OpenSSL certificate verify failed

Hi there,

I’m getting a “certificate verify failed” error when attempting to connect
via SSL to Facebook (I’m using the Omniauth gem to implement external
authentication). I’ve searched high and low for solutions to this issue,
and they all seem to lead back to the bug that’s already been filed in Jira:
http://jira.codehaus.org/browse/JRUBY-5010. The problem is that I can’t
seem to get that workaround to work in my case.

Here’s the situation:

  1. I’m running a Rails 3.0.5 application in Torquebox on Ubuntu 10.10.
     I’m running JRuby 1.6 final via RVM, and my app is running in 1.8.7
     mode right now.
  2. I’m using the Omniauth Gem to attempt connection to Facebook.
  3. This gem works just fine if I use the MRI (1.8.7 or 1.9.2).
  4. The test case listed in 5010 in the first comment is reproducible on
     my system, and indeed, prepending the SSL_CERT_DIR to the command does
     resolve the issue. However, Omniauth isn’t using open-uri either; from
     what I can tell, it’s calling the basic Net::Http code. I’ve posted a
     stack trace below.
  5. However, when I set the environment variable in Torquebox, or at the
     global level for the system, or manually set it in my
     config/environments/development.rb (or anywhere else in the global
     rails configuration, for that matter) I still get the “certificate
     verify failed” error when attempting to connect to Facebook. I’ve
     verified that I can access the ENV[‘SSL_CERT_DIR’] variable in Rails
     when I’ve set it in these various locations.
  6. If I disable verification of certificates for OpenSSL, this makes the
     error go away, but is obviously a gaping security hole.
  7. On my system, the location /usr/lib/ssl/certs (to match the
     /usr/bin/openssl path, per the 5010 comments) is symlinked to
     /etc/ss/certs.

Is there anything else I can try to resolve this issue? Are there any logs I
should be looking for to gather more information? Thanks for any help that
anyone can provide! I can move forward with development by disabling
verification, but can’t afford to deploy to production with disabled
certificates.


Regards,

Chris C.
Carter Ventures, LLC

I’m running into the same problem.
I wonder how you disabled the SSL certificate verification?

I added an initializer to Rails with one line in it:

OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

This disables certificate verification, which is a huge security hole. You
can probably get away with it during development, but when you deploy to
production you’re opening yourself up to a lot of issues if you talk to
external sites.

I’ve noticed there are a few other issues with OpenSSL on JRuby, so I may
need to defer my implementation of projects on that stack for a little
while, until they can finish off 1.9 support, with OpenSSL in particular.

On Thu, Apr 7, 2011 at 1:12 AM, Boris S. [email protected] wrote:


Regards,

Chris C.
Carter Ventures, LLC
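As an added example (not code from either poster), here is the alternative to the VERIFY_NONE initializer above: keep VERIFY_PEER on, build the trust store explicitly from SSL_CERT_FILE / SSL_CERT_DIR (falling back to OpenSSL's compiled-in defaults), and attach a verify_callback that records the exact reason OpenSSL rejected a certificate, which answers the "which logs should I look at" question. The host name and the env hash passed in are assumptions for illustration.

```ruby
require 'net/http'
require 'openssl'

# Build an X509 trust store the way OpenSSL's default store would, but
# explicitly, so the loaded paths are visible instead of guessed at.
# `env` is anything that responds to [] (ENV or a plain Hash).
def build_trust_store(env = ENV)
  store = OpenSSL::X509::Store.new
  file = env['SSL_CERT_FILE']
  dir  = env['SSL_CERT_DIR']
  store.add_file(file) if file && File.file?(file)
  store.add_path(dir)  if dir  && File.directory?(dir)
  # Only fall back to compiled-in defaults when neither override is given.
  store.set_default_paths if file.nil? && dir.nil?
  store
end

# Return a Net::HTTP client that verifies the peer (the secure setting the
# thread's initializer disables) and appends each verification failure to
# `log` so the reason is diagnosable rather than a bare
# "certificate verify failed".
def verified_http(host, port = 443, env = ENV, log = [])
  http = Net::HTTP.new(host, port)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER   # not VERIFY_NONE
  http.cert_store  = build_trust_store(env)
  http.verify_callback = lambda do |preverify_ok, ctx|
    unless preverify_ok
      log << "depth=#{ctx.error_depth} " \
             "subject=#{ctx.current_cert.subject} " \
             "error=#{ctx.error_string}"
    end
    preverify_ok   # never override OpenSSL's verdict, only observe it
  end
  http
end

# Stand-alone usage: configure a client for a hypothetical host without
# opening a connection; `log` fills in only when a real TLS handshake fails.
if __FILE__ == $PROGRAM_NAME
  failures = []
  client = verified_http('graph.facebook.com', 443, ENV, failures)
  puts "verify_mode=#{client.verify_mode} ssl=#{client.use_ssl?}"
end
```

Running a request through the client (`client.start { |h| h.get('/') }`) either succeeds with a verified chain or raises OpenSSL::SSL::SSLError while `failures` holds the depth, subject and error string of the certificate that was rejected.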