Forum: Ruby on Rails using certificates with ActiveResource

Ben Munat (Guest)
on 2007-03-29 11:04
(Received via mailing list)
I'm trying to hack ActiveResource to use a self-signed certificate when
connecting to my RESTful Rails app (seems like a pretty glaring hole
that it doesn't offer this out of the box... though I guess it is alpha
software).

I started out going through the ActiveResource code looking for
somewhere I could set the cert and key. Didn't find it, so I took the
approach of overriding Net::HTTP#cert and Net::HTTP#key to return my
cert and key:

(environment.rb)
require 'net/https'

class Net::HTTP
  def cert
    OpenSSL::X509::Certificate.new(File.read(RAILS_ROOT + "/config/certs/client_signed.pem"))
  end

  def key
    OpenSSL::PKey::RSA.new(File.read(RAILS_ROOT + "/config/certs/client.key"))
  end
end

That still wasn't working... I think I was getting an SSL error. So, I
took a detour off to write a standalone Ruby script to do the connection
using the cert and key. After much trial and error, I finally got Apache
to accept the cert. I wasn't able to get the actual data from the REST
service because my XML input gets URL-encoded, but that's ok... I really
want to get this working with ActiveResource, not by using Net::HTTP
directly.

The solution that ultimately made Apache happy with that standalone code
was to also set Net::HTTP.verify_mode to OpenSSL::SSL::VERIFY_PEER and
to provide the certificate authority file that I used to sign the cert
to Net::HTTP and Apache.

So, I added these things to environment.rb, giving me:

class Net::HTTP
  def cert
    OpenSSL::X509::Certificate.new(File.read(RAILS_ROOT + "/config/certs/client_signed.pem"))
  end

  def key
    OpenSSL::PKey::RSA.new(File.read(RAILS_ROOT + "/config/certs/client.key"))
  end

  def ca_file
    RAILS_ROOT + "/config/certs/cacert.pem"
  end

  def verify_mode
    OpenSSL::SSL::VERIFY_PEER
  end
end

But ActiveResource gives me no love... or rather Apache once again gives
me the error I was getting before I added the CA stuff to my standalone
script:

SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
No CAs known to server for verification?

I've put debug statements in ActiveResource::Connection right before it
makes the call and it is ssl, it is verify peer, it has my cert, my key
and my cert authority... but it doesn't work.

Any help, ideas, suggestions... anything would be great.

Ben
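
An added example, not part of the original post and not ActiveResource code: it sets the client certificate, key, CA and verify mode on a single Net::HTTP object through its public setters instead of redefining the readers class-wide, and first checks that the key matches the certificate and that the certificate chains to the CA. The helper names (`issue`, `preflight`, `mtls_connection`) are hypothetical, and the certificates are throwaway material constructed at run time in place of the PEM files named in the post.

```ruby
require 'net/http'
require 'openssl'

# Issues a throwaway certificate (constructed sample material, not from the post).
# With no issuer given, the result is a self-signed CA.
def issue(cn, issuer_cert = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  ca_flag = issuer_cert ? 'CA:FALSE' : 'CA:TRUE'
  cert.add_extension(ef.create_extension('basicConstraints', ca_flag, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Returns a list of problems with the client material; empty means consistent.
def preflight(cert, key, ca_cert)
  problems = []
  problems << 'private key does not match certificate' unless cert.check_private_key(key)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  problems << "certificate does not chain to CA: #{store.error_string}" unless store.verify(cert)
  problems
end

# Configures one connection object; no Net::HTTP method is redefined.
def mtls_connection(host, port, cert, key, ca_cert)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.cert = cert                              # certificate presented to the server
  http.key = key
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  http.cert_store = store                       # ca_file= takes a PEM path instead
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER  # verify the server's certificate
  http
end

CA_CERT, CA_KEY = issue('Constructed Test CA')
CLIENT_CERT, CLIENT_KEY = issue('constructed-client', CA_CERT, CA_KEY)
problems = preflight(CLIENT_CERT, CLIENT_KEY, CA_CERT)
puts problems.empty? ? 'client material is consistent' : problems
```
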