SSL_CERT errors when trying to talk to a hosted api

Question

SSL_CERT errors when trying to talk to a hosted api

Closed this issue 8 years ago · 6 comments

OS: Windows
Artifactory: Hosted
Mission: Upload an artifact using the artifactory api

When I try to upload, I get the following stack trace:

C:/bin/ruby21/lib/ruby/2.1.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
        from C:/bin/ruby21/lib/ruby/2.1.0/net/http.rb:923:in `block in connect'
        from C:/bin/ruby21/lib/ruby/2.1.0/timeout.rb:76:in `timeout'
        from C:/bin/ruby21/lib/ruby/2.1.0/net/http.rb:923:in `connect'
        from C:/bin/ruby21/lib/ruby/2.1.0/net/http.rb:863:in `do_start'
        from C:/bin/ruby21/lib/ruby/2.1.0/net/http.rb:852:in `start'
        from C:/bin/ruby21/lib/ruby/gems/2.1.0/gems/artifactory-2.3.0/lib/artifactory/client.rb:247:in `request'

The only other time I've seen this error is when trying to use gem with authenticated gem hosts. In that case I had to download cacert.pem and tell gem where to find it. I see that you (helpfully) have an ssl_pem_file property in the global config. I set it like this:

config.ssl_pem_file= File.join(My::Gem.root, 'config/cacert.pem')

Now I get this error:

C:/bin/ruby21/lib/ruby/gems/2.1.0/gems/artifactory-2.3.0/lib/artifactory/client.rb:234:in `initialize': Neither PUB key nor PRIV key: nested asn1 error (OpenSSL::PKey::RSAError)

For giggles, I set ssl_verify=false just to see if I had the artifact, urls, and locations set correctly. The file was uploaded like a champ when I did that. I understand that this is a huge security risk, so being satisfied that I've configured everything else correctly, I'm confident that the issue is SSL communication in Ruby on Windows.

I'm hoping you'll be able to tell me something that will help me get past this.

Thanks.

Answer 1 · 2015-09-02T20:36:14.000Z

So config.ssl_pem_file isn't for setting the CA cert bundle. You'll want to make that config globally in your Ruby install. Try moving that cacert.pem file to C:\PATH_TO_YOUR_RUBY\ssl\certs

Answer 2 · 2015-09-02T22:31:46.000Z

Thanks for getting back to me so fast. :)

I just ran the following command and I'm still getting the same error:

C:\bin\ruby21\lib\ruby\site_ruby\2.1.0\rubygems\ssl_certs>curl http://curl.haxx.se/ca/cacert.pem -o cacert.pem

`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

Any other ideas?

Answer 3 · 2015-09-03T14:06:14.000Z

@crmckenzie Looking at your output/command you still do not have things configured correctly. The cacerts.pem file should be installed at: C:\bin\ruby21\ssl\certs\cacert.pem. As an alternative you can also set the SSL_CERT_FILE environment variable to the fully qualified path to your cacert.pem file.

Answer 4 · 2015-09-03T16:56:19.000Z

I issued the following commands:

mkdir C:\bin\ruby21\ssl\certs
curl http://curl.haxx.se/ca/cacert.pem -o C:\bin\ruby21\ssl\certs\cacert.pem

At this point I get the same failure.

If I set the SSL_CERT_FILE environment variable, the gem works. (YAY!)

I wonder why the first solution doesn't work though.

Anyway, I've captured this knowledge in a powershell module I've been writing to manage my ruby environments on windows.

I can't thank you enough for your help.

Answer 5 · 2017-01-26T15:08:30.000Z

Is there a documentation fix to be made here or should this issue be closed with "nothing to fix"?

Answer 6 · 2017-01-27T15:21:48.000Z

Per the comments above using the SSL_CERT_FILE environment variable fixes the issue.