I am trying to configure a Rails 4.2.6 app to connect over SSL to a MongoDB cluster on compose.io. The app uses the mongo 2.4.1 and mongoid 5.1.5 gems. Compose.io MongoDB clusters use self-signed SSL certificates so I downloaded the CA certificate from compose.io and placed it in lib/certs/mongo-ca-bundle.pem.
My mongoid.yml file looks like this (redacted):
development:
clients:
default:
uri: mongodb://myuser:mypassword#some-host.dblayer.com:1111,some-other-host.dblayer.com:2222/mydb?ssl=true
options:
ssl_ca_cert: /path/to/myapp/lib/certs/mongo-ca-bundle.pem
The above configuration works perfectly when I run rails console and I can successfully run queries against collections in the compose.io database.
However, when I try to run rails server it crashes after 30 seconds with a "No server is available" error message:
[..]/mongo/server_selector/selectable.rb:115:in `select_server': No server is available matching preference: #<Mongo::ServerSelector::Primary:0x47167439625640 tag_sets=[] max_staleness=nil> using server_selection_timeout=30 and local_threshold=0.015 (Mongo::Error::NoServerAvailable)
[..]/mongo/cluster.rb:226:in `next_primary'
When I enable debug logging for mongoid it indicates that the problem is with the SSL handshake:
DEBUG -- : MONGODB | Server some-host.dblayer.com:1111 initializing.
DEBUG -- : MONGODB | SSL handshake failed. MongoDB may not be configured with SSL support.
I used to get the same error in the rails console until I added the ssl_ca_cert configuration. I did manage to get the server to connect by specifying ssl_verify: false but I don't consider that a valid workaround. How can I fix this? How come the console works but the server doesn't?
It seems I was missing a certificate in the CA-bundle causing the connection to fail. With the proper CA cert in the bundle, rails server can connect just fine.
The reason that rails console worked seems to be that it connects to the local mongodb instance even if I specify a different URL in mongoid.yml. This seems buggy to me, but I haven't investigated further.
Been banging my head against this and need to bounce thoughts against someone else. I keep getting locally:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
I get on heroku:
openssl::ssl::sslerror: ssl_connect returned=1 errno=0 state=sslv3 read server certificate b: certificate verify failed
My discourse instance has a SSL certificate from DNSimple, so that is all working perfectly. On heroku, since I just have a rails API, I opted not to get an SSL cert for that since heroku already provides you with one, and just use the URL from your heroku instance.
Now, I am able to use a Advanced Rest Client (Chrome extension) and make requests to my discourse instance no problem. Here is some code that I am using with the discourse_api gem.
discourse_client = DiscourseApi::Client.new('https://community.desta.co')
discourse_client.api_key = ENV['COMMUNITY_API_KEY']
# path to heroku cert, which I verified exists through `heroku run bash`
discourse_client.ssl(ca_file: '/usr/lib/ssl/certs/ca-certificates.crt')
discourse_client.api_username = 'system'
Maybe I'm misunderstanding certificates? Please help! Thanks
For anyone that may have this issue, I was able to fix it. I tested my SSL config at https://www.ssllabs.com/ssltest/analyze.html and realized I didn't have any intermediate certificates along with my primary certificate :(. Definitely overlooked that one, hope it helps anyone.
I have the problem that my development machine does not want to connect to my IMAP accounts any more. I know I must have changed something, but cannot think of anything relevant. But what I found is, that with ruby 2.1.0 and 2.1.2 my application works, but with 2.1.5 and 2.2.1 [edit: 2.2.2 failing, too] it does not work.
So I started debugging and extracted the parts that actually connect and throw the SSL error. The shortened script is the following:
require 'net/imap'
#imap = nil
begin
#imap = Net::IMAP.new("mail.example.com", {port: 143})
#imap.starttls({}, true)
#imap.login("username", "password")
rescue => e
puts e
end
The result with 2.0.0 and 2.1.2 is empty, so it worked. But with 2.1.5 and 2.2.1 [edit: and 2.2.2] I get the following error:
SSL_write: certificate verify failed
Of course I immediately checked the server's keychain, but it seems okay. It results in
Verify return code: 0 (ok)
though it has the line
verify error:num=20:unable to get local issuer certificate
but I read that this error is "normal". I cannot explain this error, as I included the certificates correctly with my dovecot server, but when searching the web it looks like everyone else is getting this line with most certificates, too, and it works. Also, like mentioned before, the verify return code is 0, so everything should work.
