I'm using Rails 5 with Sentry installed. I have tested it locally and it already works; however, moving to production I am getting a certificate error when I boot up the console and test Sentry.capture_message("new test 2"), with the following error:
Event sending failed: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
Unreported Event: new test 2
exception happened in background worker: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
My code is as follows:
Sentry.init do |config|
  config.dsn = ENV["SENTRY_DNS"]
  config.breadcrumbs_logger = [:active_support_logger, :http_logger]
  config.traces_sample_rate = 0.25
  # %w[...] gives an Array of environment names; %[ staging ] would be a single String
  config.enabled_environments = %w[staging]
end
Your issue is that your server is attempting to verify the SSL cert when connecting to Sentry. For
Sentry.init do |config|
  # disables certificate verification for the Sentry transport (see the note below)
  config.transport.ssl_verification = false
  config.dsn = ENV["SENTRY_DNS"]
  config.breadcrumbs_logger = [:active_support_logger, :http_logger]
  config.traces_sample_rate = 0.25
  # %w[...] gives an Array of environment names; %[ staging ] would be a single String
  config.enabled_environments = %w[staging]
end
When attempting to send to Sentry, your server is failing to verify the SSL certificate correctly. You can cancel verification by adding the above option. This is a bit of a security hole, so the more correct way would be to set:
config.transport.ssl_ca_file = 'path to a valid local cert file'
instead.
I have a small Rails app that performs various checks on our platform and sends me an email in case of an issue. Everything was running fine until today, when I started getting alerts about the following error:
SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
Now, the problem is that the certificate in question is valid: it gets automatically renewed (Let's Encrypt), this code has been untouched for a couple of years, and it never had any issues before; suddenly this started to happen.
The code that throws the exception:
require 'net/http'
require 'uri'

def get_request(url)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  # more than 10 seconds is too slow for a health check
  http.open_timeout = 10
  http.read_timeout = 10
  request = Net::HTTP::Get.new(uri.request_uri)
  response = http.request(request)
  if response.code.to_i == 200
    return true
  else
    puts "Failed to GET #{url}: #{response.code.to_i}"
    return false
  end
end
If I open the site in the browser, it shows the secure connection without issues and shows that it is using a valid certificate; furthermore, if I check with certbot I get the following: Expiry Date: 2021-11-22 17:48:58+00:00 (VALID: 52 days), so clearly the certificate is valid. Why is Rails suddenly throwing a tantrum about it?
Note that I have restarted Nginx just in case; that didn't help.
Additional info: Ubuntu 16.04.5, OpenSSL 1.0.2g 1 Mar 2016, Rails 4.2, Ruby 2.6.5
EDIT:
This error also happens with a different url, which also has a valid certificate.
EDIT 2:
I've isolated the problem: it is related to the Let's Encrypt DST Root CA X3 certificate that has expired. A lot of people are dealing with this issue; I'll report my solution once I find one.
So, after reading through this long thread on the Let's Encrypt community forum, the solution for my case ended up being to remove the DST Root CA X3 certificate:
sudo rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
sudo update-ca-certificates
After that, no more errors from OpenSSL.
I know there are lots of discussions regarding this error, but sorry to say I'm unable to find any working solution there.
I'm developing an ecommerce site using ShareTribe. I'm trying to implement PayPal as the payment gateway, so I'm using ActiveMerchant.
Everything works fine on the development machine, but when I deploy my Rails app to production it throws
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)
I'm initializing ActiveMerchant as follows:
config.after_initialize do
  ActiveMerchant::Billing::Base.mode = :test
  paypal_options = {
    login: "bla bla",
    password: "bla bla",
    signature: "bla bla",
    appid: "APP-80W284485P519543T"
  }
  ::EXPRESS_GATEWAY = ActiveMerchant::Billing::PaypalExpressGateway.new(paypal_options)
end
I'm trying to add the PayPal PEM certificates on production, but I don't have any idea how to link this file with ActiveMerchant. Any help will be appreciated.
Thank you
Create a file active_merchant.rb in initializers & put the below code:
ActiveMerchant::Billing::Base.mode = :test
GATEWAY = ActiveMerchant::Billing::PaypalGateway.new(
  :login => "bla-bla",
  :password => "bla-bla",
  :signature => "bla-bla"
)
SSLv3 was proven to be insecure with the POODLE vulnerability. You should make sure that your system has the latest version of OpenSSL so that you can use TLSv1.2.
I am trying to parse an HTTPS XML feed via Nokogiri but I get this OpenSSL error:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
I can also see the SSL_CERT_FILE:
echo $SSL_CERT_FILE
/home/user/certs/cacert.pem
This is how I am trying to parse:
require 'open-uri'
require 'nokogiri'
@feed = "https://example.com/feed1.xml"
doc = Nokogiri::XML(open(@feed))
I tried to bypass the OpenSSL verification, but I still get the same error:
doc = Nokogiri::XML(open(@feed, { ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE }))
Can anyone help?
This problem usually appears on Windows.
One quick solution is to pass ssl_verify_mode to open:
require 'open-uri'
require 'openssl'
open(some_url, ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE)
Another quick one is overriding OpenSSL::SSL::VERIFY_PEER at the beginning of your script by doing:
require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
Those who want a real solution can try the method described at https://gist.github.com/fnichol/867550
I am using https://github.com/ruby-ldap/ruby-net-ldap (net-ldap) gem to verify the authenticity of a user in my rails app. But before passing data to the ldap server, I need to verify that I am talking with the same secure server.
Is there a workaround which allows me to verify the certificate in Ruby?
Additional details: (things I have tried)
The certificate which was passed on to me is the same as the one I see when I run:
openssl s_client -showcerts -connect "<host>:<port>" </dev/null 2>/dev/null|openssl x509 -outform PEM
I used http://www.ldapsoft.com/ to connect to client's server
Unless I add the certificate file given to me in Security > Manage server certificates, I get a warning saying unknown security certificate
I tried to do it manually first in plain Ruby (without the gem),
but I get the following error:
test-ssl.rb:23:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
Code:
require 'socket'
require 'openssl'

# trust store containing only the certificate the LDAP administrator handed over
cert_store = OpenSSL::X509::Store.new
cert_store.add_file "server-wildcard.crt"
io = TCPSocket.new("SECURELDAP.MYSITE.EDU", "636")
ctx = OpenSSL::SSL::SSLContext.new
#ctx.cert = OpenSSL::X509::Certificate.new(File.read("server-wildcard.crt"))
#ctx.client_ca = OpenSSL::X509::Certificate.new(File.read("server-wildcard.crt"))
#ctx.ca_file = "server-wildcard.crt"
#ctx.ca_path = "./"
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
ctx.cert_store = cert_store
conn = OpenSSL::SSL::SSLSocket.new(io, ctx)
conn.connect # raises OpenSSL::SSL::SSLError when the chain cannot be verified
I am posting my solution here for the sake of completeness.
net-ldap gem override to support certificate validation
https://gist.github.com/mintuhouse/9931865
Ideal Solution:
Maintain a list of trusted root CAs on your server
(If you are lazy like me, have a cron job which downloads the copy maintained weekly by curl from http://curl.haxx.se/ca/cacert.pem)
Override Net::HTTP to always use this trusted certificate list
As of today (late 2016), ruby-net-ldap supports this upstream! However, tls_options needs to be passed with verify_mode set to a value other than the default VERIFY_NONE.
# optional: create/pass your own cert_store
cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths # or add your own CAdir, &c.
# attributes documented for OpenSSL::SSL::SSLContext are valid here
tls_options = {
  verify_mode: OpenSSL::SSL::VERIFY_PEER,
  cert_store: cert_store
}
ldap = Net::LDAP.new(
  :host => host,
  :port => port,
  :encryption => {
    :method => :simple_tls, # could also be :start_tls
    :tls_options => tls_options
  }
)
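As an added example (not code from any of the answers above), this Ruby script shows what the "certificate has expired" failure in the Let's Encrypt thread and the VERIFY_PEER plus cert_store setup for net-ldap actually exercise: a throwaway CA key is published under two self-signed roots, one expired and one still valid, and a leaf is verified against an OpenSSL::X509::Store holding each. All certificates, the CA name and the host name are constructed here and stand in for the real ones.

```ruby
require 'openssl'

# Self-signed root for +key+ with the given validity window (constructed test data).
def make_root(key, not_after, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=Example Root CA")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 5 * 365 * 86400
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Leaf for +host+ issued by the CA key, as a web or LDAP server would present it.
def make_leaf(host, ca_cert, ca_key)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 100
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{host}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 60 * 86400
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{host}"))
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify +leaf+ against a store holding only +trusted+ roots, as Net::HTTP and
# net-ldap do under VERIFY_PEER. Returns [ok, OpenSSL error code, message].
def verify_against(leaf, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf)
  ok ? [true, 0, "ok"] : [false, store.error, store.error_string]
end

# One CA key under two roots: the old one expired yesterday (like DST Root CA X3),
# the re-issued one is still valid. The leaf itself is within its validity period.
CA_KEY = OpenSSL::PKey::RSA.new(2048)
EXPIRED_ROOT = make_root(CA_KEY, Time.now - 86400, 1)
VALID_ROOT = make_root(CA_KEY, Time.now + 365 * 86400, 2)
LEAF = make_leaf("secureldap.example.edu", VALID_ROOT, CA_KEY)

p verify_against(LEAF, [EXPIRED_ROOT]) # [false, 10, "certificate has expired"]
p verify_against(LEAF, [VALID_ROOT])   # [true, 0, "ok"]
```

The leaf is the same in both runs; only the trust anchor differs, which is why removing the expired root from the system store (as the Let's Encrypt answer did) or pointing cert_store at a current CA bundle makes the error go away.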
I have a Rails 3.2.8 app, with Ruby 1.9.3 on Ubuntu 12.04. It uses mechanize to connect to an https web site.
I am seeing this error intermittently:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
I do set the CA file:
Mechanize.new do |agent|
  agent.ssl_version = "SSLv3"
  agent.ca_file = Rails.root.join("lib/cacert.pem").to_s
end
I have also tried using cert_store:
cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths
Mechanize.new do |agent|
  agent.ssl_version = "SSLv3"
  agent.cert_store = cert_store
end
And setting the store explicitly:
cert_store = OpenSSL::X509::Store.new
cert_store.add_file Rails.root.join("lib/cacert.pem").to_s
Mechanize.new do |agent|
  agent.ssl_version = "SSLv3"
  agent.cert_store = cert_store
end
These errors appear regardless of which method I use to specify the CA/certificates (including relying on default behaviour). When I run the code manually from rails console, it works fine. Which of the above, if any, are correct? What else can I do to debug this?