I was using app on two domains:
domain.com,
differentdomain.com
All calls from the app by RestClient was done on differentdomain.com. Right now i'm switching calls to domain.com because there is no need to have two different domains.
So i created subdomain different.domain.com. I have valid SSL certificate (with wildcard), properly set with nginx server.
When i enter different.domain.com in my browser i get page with valid ssl certificate. It's working ok without any bugs.
The problem is when i'm trying to call subdomain via RestClient. I'm getting this error:
RestClient::SSLCertificateNotVerified (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Do i need update cert/key somewhere else ?
Normally this SSL error indicates some issues in the certification installation such as missing intermediate certificate. You could verify your ssl certificate from https://www.ssllabs.com/ssltest/analyze.html
If you saw "Chain Issue: Incomplete", most likely you will need to re-install your intermediate certificate again (https://community.qualys.com/thread/11685)
give it a try.
Related
I have setup FTP server and enabled TLS/SSL to the server following this tutorial. Once the setup was done, I tried to connect to it from FileZilla and it worked. Now I want to do the same with my rails application.
I came across similar questions and there were some solutions. But all the solutions suggested ignoring the verification as:
OpenSSL::SSL::VERIFY_NONE
But this beats the purpose of having FTP server with TLS enabled.
I came across an article that suggested setting ssl: true like:
ftps = Net::FTP.new(
host,
ssl: true,
username: username,
password: password
)
However, this did not work. I get
SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)
I found some references about the parameters but am confused about how to use them.
You have a server with a self signed certificate, SSL will fail to verify that always. Right now you have three ways to solve that:
Change your code so it accepts self signed certificates (you already stated this won't work for you).
Request a valid certificate (Letsencrypt seems like a good option).
Use mkcert to create "valid" certificates for development.
If your FTP server is a public server, you should go with #2. #3 is a big help if you're just doing some experiments or setting a local development server.
I have a Rails app running on a Heroku server and I'm having trouble communicating with an external server using Net::HTTP over HTTPS. The error I'm receiving whenever I attempt to POST to an external proprietary API over HTTPS is:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
I've done quite a few hours of Googling around for an answer to the issue I'm encountering, but to no avail. Here's my environment:
Heroku Dyno running Cedar 14 (was running Cedar 10, upgraded to Cedar 14 to see if it would affect the issue - no joy)
Rails 3.2.14rc2
Ruby 2.1.2
"Fixes" I have tried:
Running the certified gem (which has actually seemed to help out with communication via Omniauth and Google's API)
Monkey-patch removing SSLv2, SSLv3 from the list of verification methods. When I attempt this in the console on Heroku's server, it appears to work well enough for GET methods, but appears ignore the adjustments completely when attempting to Run Net::HTTP::Post.new instead of Net::HTTP::Get.new
Manually overriding the certificate file location. I've specified it to use the authority file of the operating system (which on the Cedar-14 stack is up-to-date), but still no dice.
I have also tried manually specifying in on the Net::HTTP object to use ssl_version="TLSv1_2" with no luck (it even keeps reporting the same SSLv3 related error)
The communication appears to be working just fine when run locally in development (I've used the RVM override method suggested here), but the moment I try things on the Heroku server, I'm out of luck.
UPDATE: It appears this is not working locally either even with the RVM update.
Last, but not least, here is an abstracted variant of the code I'm running:
uri = URI.parse("https://api.mysite.com/api/v1")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = (uri.scheme == "https")
request = Net::HTTP::Post.new(uri.path, {'Content-Type' =>'application/json'})
request_body = "{\"post_body\": \"data1\"}"
response = http.request(request)
Anyone have any advice on what else I should be looking at?
Heroku can't verify your server's certificate is validly signed by a CA root it recognizes. This can be because either:
Your cert isn't signed by a CA or intermediate (ie, self-signed)
Your cert is signed by a CA that Heroku doesn't know about (unlikely)
The API server isn't providing the correct intermediate certs to help Heroku connect it to a valid CA root. (likely)
Try openssl s_client -showcerts -connect your-api-host.com:443 from your shell. You should see something like:
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.coffeepowered.net
verify return:1
You're specifically looking to make sure that all certs in the chain return verify return: 1. If this works from your shell, then your machine likely has root certs installed that your Heroku instance doesn't.