Do you have an idea if this is a problem with the mentioned line or if it's a bug with newer ruby versions? I could not find any clear search results regarding this.
PS: I need to use starttls, "ssl: true" gives me an unknown protocol error, as I enabled tls only.
edit2: I re-checked again. On the production server, 2.1.5 works. Could it be a problem with CA certificates on the development server or something? But why do older versions work then and newer don't?
--- edit: output as requested ---
I changed my real domain to domain.com in the bin. The host is a sub domain and the certificate a subdomain wildcard certificate from RapidSSL (*.domain.com).
http://pastebin.com/9BGK4w1w
Finally solved it by reinstalling OS X. For some reason it was a problem with my system, though I triple-checked everything from OpenSSL to rvm, Ruby, system-wide installed authority certificates and so on.
Thanks for your help :-)
I have a COMODO wildcard SSL certificate that I am trying to replace my old SSL certificate with.
I followed the guides here:
https://devcenter.heroku.com/articles/ssl-endpoint
http://ryan.mcgeary.org/2011/09/16/how-to-add-a-dnsimple-ssl-certificate-to-heroku/
Based off of these, I combined them in to one .pem:
cat STAR_[domain]_com.crt /
EssentialSSLCA_2.crt /
ComodoUTNSGCCA.crt /
UTNAddTrustSGCCA.crt /
AddTrustExternalCARoot.crt >> STAR_[domain]_com-bundle.pem
I then ran:
heroku certs:update STAR_[domain]_com-bundle.pem server.key
and I receive:
Updating SSL Endpoint hyogo-2759.herokussl.com for [heroku-app]... failed
! Internal server error.
! Run `heroku status` to check for known platform issues.
Thanks for your time
So, the skinny is that Heroku's error messages were not very good and/or were not expecting what I gave them, hence the Internal Server Error lacking any specifics.
Heroku got back to me and said they will look in to better error messages for this, but I doubt that will happen.
The solution:
Instead of using the .pem extension, use .crt
I am trying to use signet for OAuth to Google services. And get this error:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Following these questions:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
OmniAuth & Facebook: certificate verify failed
Seems the solution is either to fix ca_path or to set VERIFY_NONE for SSL.
The ca_path fix posted only works on Linux (port install) and the fix for VERIFY_NONE seems to be for faraday.
Is there a solution for Windows/signet gem?
Actually the best way I found to solve this in windows for Ruby itself, not just one gem, is to do the following:
Download https://curl.haxx.se/ca/cacert.pem into c:\railsinstaller\cacert.pem. Make sure you save it as a .pem file, rather than a text file.
Go to your Computer -> Advanced Settings -> Environment Variables
Create a new System Variable:
Variable: SSL_CERT_FILE
Value: C:\RailsInstaller\cacert.pem
Close all your command prompts, including your Rails server command prompt, etc.
Start a new ruby irb prompt, and try the following:
$irb>require 'open-uri'
$irb>open('https://www.gmail.com')
It should all work now just fine.
Solution for Windows, which I cobbled together from a few different answers:
Download https://curl.haxx.se/ca/cacert.pem and put it in YOUR_APP/lib/assets (or wherever)
In config/initializers/omniauth.rb:
#config/initializers/omniauth.rb
Rails.application.config.middleware.use OmniAuth::Builder do
provider :facebook, CUSTOMER_KEY, CUSTOMER_SECRET, {client_options: {ssl: {ca_file: Rails.root.join('lib/assets/cacert.pem').to_s}}}
end
Obviously, restart your server.
