XP, “home path” means C:\Documents and Settings\All Users\Application Data\gemrc. For Windows 7, C:\ProgramData\gemrc. (Suggested by Andrew Fallows in a Stack Overflow discussion).

This is only a workaround. It opens a possible security vulnerability (discussed here).

Be sure to try possible solutions suggested below. Please leave a comment if they work (or don’t).
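Because workarounds #1 and #3 weaken transport security, it is worth checking that they were removed once the real fix is in place. The following Ruby check is an added example, not part of the original article: it flags a .gemrc that sets :ssl_verify_mode to 0 or lists http:// sources, and a Gemfile whose source uses http://. The sample file contents are constructed.

```ruby
require "yaml"
require "openssl"

# Findings for a .gemrc body: verification switched off, or plain-HTTP sources.
def audit_gemrc(text)
  conf = YAML.safe_load(text, permitted_classes: [Symbol]) || {}
  findings = []
  mode = conf[:ssl_verify_mode]
  if mode && mode.to_i == OpenSSL::SSL::VERIFY_NONE
    findings << ":ssl_verify_mode is #{mode} (VERIFY_NONE): server certificates are not checked"
  end
  Array(conf[:sources]).grep(%r{\Ahttp://}i).each do |src|
    findings << "gem source #{src} is fetched over plain HTTP"
  end
  findings
end

# Findings for a Gemfile body: any uncommented source declared with an http:// URL.
def audit_gemfile(text)
  text.each_line.with_index(1).map do |line, n|
    next if line =~ /\A\s*#/
    m = line.match(/\bsource\s*\(?\s*['"](http:\/\/[^'"]+)['"]/i)
    "Gemfile line #{n}: source #{m[1]} uses plain HTTP" if m
  end.compact
end

SAMPLE_GEMRC = <<~YAML # constructed sample with both workarounds left in place
  ---
  :sources:
  - http://rubygems.org
  :ssl_verify_mode: 0
YAML

SAMPLE_GEMFILE = <<~RUBY # constructed sample
  # source 'https://rubygems.org'
  source 'http://rubygems.org'
  gem 'rails'
RUBY

if __FILE__ == $PROGRAM_NAME
  puts audit_gemrc(SAMPLE_GEMRC), audit_gemfile(SAMPLE_GEMFILE)
end
```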
Solutions for rvm

If you are using Wayne Seguin’s rvm, the Ruby Version Manager, there is an option to install Ruby with an OpenSSL package. You may not need to upgrade your OS. Try:

$ rvm remove 1.9.3 (or whatever version of ruby you are using)
$ rvm pkg install openssl
$ rvm install 1.9.3 --with-openssl-dir=$rvm_path/usr

If you are using rvm and Homebrew, try:

$ rvm remove 1.9.3
$ brew install openssl
$ rvm install 1.9.3 --with-openssl-dir=`brew --prefix openssl`

You may have to link your certs directory with /etc/ssl/certs:

$ rmdir $rvm_path/usr/ssl/certs
$ ln -s /etc/ssl/certs $rvm_path/usr/ssl

Doesn’t work for you? Please add to the comments below.
Solutions for Mac OS

Mac OS 10.7 (Lion) has a current version of OpenSSL and certificate files and you are not likely to see an error (please leave a comment if you do). If you can update to Mac OS X 10.7.3, please do so.

Mac OS 10.6.8 and earlier versions are likely to have outdated versions of OpenSSL or certificate files.

Try updating your OpenSSL library using MacPorts. You’ll need to install MacPorts first.

$ sudo port sync; sudo port selfupdate; sudo port install openssl
...
$ openssl version
OpenSSL 1.0.1a 19 Apr 2012

If you don’t want to install MacPorts, you can compile OpenSSL from source:

curl -L -O http://www.openssl.org/source/openssl-1.0.1b.tar.gz.asc
curl -L -O http://www.openssl.org/source/openssl-1.0.1b.tar.gz
gpg --verify openssl-1.0.1b.tar.gz.asc
tar xvzf openssl-1.0.1b.tar.gz
cd openssl-1.0.1b
perl ./Configure shared zlib --prefix=/opt/local darwin64-x86_64-cc
make
make test
sudo make install

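Alternatively, some developers have suggested downloading an updated certificate file. This assumes you are using MacPorts and have a directory /opt/local/etc/openssl. Note that the command below fetches the CA bundle over plain HTTP, so the download itself is not authenticated; compare the file against a checksum obtained over a trusted channel before installing it as your trust store: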

$ cd /opt/local/etc/openssl
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
$ sudo mv cacert.pem cert.pem

If you find that the problem is not resolved by updating OpenSSL, please leave a comment below.

Doesn’t work for you? Please add to the comments below.
Solution for Windows

Fletcher Nichol shows how to download a cacert.pem file and set an environment variable to install the certificate authorities needed by the OpenSSL library.

You can also try hacking the open-uri source: How to Use an Application Template from Github when You’re Developing in Rails on Windows

Any advice to offer? Please add to the comments below.
Solution for Ubuntu

Ubuntu’s custom build of OpenSSL failed with the SSL server configuration used for the Cloudfront service (Amazon Web Services) used for RubyGems file hosting.

For Ubuntu 12.04, the openssl 1.0.1-4ubuntu5 package fixes the problem. The problem should be resolved when you install the update.

Newer versions of Ubuntu should not have the problem.

Any advice to offer? Please add to the comments below.