I’m trying to hack ActiveResource to use a self-signed certificate when
connecting to my RESTful rails app (seems like a pretty glaring hole
that it doesn’t offer this out of the box… though I guess it is alpha
software).
I started out going through the ActiveResource code looking for
somewhere I could set the cert and key. Didn’t find it, so I took the
approach of overriding Net::HTTP#cert and Net::HTTP#key to return my
cert and key:
(environment.rb)
require ‘net/https’
class Net::HTTP
def cert
OpenSSL::X509::Certificate.new(File.read(RAILS_ROOT +
“/config/certs/client_signed.pem”))
end
def key
OpenSSL::PKey::RSA.new(File.read(RAILS_ROOT +
“/config/certs/client.key”))
end
end
That still wasn’t working… I think I was getting an SSL error. So, I
took a detour off to write a standalone ruby script to do the connection
using the cert and key. After much trial and error, I finally got Apache
to accept the cert. I wasn’t able to get the actual data from the REST
service because my xml input gets url-encoded, but that’s ok… I really
want to get this working with ActiveResource, not by using Net:HTTP
directly.
The solution that ultimately made Apache happy with that standalone code
was to also set Net::HTTP.verify_mode to OpenSSL::SSL::VERIFY_PEER and
to provide the certificate authority file that I used to sign the cert
to Net:HTTP and Apache.
So, I added these things to environment.rb, giving me:
class Net::HTTP
def cert
OpenSSL::X509::Certificate.new(File.read(RAILS_ROOT +
“/config/certs/client_signed.pem”))
end
def key
OpenSSL::PKey::RSA.new(File.read(RAILS_ROOT +
“/config/certs/client.key”))
end
def ca_file
RAILS_ROOT + “/config/certs/cacert.pem”
end
def verify_mode
OpenSSL::SSL::VERIFY_PEER
end
end
But ActiveResource gives me no love… or rather Apache once again gives
me the error I was getting before I added the CA stuff to my standalone
script:
SSL Library Error: 336105671 error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
No CAs known to server for verification?
I’ve put debug statements in ActiveResource::Connection right before it
makes the call and it is ssl, it is verify peer, it has my cert, my key
and my cert authority… but it doesn’t work.
Any help, ideas, suggestions… anything would be great.
Ben