Monday, January 6, 2014

Solved a different cause of SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

You get SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError) or a similar error when making a request to an HTTPS endpoint, but none of the solutions you have found by googling seem to fix it.

What I have found is that those blog posts and Stack Overflow answers led me in the wrong direction. The problem is neither Ruby's fault nor a misconfiguration on your side. Instead, a missing intermediate CA certificate is the cause of the problem.

To verify that you have the same problem I had, run these commands and compare the results:
$ ruby -rnet/http -e "puts Net::HTTP.get(URI('https://github.com'))"
$ ruby -rnet/http -e "puts Net::HTTP.get(URI('https://your_webserver'))"
If you get a proper result for the first command and the same error for the second command, that's the same problem I had. If you get errors on both commands, this post won't help solve your problem.

What's happening is that Ruby doesn't have the certificate of the intermediate CA that issued the certificate of the server you are requesting, so it cannot build a chain from the server certificate up to a root it trusts.

Compare the "Certificate chain" section in the output of these two commands:
$ openssl s_client -connect github.com:443
$ openssl s_client -connect your_webserver.com:443
In GitHub's case, you will see entries 0 and 1. For your web server, on the other hand, you will probably see only 0. The "SSL certificate chains" section of this nginx documentation page has a good explanation of the chain.

If you own that web server or have access to it, go fix that and your SSL issue should be resolved. For the nginx web server, the fix is described in the previous link.

Good luck.
