Forum: JRuby OpenSSL::SSL::SSLError: certificate verify failed - JRuby, Mac OSX, and OpenSSL

Posted by Peter M. Goldstein (Guest)
on 2012-08-01 00:32
(Received via mailing list)
Hi All,

I'm hoping someone can help me squash an issue I'm running into in my
development environment.  I'm running the test suite for a particular
project, geocoder (https://github.com/alexreisner/geocoder).  The project
nominally supports JRuby, but the test suite didn't even load (much less
run green) under JRuby.

I've managed to update the code such that all tests except for one run
green.  That test, which makes an HTTPS connection to an external server,
fails with the following error:

OpenSSL::SSL::SSLError: certificate verify failed
    org/jruby/ext/openssl/SSLSocket.java:180:in `connect'

Doing a Google search indicated that this is likely a configuration issue,
where the JRuby code can't find the operating system's CA certs.  With that
guidance I was able to add an environment variable to my travis.yml file,
and get the test green in my CI environment (Ubuntu 11.10).  But I can't
find similar instructions/guidance for a Mac OSX environment.  So I'm in
the annoying position of having a test that is green in CI, but fails in
development.

I've got the following development environment:

Mac OSX Mountain Lion
JRuby 1.6.7.2 (managed via rbenv)
openssl 1.0.1c (installed via homebrew)

Can anyone point me to the solution for this problem on Mac OSX?  Or give
me a clue as to the relevant environment variables and likely settings?

Thanks in advance.

Best,

Peter
Posted by Maciej S. (maciej_s)
on 2012-08-07 13:39
Hi Peter,

All you need to do is:
export SSL_CERT_FILE=/opt/local/etc/openssl/cert.pem

good luck,
Maciek
Posted by Pricilla (Guest)
on 2012-08-14 04:56
(Received via mailing list)
Maciej S. <lists <at> ruby-forum.com> writes:

>
> Hi Peter,
>
> All you need to do is:
> export SSL_CERT_FILE=/opt/local/etc/openssl/cert.pem
>
> good luck,
> Maciek
>

Hi Maciek, I got the same problem Peter had. Where in my
project should I put this line "export
SSL_CERT_FILE=/opt/local/etc/openssl/cert.pem"?
In my method??? In my class???

Tks in advance
Posted by Maciej S. (maciej_s)
on 2012-08-14 11:25
Pricilla wrote in post #1072286:
> Maciej S. <lists <at> ruby-forum.com> writes:
>
>>
>> Hi Peter,
>>
>> All you need to do is:
>> export SSL_CERT_FILE=/opt/local/etc/openssl/cert.pem
>>
>> good luck,
>> Maciek
>>
>
> Hi Maciek, I got the same problem Peter had. Where in my
> project should I put this line "export
> SSL_CERT_FILE=/opt/local/etc/openssl/cert.pem"?
> In my method??? In my class???
>
> Tks in advance

Hi Pricilla,

1. You have to verify that the file is there:
/opt/local/etc/openssl/cert.pem (else google for the cacert.pem file and
download it to some/location)
2. Add a new line:  export SSL_CERT_FILE=/opt/local/etc/openssl/cert.pem
or some/location/cacert.pem
to your:
~/.bashrc
or
~/.bash_profile
or, like me, to the .rvmrc file in my project directory (but I've heard it's
not the best solution - but good for me).

regards,
Maciek
Posted by Tim Griffin (enwood)
on 2013-03-10 22:18
I'm going to post my experience so that perhaps no one else has to waste
an entire day trying to get around this problem.

On Mac OS X Mountain Lion, I was using JRuby 1.6.7.2, managed under RVM,
with jruby-openssl-0.7.7 gem installed.

I had the following code in a Rails 3.2.12 application:

require 'net/http'
require 'openssl'

class HttpsPoster
  # (rest of the class, including @@uri, is not shown in the post)
  def HttpsPoster.post(mpg_request)
    http = Net::HTTP.new(@@uri.host, @@uri.port)
    http.use_ssl = true
    # VERIFY_NONE: the server certificate is not verified
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    http.ca_file = "lib/cacert.pem"

    response = RespMod::Response.new

    http.start {
      http.request_post("/gateway2/servlet/MpgRequest", mpg_request.to_xml,
                        {'User-Agent' => 'RUBY - 2.5.0 - Resolver'}) {|res|
        response.from_xml(res.body)
      }
    }

    return response
  end
end


Every time JRUBY hit the line loading the certificate file (http.ca_file
=), the app choked with this error:

OpenSSL::SSL::SSLError
ib/cacert.pem
  org/jruby/ext/openssl/SSLContext.java:227:in `setup'

Not a particularly helpful message... it sure doesn't indicate what the
real problem is, and I still do not know. I may never know.

I tried different paths, I tried VERIFY_PEER, I tried different
jrubies; Man, I tried it all.

After hours and hours and hours of experimentation, I found that with
the tip listed above (downloading cacert.pem from
http://curl.haxx.se/ca/cacert.pem, and setting a shell environment
variable SSL_CERT_FILE to point to its location), my code worked again,

***BUT***

I had to comment out the line loading the certificate file (http.ca_file
=), and just let JRUBY load it using the path specified in the
environment variable.

Of course.

Hope that helps someone else out there with a hacking-induced neck ache.

Tim
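
Added example, not part of any post in this thread: a preflight check that resolves the CA bundle the way the thread describes (an explicit path, else SSL_CERT_FILE, else OpenSSL's default), fails with a readable message when the file is missing or holds no certificates, and keeps VERIFY_PEER on. The helper names are hypothetical and the sample certificate is constructed; it assumes the standard Ruby Net::HTTP and OpenSSL API.

```ruby
require 'net/http'
require 'openssl'

# Hypothetical helpers (not from the thread). Resolution order: explicit path,
# then SSL_CERT_FILE, then the default compiled into OpenSSL.
def resolve_ca_bundle(explicit = nil, env = ENV)
  path = explicit || env['SSL_CERT_FILE'] || OpenSSL::X509::DEFAULT_CERT_FILE
  full = File.expand_path(path) # a relative path resolves against Dir.pwd
  raise ArgumentError, "CA bundle not found: #{full}" unless File.file?(full)
  raise ArgumentError, "CA bundle not readable: #{full}" unless File.readable?(full)
  full
end

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Parse every certificate in the bundle so an empty or corrupt file fails here.
def load_ca_certs(path)
  pems = File.read(path).scan(PEM_CERT).uniq
  raise ArgumentError, "no certificates in #{path}" if pems.empty?
  pems.map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Build a Net::HTTP client that verifies the peer against the checked bundle.
def verified_http(host, port, ca_path = nil)
  store = OpenSSL::X509::Store.new
  load_ca_certs(resolve_ca_bundle(ca_path)).each { |cert| store.add_cert(cert) }
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http
end

# Constructed sample input: a throwaway self-signed CA for offline testing.
def constructed_ca_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Test CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end
```

Calling `resolve_ca_bundle` at boot prints the absolute path that will be used, which shows whether the bundle came from the argument, from SSL_CERT_FILE, or from the OpenSSL default.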