Footnotes:
You might be able to cut out a lot of the unnecessary certificates in the cacert.pem file to reduce the size. If you only need this solution for development, you could save the file outside of your project and do a if Rails.env.development? _provider line with the client_options hash_ else _provider line without client_options hash_ end
After too much searching and wasted time, I found a very simple solution to fix this issue in Ruby with Windows.
Two simple steps:
In command prompt write: C:\gem install certified
In your rb file add: require 'certified'
That's it.
Updating the rubygems package management framework solved this issue for me on Windows 7.
https://rubygems.org/pages/download
gem update --system # may need to be administrator or root
yes, I've set the omniouth.rb file in the initializers folder to this:
provider :facebook, FACEBOOK_KEY, FACEBOOK_SECRET, {:client_options => {:ssl => {:verify => false}}}
and this seems to work fine now. But don't use this for production.
Using the http:// URL instead of https:// make this easier to you
Change the gem source to http://rubygems.org/ by using the following line of command on your ruby command line
gem sources -a http://rubygems.org/
Adding onto DevDude's solution, but using Windows Powershell:
Download http://curl.haxx.se/ca/cacert.pem into c:\railsinstaller\cacert.pem
At the powershell prompt:
$env:SSL_CERT_FILE = 'c:\RailsInstaller\cacert.pem'
I was then able to run gem update successfully
Note: you can simply define that environment variable in your profile notepad $profile
Go to the rubygems-update download page: https://rubygems.org/gems/rubygems-update
Click on the Download link, and you'll download a file called rubygems-update-2.6.7.gem. At the command line, navigate to the directory you downloaded the .gem file to and type:
gem install rubygems-update-2.6.7.gem
(or whatever the filename was, if a newer version)
Then type:
update_rubygems
You can verify it's updated with:
gem --version
I had this error whilst trying to setup rails 5 on a windows machine, turns out I had to update the rubygem version to 2.6.7 and then it worked.
step 1 download rubygem from below
https://rubygems.org/downloads/rubygems-update-2.6.7.gem
step 2 - install by pointing to downloaded rubygems
gem install --local C:\rubygems-update-2.6.7.gem
step 3 - check new version is 2.6.7
gem --version
step 4 - now safely un-install rubygems-update gem
gem uninstall rubygems-update -x
step 5 tried to install rails 5 again
gem install rails --version 5.0.0
worked like a charm!
I got info from:
http://guides.rubygems.org/ssl-certificate-update/#installing-using-update-packages
I was able to eliminate the PATH or SYSTEM VARIABLE setting mentioned above by importing the certificate as a Trusted Authority.
Invoke certmgr.msc
Right-click the Trusted Root Certificate Authority folder.
Select "All Tasks"
Select "Import"
Select All Files in file type dropdown and select the cacert.pem file.
You should receive a message "Import Successful"
I believe the correct answer is to update your gem installer: rubygems-update. The explanation for why this is needed is found at: Ssl Certificate Updates
save your cacert.pmp file from https://curl.haxx.se/ca/cacert.pem and then add this file to location yourruby-installation folder\lib\ruby\2.3.0\rubygems\ssl_certs
for example:C:\Ruby23\lib\ruby\2.3.0\rubygems\ssl_certs
This helped me:
https://coderwall.com/p/ubl6iw/fix-ssl_connect-returned-1-errno-0-state-sslv3-read-server-certificate-b-certificate-verify-failed-openssl-ssl-sslerror
My ruby on rails project is posting data to an api internally, and it cannot verify the internal certificate.
These lines helped:
require 'https'
http = Net::HTTP.new('example.com', 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.cert_store = OpenSSL::X509::Store.new
http.cert_store.set_default_paths
http.cert_store.add_file('/path/to/internal.cert.pem')
Hope this can help.
I was also facing this issue when I installed older ruby versions. When I installed the latest Ruby version this problem went away. So basically the SSL certificate needed to be updated.
For people who are using rails 4.
Add this in devise.rb
require "omniauth-google-oauth2"
config.omniauth :google_oauth2, "CLIENT_ID", "CLIENT_SECRET", { access_type: "offline", approval_prompt: "", :client_options => {:ssl => {:verify => false}} }