Rails 3, mail and OpenSSL problems - ruby-on-rails

I keep getting this error in my production environment:
OpenSSL::SSL::SSLError (hostname was not match with the server certificate)
I really don't know much about certificates. I have configured rails to use sendmail. Sendmail is working well in other php applications on the server.
I use Phusion Passenger.
I also have a redmine-app which uses sendmail and also works fine (but it runs rails 2.x)
Any idea how to solve this?

This means the SSL Certificate installed on the mail server did not match its hostname.
You can disable these exceptions, but then you are vulnerable to man-in-the-middle attacks.
The other option is to get a proper SSL Certificate (or install it correctly) for your mail server.
For more on SSL Certs I suggest superuser.com

Related

Error! Could not verify Stripe's SSL certificate.

I am trying to use Stripe with my Ruby app and keep getting this error:
Error! Could not verify Stripe's SSL certificate. Please make sure that your network is not intercepting certificates. (Try going to https://api.stripe.com/v1 in your browser.) If this problem persists, let us know at support@stripe.com. (Network error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed).
Why am I getting this? Any help would be greatly appreciated.
Thanks!
Stripe's Ruby bindings verify the HTTPS certificate on Stripe's servers (api.stripe.com) to ensure you're really communicating with Stripe and not with a malicious third-party (a.k.a. a "man-in-the-middle attack").
There are a number of reasons that can cause this error. First, you should make sure you're using the latest versions of the following:
the stripe-ruby gem
the rest-client gem
Ruby
OpenSSL
If you're working in a corporate environment, it's possible your firewall replaces HTTPS certificates in order to be able to decrypt HTTPS traffic. (This is essentially the same thing as a man-in-the-middle attack.)
If you're still having this issue, you can disable the SSL verification by including this line:
Stripe.verify_ssl_certs = false
However, I would strongly advise against doing this. It might be okay in a development environment, but you should never do this in a production environment.
EDIT: We're currently investigating this issue -- it seems it might have been introduced in a recent version of the stripe-ruby gem. For now, it seems downgrading to version 1.34.0 will fix the "Could not verify Stripe's SSL certificate" issue.
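An added example, not code from either answer above nor from Stripe or Rails, that shows with Ruby's standard openssl library the two separate checks behind the errors in the first two questions: the hostname check behind "hostname was not match with the server certificate", and the chain-of-trust check behind "certificate verify failed" (curl's error 60). All certificates are generated on the fly when the script runs, and the names (Example Root CA, api.example.com) are made up. It also shows the alternative to `verify_ssl_certs = false` for the intercepting-firewall case: verification passes once the intercepting CA is added to the trust store.

```ruby
require 'openssl'

# Issue a certificate for this example. Without an issuer it is self-signed
# (pass ca: true to make a root CA); with issuer: [cert, key] it is signed by
# that CA. Every certificate here is constructed on the fly; none is real.
def make_cert(cn, sans: [], ca: false, issuer: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3, required for extensions
  cert.serial     = rand(1..2**62)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  signer_cert, signer_key = issuer || [cert, key]
  cert.issuer = signer_cert.subject

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = signer_cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  unless sans.empty?
    cert.add_extension(ef.create_extension('subjectAltName', sans.map { |s| "DNS:#{s}" }.join(',')))
  end
  cert.sign(signer_key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Check 1: does the certificate name the host we dialled? This is the logic
# SSLSocket#post_connection_check runs, which raises the "hostname ... does not
# match the server certificate" SSLError. Note that when the certificate carries
# DNS subjectAltNames, the CN is not consulted at all.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Check 2: does the certificate chain up to a CA we trust? A failure here is
# "certificate verify failed". Returns [ok, reason].
def verify_chain(leaf, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  ok = store.verify(leaf)
  [ok, ok ? 'ok' : store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  root, root_key = make_cert('Example Root CA', ca: true)
  leaf, _ = make_cert('api.example.com', sans: ['api.example.com', '*.example.com'],
                      issuer: [root, root_key])

  puts hostname_matches?(leaf, 'api.example.com')    # true
  puts hostname_matches?(leaf, 'files.example.com')  # true, via the wildcard SAN
  puts hostname_matches?(leaf, 'api.example.org')    # false: the mail-server case

  # A certificate chaining to a CA the client does not know (a corporate
  # intercepting proxy, or a mis-installed server certificate) fails
  # verification. Importing that CA is the fix, not turning verification off.
  p verify_chain(leaf, [])      # [false, "unable to get local issuer certificate"]
  p verify_chain(leaf, [root])  # [true, "ok"]
end
```

The two checks are independent: a certificate can chain perfectly to a trusted root and still fail the hostname check (the first question), or name the host correctly and fail the chain check (the Stripe question). Disabling verification skips both, which is why the answers above warn against it outside development.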
Open terminal.
Run command $curl -v https://api.stripe.com
For an intermittent issue like the one I had, you may have to run this command 10 to 20 times back to back. Then stop and start again until you see the error.
The IP address it attempts to connect to should match an IP address of the domain you are trying to access. For stripe you can check valid ip addresses here https://stripe.com/docs/ips
If the IP address does not match or if the IP address is the same as your network then you could be experiencing man in the middle attack.
In my case I was experiencing this issue with AWS and Stripe because they use curl to connect, returning error 60: no alternative certificate subject name matches target host name.
A workaround is to edit /etc/hosts file.
Hard code an IP address of the endpoint
XXX.XXX.X.X api.stripe.com
This will stop the issue, but should be revisited because your application will fail in the future if the IP address for the endpoint is changed or removed.

Rails app is using SSL even though I don't want it to

I followed this tutorial "Rails with SSL in Development The Simple Way" and successfully set up SSL for a Rails app. Now I created a second Rails app and it is trying to use SSL even though I didn't configure it to.
I am wondering why this is happening and what I can do to stop it.
I did manage to get the second app working by following the steps in the tutorial, but I didn't intend to make it use SSL. Before doing that, it was throwing errors about invalid HTTP format and parsing failures, and my browser said SSL connection error - ERR_SSL_PROTOCOL_ERROR. I even made sure that config.force_ssl was set to false in application.rb.
The command to start the thin SSL server is thin start --ssl --ssl-key-file server.key --ssl-cert-file server.crt
which is slightly different than the deprecated command in the tutorial.
I'm on Linux Mint by the way.

Rails: local server handling SSL

I'm very surprised to find so little documentation on this topic, which quite a few developers must have faced before me.
We're changing our app to 100% HTTPS/SSL (as partial SSL doesn't make sense).
That's cool but before that, we need to migrate to it, hence to test it. Of course I found some basic information (here and here).
As I'd like my local environment to be as close as possible to the other ones in order to avoid unexpected errors, those solutions are not satisfying to me: they are OK for short-time testing of a feature, not more.
Here are the problems/questions I have:
Can I get a valid certificate for my local machine, to avoid the ugly warning step I can't even accept definitively on chrome?
Booting server with thin (thin start --ssl --ssl-verify --ssl-key-file server.key --ssl-cert-file server.crt), can I get same log messages as from rails server?
Can't I keep using rails server as a booting command (except by writing a dirty ALIAS ...)?
Summary question is can I make a config so that it is transparent for anybody to run the instance of our app locally in https?
I mean, absolutely everything's done in Rails to make development easy and production robust, but here there would be such a lack of good tools? I can hardly believe it ... or let's do it now!
Thanks for support! I'm using rails 3.2 with ruby 1.9.
Can I get a valid certificate for my local machine, to avoid the ugly warning step I can't even accept definitively on chrome?
This depends if you're using the actual certificate for your domain (eg. example.com), or generating one just for development. If you are using the actual certificate from production, you could simply edit your hosts file to have example.com resolve to localhost. Then visiting https://example.com should load your Rails app.
You'll probably also need to include this in your application.rb:
config.force_ssl = true
If you're generating your own certificate you'll need to go through the motions of creating a private Certificate Authority to avoid the SSL warning in Chrome. This is a lot more work and probably not worth it.
Booting server with thin (thin start --ssl --ssl-verify --ssl-key-file server.key --ssl-cert-file server.crt), can I get same log messages as from rails server?
You should be able to tail -f log/development.log from the root of your Rails app.
Can't I keep using rails server as a booting command (except by writing a dirty ALIAS ...)
This one is trickier as the server that runs when using rails s is WEBrick. You could try what's listed in this post here: Configuring WEBrick to use SSL in Rails 4
As an aside, the typical setup for a Rails app is to proxy it behind, say, an SSL-terminating nginx server. This way your Rails app doesn't need to know anything about SSL, as well as giving you a number of other benefits like being able to serve assets from nginx, load-balancing, virtual hosts etc.
If you're interested in setting up an environment that is identical to production I'd look into Vagrant.

Ruby on rails: force_ssl not redirecting from http to https when using thin start --ssl

I have been trying to configure my rails project to use SSL (application-wide) with thin (by adding the thin gem and placing config.force_ssl = true in application.rb) but as a result, I have an annoying problem.
When I start my rails server using rails s and try to access http://localhost:3000 it redirects to https://localhost:3000 which is correct, however it will complain about a missing SSL certificate:
SSL connection error
Unable to make a secure connection to the server. This may be a
problem with the server, or it may be requiring a client
authentication certificate that you don't have.
On the other hand, If I start my application using thin start --ssl and try to access http://localhost:3000 it doesn't redirect to https://localhost:3000 and complains about this:
No data received
Unable to load the webpage because the server sent no data.
but by accessing https://localhost:3000 it just shows certificate warning but it all works after agreeing to continue.
So my question is, how can I make http to https redirection work when using SSL with thin in development mode?
Perfect answer would contain possibility to start server normally by using rails s while SSL would be enabled application wide and accessing http redirects to https and all works! :)
Thanks in advance, I have been searching for hours but can't find an answer.
You should install your own openssl signed certificate.
You can find more information on this page
Your PC (as localhost) can self-sign an SSL certificate and your browser can accept it, but I think that the browser will not automatically accept a certificate with security on that layer. Maybe try adding your localhost certificate to the browser?
Verify config/environments/development.rb has the following line
config.force_ssl = true
Refer to the post thin with ssl support and ruby debug and the responses (from nathan and shree) that have more information on this subject:
Use ngrok (https://ngrok.com/). It's free. Installation is easy.
Just start up your server, then in another terminal window run
ngrok http 3000
ngrok will give you an address that loops back to your dev machine - something like http://randomstringhere.ngrok.io
Put that in your browser and you'll see it redirect to https://randomstringhere.ngrok.io, still routing to your server on port 3000
Here is the simplest solution.
https://makandracards.com/makandra/15903-using-thin-for-development-with-ssl
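An added example, not code from any answer above and not Rails' own implementation, that shows what config.force_ssl actually switches on: a stand-in for Rails' ActionDispatch::SSL middleware, written against the plain Rack contract (an env Hash in, a [status, headers, body] array out) so it needs neither Rails nor the rack gem. It also covers the proxy setup mentioned in the earlier answer: behind a TLS-terminating nginx or ngrok, the app sees a plaintext socket and learns the real scheme from X-Forwarded-Proto. The redirect can only run on requests that reach the app, which is why a plaintext request to a port where thin is speaking TLS only produces "No data received" rather than a redirect: the bytes never parse as an HTTP request, so the middleware never sees it. Host names and cookie values below are made up.

```ruby
# Stand-in for Rails' force_ssl middleware. Plaintext requests get a 301 to
# https; secure responses get an HSTS header and Secure-flagged cookies.
class ForceSSL
  DEFAULT_HSTS = 'max-age=31536000'.freeze   # one year, as Rails 3.2 sends

  def initialize(app, hsts: DEFAULT_HSTS)
    @app  = app
    @hsts = hsts
  end

  def call(env)
    return redirect_to_https(env) unless secure?(env)

    status, headers, body = @app.call(env)
    headers = headers.dup
    # Tell browsers to use https for this host from now on ...
    headers['Strict-Transport-Security'] ||= @hsts
    # ... and never send the session cookie over plaintext.
    headers['Set-Cookie'] = flag_cookies_secure(headers['Set-Cookie']) if headers['Set-Cookie']
    [status, headers, body]
  end

  private

  # Secure when the socket itself is TLS, or when a TLS-terminating proxy in
  # front of the app (nginx, ngrok) reports the original scheme in
  # X-Forwarded-Proto. Only the first value counts if several proxies appended.
  def secure?(env)
    return true if env['rack.url_scheme'] == 'https'
    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
  end

  # 301 to the same host, port and path over https. Keeping the port (as Rails
  # 3.2 does) is why http://localhost:3000 redirects to https://localhost:3000.
  def redirect_to_https(env)
    host  = env['HTTP_HOST'] || env['SERVER_NAME']
    query = env['QUERY_STRING'].to_s
    url   = "https://#{host}#{env['PATH_INFO']}"
    url  += "?#{query}" unless query.empty?
    [301, { 'Location' => url, 'Content-Type' => 'text/html' }, []]
  end

  # Rack joins multiple Set-Cookie values with newlines; flag each one.
  def flag_cookies_secure(set_cookie)
    set_cookie.split("\n").map { |c| c =~ /;\s*secure\b/i ? c : "#{c}; secure" }.join("\n")
  end
end

# A toy app standing in for the Rails application (constructed for the example).
DEMO_APP = lambda do |env|
  [200,
   { 'Content-Type' => 'text/plain', 'Set-Cookie' => '_app_session=abc123; path=/; HttpOnly' },
   ["hello from #{env['PATH_INFO']}"]]
end

def run(env)
  ForceSSL.new(DEMO_APP).call(env)
end

if __FILE__ == $PROGRAM_NAME
  plain = { 'rack.url_scheme' => 'http', 'HTTP_HOST' => 'localhost:3000',
            'PATH_INFO' => '/login', 'QUERY_STRING' => 'next=%2Fadmin' }
  p run(plain)                                            # 301 to https://localhost:3000/login?next=%2Fadmin
  p run(plain.merge('rack.url_scheme' => 'https'))        # 200, HSTS header, cookie flagged secure
  p run(plain.merge('HTTP_X_FORWARDED_PROTO' => 'https')) # 200: plaintext socket, but the proxy terminated TLS
end
```

With this in mind the setups in the answers above line up: `rails s` on plain http runs the redirect but then has no TLS listener to land on; `thin start --ssl` has the TLS listener but no plaintext one to redirect from; ngrok or nginx in front provides both, forwarding the scheme in X-Forwarded-Proto so the app's own check passes.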

SSL connection error in production mode rails 3.2.3 thin server

I have
config.force_ssl = true
in my environment/production.rb file so as to make every request secure with SSL and HTTPS.
I came to know that SSL can't be enabled in development mode. So, I started my thin web server in production mode and when I went to
https://127.0.0.1:3000
it's the same as in development mode (SSL connection error). I tried almost all the links on the first 6 pages fetched by Google. Does anybody have a solution to my problem?
P.S. I'm working on windows and I have client authentication certificate.
The problem you described is related to using a self-signed certificate.
SSL certificates rely on a chain of trust, where the root CAs (Certification Authorities) are at the top.
To understand more about how it works, the Wikipedia entry on SSL provides a good insight. For self-signed certificates there's also an entry at Wikipedia.
To solve your issue you can use a self-signed certificate (be aware of the security issues), but your users will always be prompted for an action.
Another option is to apply for a certificate from CertCA, since some Linux distributions have it among their root CAs.
The last and most reliable option is to acquire a certificate.