Using https and SSL with Ruby on Rails - ruby-on-rails

I've run into a bit of a problem with setting up my self-signed certificate to test out how it all works. I found a nice gist on GitHub, https://gist.github.com/trcarden/3295935#file-gistfile1-sh-L17, explaining how to do it simply enough.
It errors out on step 3, when entering this command into the Rails console:
$ openssl req -new -key server.key -out server.csr
The problem I run into is the following:
Unable to load config info from /usr/local/ssl/openssl.cnf
This is output from the Rails console, and it seems like a pretty standard error when searching for it on the internet. I've found lots of Q&A threads on various sites, but absolutely nothing I've managed to find does the trick.
Any advice on what to try out to solve this? Thanks

For anyone that has an issue like this, the problem was with using the rails WEBrick library for the server. I'm not sure exactly why, but simply switching to Thin server and using the thin start --ssl command instead of force_ssl with WEBrick fixed the issue. Feel free to post any additional info if you know of any reasons.

Related

How can I build an SSL cert/chain for the Rails pg gem to fix PG::ConnectionBad (SSL SYSCALL error: Connection reset by peer (0x00002746/10054))

My company seems to have recently made some sort of change to the Cisco Endpoint Ark blah blah blah setup on our corporate Windows laptops, and the SSL configuration has killed the ability of one of my programs to talk to a Postgres server hosted at Azure. E.g.,
C:\Users\xxxxx\Projects\stuff_and_things>rails c
Loading production environment (Rails 6.0.3.4)
irb(main):001:0> User.first
Traceback (most recent call last):
1: from (irb):1
PG::ConnectionBad (SSL SYSCALL error: Connection reset by peer (0x00002746/10054))
For 3 years, just specifying sslmode: require has been all I've needed for the pg gem to connect to my database server. I've played with the various sslmode and sslrootcert keywords in my database.yml file, but nothing I've tried has worked, and I'm not getting any hints or error messages about what the problem actually is. Rails can't get far enough in this process to even give me any messages in the log.
From other things I've read, I think I need to build a new, single cert that includes the whole chain of trust in one file, and specify that as root.crt, but I can't find any reference about how to do that. I know Rails is "old and busted" now, so finding any tips about this has been really difficult.
Does anyone have any clearer insight on how I could make the Rails pg gem happy again, or at least any way I could get better error messages from the process?
I recalled that I've had to work around this kind of SSL issue on our laptops before, to get bundler working. Thanks to that pointer to RubyInstaller's SSL FAQ, I got that to work after adding Cisco's Umbrella root and 2048 cert .pem's to the right place, and running a script that comes with RubyInstaller to rehash the cert stack. Notably, I was helped in this process through bundler's error messages, which told me that I needed those particular certs to satisfy the chain of trust.
Weighing in at 240KB, I finally realized that the .pem file that RubyInstaller's script had produced -- which is still keeping bundler happy -- was, in fact, the complete trust chain I needed to make the pg gem happy as well, so, in my database.yml, I've used:
sslmode: verify-full
sslrootcert: C:\Ruby25-x64\ssl\cert.pem
And this seems to have made Rails happy again. Now I have to figure out how I'm going to keep these settings separate between my Windows and Linux machines hitting the same production server...
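The idea above, that sslrootcert must point at one PEM file holding every CA needed to complete the chain, shown as an added Ruby example (not the poster's code). The certificate names, file names and the issue, verify_with_bundle and demo helpers are constructed for illustration; verification uses OpenSSL::X509::Store rather than libpq itself.

```ruby
require "openssl"
require "tmpdir"

# Issue a certificate for CN=cn, signed by (ca_cert, ca_key), or self-signed when ca_cert is nil.
def issue(cn, ca_cert, ca_key, ca:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = ca_cert ? ca_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(ca_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Verify leaf against the CA certificates in one PEM file, the role sslrootcert
# plays for libpq; sent_chain holds the certificates the server sends itself.
def verify_with_bundle(bundle_path, leaf, sent_chain)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path)
  [store.verify(leaf, sent_chain), store.error_string]
end

def demo
  # Constructed sample PKI: a public root, a corporate root and its inspection CA.
  public_root, = issue("Constructed Public Root", nil, nil, ca: true)
  corp_root, corp_key = issue("Constructed Corporate Root", nil, nil, ca: true)
  proxy_ca, proxy_key = issue("Constructed Inspection CA", corp_root, corp_key, ca: true)
  leaf, = issue("db.example.test", proxy_ca, proxy_key, ca: false)
  Dir.mktmpdir do |dir|
    stock = File.join(dir, "stock.pem") # lacks the corporate root
    full  = File.join(dir, "cert.pem")  # whole chain of trust in one file
    File.write(stock, public_root.to_pem)
    File.write(full, public_root.to_pem + corp_root.to_pem)
    { stock: verify_with_bundle(stock, leaf, [proxy_ca]),
      full:  verify_with_bundle(full, leaf, [proxy_ca]) }
  end
end

demo.each { |name, (ok, msg)| puts "#{name}: verified=#{ok} (#{msg})" } if __FILE__ == $PROGRAM_NAME
```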

Net/IMAP SSL error, 2.1.5 and 2.2.1, but 2.1.0 and 2.1.2 works

I have the problem that my development machine does not want to connect to my IMAP accounts any more. I know I must have changed something, but cannot think of anything relevant. But what I found is, that with ruby 2.1.0 and 2.1.2 my application works, but with 2.1.5 and 2.2.1 [edit: 2.2.2 failing, too] it does not work.
So I started debugging and extracted the parts that actually connect and throw the SSL error. The shortened script is the following:
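require 'net/imap'
@imap = nil
begin
  # Plain connection on port 143, then upgrade to TLS
  @imap = Net::IMAP.new("mail.example.com", {port: 143})
  # Second argument true: verify the server certificate
  @imap.starttls({}, true)
  @imap.login("username", "password")
rescue => e
  puts e
end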
The result with 2.0.0 and 2.1.2 is empty, so it worked. But with 2.1.5 and 2.2.1 [edit: and 2.2.2] I get the following error:
SSL_write: certificate verify failed
Of course I immediately checked the server's keychain, but it seems okay. It results in
Verify return code: 0 (ok)
though it has the line
verify error:num=20:unable to get local issuer certificate
but I read that this error is "normal". I cannot explain this error, as I included the certificates correctly with my dovecot server, but when searching the web it looks like everyone else is getting this line with most certificates, too, and it works. Also, like mentioned before, the verify return code is 0, so everything should work.
Do you have an idea if this is a problem with the mentioned line or if it's a bug with newer ruby versions? I could not find any clear search results regarding this.
PS: I need to use starttls, "ssl: true" gives me an unknown protocol error, as I enabled tls only.
edit2: I re-checked again. On the production server, 2.1.5 works. Could it be a problem with CA certificates on the development server or something? But why do older versions work then and newer don't?
--- edit: output as requested ---
I changed my real domain to domain.com in the bin. The host is a sub domain and the certificate a subdomain wildcard certificate from RapidSSL (*.domain.com).
http://pastebin.com/9BGK4w1w
Finally solved it by reinstalling OS X. For some reason it was a problem with my system, though I triple-checked everything from OpenSSL to rvm, Ruby, system-wide installed authority certificates and so on.
Thanks for your help :-)

Heroku SSL EndPoint -- update cert gives Internal server error

I have a COMODO wildcard SSL certificate that I am trying to replace my old SSL certificate with.
I followed the guides here:
https://devcenter.heroku.com/articles/ssl-endpoint
http://ryan.mcgeary.org/2011/09/16/how-to-add-a-dnsimple-ssl-certificate-to-heroku/
Based off of these, I combined them into one .pem:
cat STAR_[domain]_com.crt \
  EssentialSSLCA_2.crt \
  ComodoUTNSGCCA.crt \
  UTNAddTrustSGCCA.crt \
  AddTrustExternalCARoot.crt >> STAR_[domain]_com-bundle.pem
I then ran:
heroku certs:update STAR_[domain]_com-bundle.pem server.key
and I receive:
Updating SSL Endpoint hyogo-2759.herokussl.com for [heroku-app]... failed
! Internal server error.
! Run `heroku status` to check for known platform issues.
Thanks for your time
So, the skinny is that Heroku's error messages were not very good and/or were not expecting what I gave them, hence the Internal Server Error lacking any specifics.
Heroku got back to me and said they will look in to better error messages for this, but I doubt that will happen.
The solution:
Instead of using the .pem extension, use .crt

Rails 3.2 PrivatePub in production faye.js not found

I'm having an issue with a gem called private_pub that uses a faye gem and thin server.
This all works fine in development, but on the server I can get everything started up fine but on the page where I'm using private_pub I get an error in the js console (chrome) that says
GET http://myapp.example.com/faye.js 406 (Not Acceptable)
and when I view http://myapp.example.com/faye.js in the browser (url changed) I get an empty screen, where in development it displays all the js code. Also, in Chrome's developer tools I can see that in development the type is "Pending" and in production I'm seeing it passed as "text/html".
I've googled and googled and have come up with exactly nothing. Can anyone point me in the right direction?
Is there some special mime-type that is being passed here that I need to configure apache or rails to accept?
Thank you in advance
HAZZAH!
I figured it out.
I jumped through all kinds of hoops and am not 100% sure that the solution I found isn't working because of some of the other things I tried but...
First thing I tried was following a tutorial for installing Thin with a Rails app on Centos, (from Slicehost's docs) Slicehost Articles: CentOS - thin web server for Ruby and did a whole bunch of thin configurations. But I don't believe this was necessary because private_pub/faye is supposed to handle this all for you. (from what I understand)
One important thing is that I know you need to use the startup that private_pub describes, even though you can start thin directly.
RAILS_ENV=production bundle exec rackup private_pub.ru -s thin -D -E production
The '-D' makes sure that it runs as a background process.
In my private_pub.yml:
production:
  server: "http://myapp.example.com:9292/faye"
  secret_token: "{SECRET_TOKEN HERE}"
  signature_expiration: 3600 # one hour
I added in the port# here and it all works now.

How do I pass arguments to Thin in Rails 3.1+ to configure SSL?

I'm working on enabling SSL on a Rails app in a staging environment that uses the Thin gem. It seems like I'm only a few steps away. I've set config.force_ssl = true in config/environments/staging.rb.
Since I haven't told Thin where the SSL certificate and key are, rails puts !! Invalid request. At least I think that's why it's doing that.
I found that Thin can accept arguments to determine the location of the SSL certificate and key files, as in this answer. However, I can't figure out where to tell Rails to start Thin with these arguments. How do I do this?
If you're starting from the command line, you can run thin start --ssl instead of rails server (plus any other options listed in How can I pass SSL options into "rails server" in Rails 3.0?)
