Maybe you should parameter-encode the parameters (e.g. UserID=#{CGI.escape user} instead of UserID=#{user})?
Are you calculating the SHA1 correctly (maybe you should strip
whitespace off the body)?
These just off the top of my head. Also, we could help you better if
you provided the URL of the API. Also, consider using RestClient or
some other sensible means of consuming APIs (standard Net::HTTP is
quite low-level).
I’m sure everything works fine. Via the browser I have tried the actual
gets and those work. I also just tried it with the mechanize gem and got
it to work the way I wanted. This is the code I used with mechanize :
agent = Mechanize.new
challenge = agent.get(site_url + ‘__GetChallenge’)
result = Digest::SHA1.hexdigest(challenge.body + password.upcase)