Without knowing exactly what certs your API server is returning, it's hard to answer this definitively, but you probably need to be serving an intermediate cert bundle along with the SSL cert itself. This intermediate cert bundle will be provided by your SSL certificate signer, and can be provided in Apache via SSLCertificateChainFile, or in nginx by concatening the intermediates with your cert (per this documentation).
If you can't alter the configuration of the API server, then your "Manually overriding the certificate file location" solution is probably very close to correct (it's the same thing as the server providing the intermediate cert, except the client does it), but you are likely not providing the correct certificate chain bundle for your API server's certificates. Make sure that you have the correct intermediate certificate chain provided to OpenSSL, and it should work as desired.
I was using iOS to connect to a server using a certificate whose CN (commonname) and FQDN (fully qualified domain name) is server.myexample.com. The server certificate was signed by my own Root CA (whose certificate I added to my anchor certs via SecTrustSetAnchorCertificates and verified via the method described here using NSURLAuthenticationChallenge).
With my iOS client, I was attempting to connect my REST service located at: server.myexample.com/Path1/service1, but I kept receiving the following error:
The certificate for this server is invalid. You might be connecting to a server
that is pretending to be “server.myexample.com” which could put your confidential
information at risk.
Error occurred while fetching https://server.myexample.com/Path1/service1: Error
Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid.
You might be connecting to a server that is pretending to be “server.myexample.com”
which could put your confidential information at risk."
I get additional messages with the same info but specifying the errors: NSErrorFailingURLStringKey and NSURLErrorFailingURLPeerTrustErrorKey.
I found that I could also call the service with server.myexample.com/service1 and removed Path1 from my request URL, and the server certificate verification worked correctly. Why is this? I was under the impression that the server only needed 1 certificate, meaning any services it hosts would also be using that same certificate. Maybe you need a separate server certificate per path? I was not aware the paths after the server ip address/domain needed to have their own certificate.
To summarize:
iOS client app with Root CA certificate in the anchor certs
Server server1's certificate signed by Root CA has a CN of server.myexample.com and whose FQDN is https://server.myexample.com.
Server server.myexample.com hosts service1 which can be accessed by web browser via:
https://server.myexample.com/service1 (passes iOS client's authentication of server)
https://server.myexample.com/Path1/service1 (FAILS iOS client's authentication of server)
CA and server certificates were created via OpenSSL
Thanks in advance!
I am trying to test my app with the Demo DocusignAPI at using the endpoint https://demo.docusign/net/restapi/v2/
Question: Is a self-signed SSL certificate acceptable when using the Demo endpoint?
I ask because when I try to use the create_envelope_from_document call, I get the following error message, and I'm trying to determine if my use of a self-signed certificate is contributing to the error:
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)
I am using ruby 1.9.3 and rails 3.2.13 on Ubuntu 12.04.
Are you talking about including an SSL cert for the event notifications? The only mention I see from their documentation when I search for "SSL" is the
signMessageWithX509Cert
property on the eventNofication object. This can be viewed on several of their api guide pages like this one.
In any case, with all of the comments that have come in on this thread so far I believe your issue is related to your certificates and not with the DocuSign API. Were you able to resolve this yet?
I'm using the acegi security plugin and I run the app -https. The cert is generated but I get a certificate warning when i visit the web page. I have then download the weak ssl plugin and added weakssl.trustAll =true to Config.groovy. But still getting the same warning. Have I left out anything?
The warning is normal. You can just accept the self-signed certificate. The weakssl module allows the Grails server to trust itself even if it provides a self-signed certificate. It has no effect whatsoever on the client. (Think what a horrible security hole it would be if you could just install some code on the server and get a client to accept a self-signed certificate without a warning!)
To solve your problem you need to either
manually tell your browser the certificate is OK by adding the certificate to your truststore
or
get a certificate from a trusted CA (Certificate Authority) a list of trusted CAs is stored in your browser. To get a certififate from a CA you need to proof your identity and pay (a lot) some money.
so I recommend you just accept the untrusted certifcate unless you want to buy a CA certificate.
The config you changed tells only the server to accept all certificates. i.e. if your server is connecting to another server