SSL error on Heroku when using OAuth - ruby-on-rails

I am using the OAuth gem to do two-legged oauth verification, but when I try to use the access token I get the following error:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
/usr/ruby1.9.2/lib/ruby/1.9.1/net/http.rb:678:in `connect'
/usr/ruby1.9.2/lib/ruby/1.9.1/net/http.rb:678:in `block in connect'
/usr/ruby1.9.2/lib/ruby/1.9.1/timeout.rb:44:in `timeout'
/usr/ruby1.9.2/lib/ruby/1.9.1/timeout.rb:87:in `timeout'
Here's the code:
uri = construct_uri
consumer = OAuth::Consumer.new("key",
                               "secret",
                               :site => "remote site",
                               :request_token_path => "",
                               :authorize_path => "",
                               :access_token_path => "",
                               :http_method => :get,
                               :scheme => "query_string")
access_token = OAuth::AccessToken.new(consumer)
response = access_token.request(:get, uri)
The error occurs on the last line. This code had been working for a few months and seemed to break overnight. Also, what's strange is that this code works when I execute it in the local Rails console. From what I've read, I think it has to do with the OAuth gem not being able to find the file path to my certificates, although I'm not sure where to start debugging this on Heroku. On Heroku we're using SNI SSL.
There's a workaround detailed here: https://github.com/intridea/omniauth/issues/404
Put OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE in an initializer. Apparently this is a bug with the OAuth gem that's since been fixed.


Related

Why isn't a self signed SMTP Certificate ignored by Rails ActionMailer 6.1 / Ruby 3.0?

I can't get Rails ActionMailer 6.1 (with Ruby 3.0) to connect to an SMTP Mailer with a self-signed certificate.
All options that could possibly either use no TLS/SSL at all or to not verify the cert are set in config/production.rb and seem to be picked up properly by rails.
Any ideas what I might be missing?
ruby --version
ruby 3.0.3p157 (2021-11-24 revision 3fb7d2cadc) [x86_64-linux-musl]
RAILS_ENV=production myapp rails c
Loading production environment (Rails 6.1.4.6)
irb(main):001:0> mailer = ActionMailer::Base.new
=> #<ActionMailer::Base:0x00000000029c48>
irb(main):002:0> ap mailer.smtp_settings
{
:address => "smtpout.xxxxx.com",
:port => 25,
:enable_starttls => false,
:enable_starttls_auto => false,
:openssl_verify_mode => 0,
:ssl => false,
:tls => false
}
=> nil
irb(main):003:0> mailer.mail(from: 'user1@example.com', to: 'user2@example.com',
                 subject: 'test', body: "Hello, you've got mail!").deliver
/usr/local/lib/ruby/3.0.0/net/protocol.rb:46:in `connect_nonblock': SSL_connect
returned=1 errno=0 state=error: certificate verify failed (self signed
certificate) (OpenSSL::SSL::SSLError)
This boils down to the following: When I use the settings
enable_starttls_auto: false,
openssl_verify_mode: OpenSSL::SSL::VERIFY_NONE
it does perform TLS transmission and fails with state=error: certificate verify failed (self signed certificate) (OpenSSL::SSL::SSLError), which is doubly wrong in my eyes, as it should never even start a TLS handshake and, if it did, should skip certificate validation.
Rails uses the Mail-Gem to handle these options, which indeed had an incompatible change.
As a workaround in my case, removing the enable_starttls_auto setting completely (thus keeping TLS transmission) and only disabling the certificate validation with openssl_verify_mode: OpenSSL::SSL::VERIFY_NONE helped (but this will not help if you have other reasons to avoid TLS than having a bogus certificate).

SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A - Faraday::Error::ConnectionFailed

I've seen many answers here, but none of them has worked.
I'm using omniauth-oauth2 gem to integrate with a third-party customer.
I'm using the setup phase described here, but I'm always getting this error:
Authentication failure! failed_to_connect: Faraday::Error::ConnectionFailed, SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
Faraday::Error::ConnectionFailed (SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A):
.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect'
.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
My initializer at config/initializers is:
Rails.application.config.middleware.use OmniAuth::Builder do
  client_id = 'my_client_id'
  client_secret = 'secret'
  ca_file = Rails.root.join('config', 'cacert.pem').to_s
  ssl_options = {}
  ssl_options[:ca_path] = '/usr/local/etc/openssl'
  ssl_options[:ca_file] = ca_file
  provider :my_partner_provider, client_id, client_secret,
           :client_options => { :ssl => ssl_options },
           setup: ->(env) {
             req = Rack::Request.new(env)
             site = "https://#{req.params.fetch('shop')}"
             env['omniauth.strategy'].options[:client_options][:site] = site
           }
end
I've tried with and without ssl options.
To complement, here's my stack: https://gist.github.com/cleytonmessias/11274209
I've typed in terminal openssl s_client -showcerts -connect partnerurl.com:443 <<<OK and it returned this: https://gist.github.com/cleytonmessias/11288646
Does anyone know the solution to this issue?
Thanks to @mislav, who gave the hint to change the SSL version.
I had to change this because my partner has its application built using asp.net and uses this version of SSL. More info at https://mislav.net/2013/07/ruby-openssl/
So the final code is as follows:
Rails.application.config.middleware.use OmniAuth::Builder do
  client_id = 'my_client_id'
  client_secret = 'secret'
  ssl_options = {}
  ssl_options[:version] = :TLSv1
  ssl = {}
  ssl[:ssl] = ssl_options
  provider :partner, client_id, client_secret,
           client_options: { connection_opts: ssl },
           setup: ->(env) {
             req = Rack::Request.new(env)
             token_url = "https://#{req.params.fetch('shop')}"
             env['omniauth.strategy'].options[:client_options][:token_url] = token_url
           }
end

Net::HTTP call fails over SSL when in Rails environment

I have some code that makes a few Net::HTTP calls, some over https. This code works fine when used in irb;
however, when used from Rails or the Rails console I get an error:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
from /Users/kevzettler/.rbenv/versions/2.0.0-p353/lib/ruby/2.0.0/net/http.rb:918:in `connect'
I avoided the issue by passing the SSL verification mode manually, like in the following code.
uri = URI(@url)
req = Net::HTTP::Get.new(uri.path)
response = Net::HTTP.start(uri.host, uri.port,
                           :use_ssl => uri.scheme == 'https',
                           :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |https|
  https.request(req)
end
Quoted from here: https://github.com/matsubo/web_update_checker/blob/master/lib/web_update_checker.rb#L44

Error when I try to authenticate through Facebook with omniauth

I followed Ryan Bates' OmniAuth Part 1 railscast http://railscasts.com/episodes/235-omniauth-part-1 . I put in Twitter and Facebook authentication with their secret numbers, and when I try to authenticate through Facebook (auth/facebook) I get this error:
{
"error": {
"message": "Invalid redirect_uri: Given URL is not allowed by the Application configuration.",
"type": "OAuthException"
}
}
And when I try to authenticate through Twitter (auth/twitter) I get this 401 Unauthorized response. I don't know how I can correct it.
Thanks, I corrected it by entering http://127.0.0.1:3000 in the Twitter URL callback field and in the Facebook website field. But now when I try to authenticate with Facebook I get this error:
OpenSSL::SSL::SSLError
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed
How can I solve it? I solved it by putting OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE in development.rb
That error appears when your server runs on the http protocol. You need to add this piece of code in your_project/script/rails before APP_PATH:
require 'rubygems'
require 'rails/commands/server'
require 'rack'
require 'webrick'
require 'webrick/https'

module Rails
  class Server < ::Rack::Server
    def default_options
      super.merge({
        :Port => 3000,
        :environment => (ENV['RAILS_ENV'] || "development").dup,
        :daemonize => false,
        :debugger => false,
        :pid => File.expand_path("tmp/pids/server.pid"),
        :config => File.expand_path("config.ru"),
        :SSLEnable => true,
        :SSLVerifyClient => OpenSSL::SSL::VERIFY_NONE,
        :SSLPrivateKey => OpenSSL::PKey::RSA.new(
          File.open("/path_to_your/privatekey.pem").read),
        :SSLCertificate => OpenSSL::X509::Certificate.new(
          File.open("/path_to_your/servercert.crt").read),
        :SSLCertName => [["CN", WEBrick::Utils::getservername]]
      })
    end
  end
end
To generate self-signed certificates read this tutorial http://www.akadia.com/services/ssh_test_certificate.html (steps 1 to 4) or this www.tc.umn.edu/~brams006/selfsign.html
After updating your rails script change the url from http://127.0.0.1:3000 to https://127.0.0.1:3000
I get this problem fairly often with Twitter in development.
The issue is likely your callback url in your app settings. Try setting it to:
http://127.0.0.1
And try again. If it doesn't work from http://localhost:3000 then try it from http://127.0.0.1:3000
The problem with Facebook is also likely to be the callback URL in the app settings. For Facebook, my site url setting is: http://localhost:3000/

Foursquare & Heroku: certificate verify failed

I obtained a key/secret for userless access at the foursquare developer site and now I want to fetch data with the use of the foursquare2 gem:
@foursquare = Foursquare2::Client.new(:client_id => 'xxx', :client_secret => 'yyy')
This works fine on localhost but on Heroku I get the following error:
ActionView::Template::Error (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)
I didn't set up any SSL or Omniauth within the app.
Update: Found the solution! You have to pass in an ssl hash with the path to Heroku's certificates.
@foursquare = Foursquare2::Client.new(:client_id => 'xxx',
                                      :client_secret => 'yyy',
                                      :ssl => { :verify => OpenSSL::SSL::VERIFY_PEER,
                                                :ca_file => '/usr/lib/ssl/certs/ca-certificates.crt' })
I also noticed that problem under Ruby 1.9.3. After downgrading to Ruby 1.9.2 I didn't get that error anymore...
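The threads above offer three kinds of fix for "certificate verify failed": setting VERIFY_NONE (the Heroku answer, the Net::HTTP snippet, the development.rb change in the Facebook thread), keeping VERIFY_PEER and supplying the CA bundle path (the Foursquare answer), and pinning the client to :TLSv1 (the Faraday answer). The script below is an added example, not code from any of those posts or from the oauth, omniauth, foursquare2 or mail gems; it runs all three settings against an in-process TLS server so the outcomes can be compared offline. Everything about the server side is assumed: a throwaway self-signed certificate generated in code (what the self-signed-cert tutorials linked above produce, without the files on disk), a listener on 127.0.0.1 that only speaks TLS 1.2 and newer, a made-up request path, and a temp file standing in for the CA bundle path Heroku exposes.

```ruby
require "openssl"
require "socket"
require "tempfile"

# Added example, not code from the posts above or from the gems they use.
# A self-signed cert and an in-process TLS server on 127.0.0.1 stand in for
# the remote API; the request path and the temp-file "CA bundle" are made up.
HOST = "127.0.0.1"

# Throwaway self-signed certificate for HOST (SAN carries an IP entry so that
# hostname verification below has something to match).
def make_self_signed_cert(ip)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{ip}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "IP:#{ip}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Minimal HTTPS responder that only speaks TLS 1.2 and newer.
# Returns [port, stop_lambda].
def start_tls_server(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.key, ctx.cert = key, cert
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  tcp = TCPServer.new(HOST, 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    loop do
      begin
        conn = server.accept              # TLS handshake happens here
        conn.gets                         # request line; content ignored
        conn.write("HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
        conn.close
      rescue StandardError
        break if tcp.closed?              # listener shut down: exit loop
        next                              # a client rejected our cert/version
      end
    end
  end
  [tcp.addr[1], -> { tcp.close; thread.join }]
end

# One HTTPS GET with explicit TLS client settings, as Net::HTTP/Faraday would
# send it. Returns {status: :ok, protocol: "TLSv1.x"} on success or
# {status: :ssl_error, message: "..."} so the failure text stays visible.
def https_get(port, verify_mode:, ca_file: nil, min_version: nil, max_version: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_mode
  ctx.ca_file = ca_file if ca_file        # trust anchors (the "CA bundle")
  ctx.min_version = min_version if min_version
  ctx.max_version = max_version if max_version
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new(HOST, port), ctx)
  ssl.sync_close = true
  ssl.connect                             # chain validation runs here, if enabled
  # Chain validation alone never checks whom the certificate was issued to.
  ssl.post_connection_check(HOST) if verify_mode == OpenSSL::SSL::VERIFY_PEER
  ssl.write("GET /v2/venues HTTP/1.1\r\nHost: #{HOST}\r\nConnection: close\r\n\r\n")
  status, protocol = ssl.gets.to_s, ssl.ssl_version
  ssl.close
  { status: status.start_with?("HTTP/1.1 200") ? :ok : :bad_response, protocol: protocol }
rescue OpenSSL::SSL::SSLError => e
  ssl&.close
  { status: :ssl_error, message: e.message }
end

# Run the settings from the answers above against the local server.
def run_demo
  key, cert = make_self_signed_cert(HOST)
  port, stop = start_tls_server(key, cert)
  ca = Tempfile.new(["ca-bundle", ".crt"]) # stands in for /usr/lib/ssl/certs/...
  ca.write(cert.to_pem); ca.flush
  peer, none = OpenSSL::SSL::VERIFY_PEER, OpenSSL::SSL::VERIFY_NONE
  results = {
    verify_none:  https_get(port, verify_mode: none),  # "works" by trusting anyone
    peer_no_ca:   https_get(port, verify_mode: peer),  # the error quoted on this page
    peer_with_ca: https_get(port, verify_mode: peer, ca_file: ca.path),  # the real fix
    # Pin a floor, not one version: the best mutually supported version is used.
    floor_tls12:  https_get(port, verify_mode: peer, ca_file: ca.path,
                            min_version: OpenSSL::SSL::TLS1_2_VERSION),
    # A client capped at an old version cannot reach a TLS 1.2+ server at all.
    capped_tls11: https_get(port, verify_mode: peer, ca_file: ca.path,
                            max_version: OpenSSL::SSL::TLS1_1_VERSION)
  }
  stop.call
  ca.close!
  results
end

run_demo.each { |name, r| puts "#{name}: #{r}" } if $PROGRAM_NAME == __FILE__
```

The peer_no_ca entry reproduces the page's "certificate verify failed" message: VERIFY_PEER with no trust store to check against. VERIFY_NONE makes the same call succeed, but it would succeed just as happily against an interception proxy holding an OAuth token, which is why the Foursquare answer's form (VERIFY_PEER plus ca_file pointing at the platform's bundle) is the one to keep in production. The last two entries show why a minimum version is preferable to the :TLSv1 pin: a floor still negotiates TLS 1.3 where available, while a cap fails outright once the server moves on.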
