Login/Register
Google Oauth SSL error - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Asked Answered
Solved ruby-on-railsoauthgoogle-apigoogle-api-clientgoogle-api-ruby-client
C

3

9

I'm developing rails app with social authorization. Facebook and Twitter logins works fine, but something strange is going with Google...

My initializer for google:

  provider :google_oauth2, OAUTH_CONFIG[:google_api_key], OAUTH_CONFIG[:google_api_secret], {
    :access_type => 'offline',
    :prompt => 'consent',
    :scope => 'userinfo.email, userinfo.profile, youtube.readonly'
  }

My error, which I see when click login with Google:

Faraday::Error::ConnectionFailed
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
/Users/bmalets/.rvm/rubies/ruby-2.1.4/lib/ruby/2.1.0/net/http.rb:920:in `connect'
/Users/bmalets/.rvm/rubies/ruby-2.1.4/lib/ruby/2.1.0/net/http.rb:920:in `block in connect'
/Users/bmalets/.rvm/rubies/ruby-2.1.4/lib/ruby/2.1.0/timeout.rb:76:in `timeout'
/Users/bmalets/.rvm/rubies/ruby-2.1.4/lib/ruby/2.1.0/net/http.rb:920:in `connect'
/Users/bmalets/.rvm/rubies/ruby-2.1.4/lib/ruby/2.1.0/net/http.rb:863:in `do_start'
/Users/bmalets/.rvm/rubies/ruby-2.1.4/lib/ruby/2.1.0/net/http.rb:852:in `start'
/Users/bmalets/.rvm/rubies/ruby-2.1.4/lib/ruby/2.1.0/net/http.rb:1369:in `request'
faraday (0.8.8) lib/faraday/adapter/net_http.rb:75:in `perform_request'
faraday (0.8.8) lib/faraday/adapter/net_http.rb:38:in `call'
faraday (0.8.8) lib/faraday/request/url_encoded.rb:14:in `call'
faraday (0.8.8) lib/faraday/connection.rb:253:in `run_request'
oauth2 (0.8.1) lib/oauth2/client.rb:88:in `request'
oauth2 (0.8.1) lib/oauth2/client.rb:131:in `get_token'
oauth2 (0.8.1) lib/oauth2/strategy/auth_code.rb:29:in `get_token'

What is wrong with SSL certificates? Please, help

In google search results I see many similar answers - update 'openssl' library, reinstall ruby, rvm, update gemsets, bla-bla and many others... I have tried everithing, nothing helps me.

Environment: rails 4.1.6, ruby 2.1.4, OS_X Yosemite

Conditioning answered 7/9, 2015 at 8:37 Comment(0)
H
5

Another answer says to disable OpenSSL's VERIFY_PEER option which means your app is not validating the certificate and you cannot verify you are connecting to Google when you make queries. This is a huge security risk and you should never do this.

There is an issue on the GitHub repo for google-api-ruby-client (https://github.com/google/google-api-ruby-client/issues/253) for the problem you've described. The current workaround is to add this to your application:

ENV['SSL_CERT_FILE'] = Gem.loaded_specs['google-api-client'].full_gem_path+'/lib/cacerts.pem'

For a Rails app, you would add this as a line in config/application.rb.

Hyden answered 30/10, 2015 at 23:53 Comment(2)
when I add the line above to my config file my Rails app my local server fails to start up. Can you provide any more detail on implementation?Introvert
I'm guessing that you don't have the gem 'google-api-client' installed which provides the certificate file that fixes it, you can also point your SSL_CERT_FILE to a different cacerts.pem file if you don't have/want this gem. The details of implementation and why it's a problem that can be fixed are at the github issue, I thought you were using this gem but you apparently are not.Hyden
C
7

I add to my app initialize this not beautiful spike:

if Rails.env.development? 
  OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE 
end

Now login works in development mode.

Conditioning answered 7/9, 2015 at 9:0 Comment(0)
H
5

Another answer says to disable OpenSSL's VERIFY_PEER option which means your app is not validating the certificate and you cannot verify you are connecting to Google when you make queries. This is a huge security risk and you should never do this.

There is an issue on the GitHub repo for google-api-ruby-client (https://github.com/google/google-api-ruby-client/issues/253) for the problem you've described. The current workaround is to add this to your application:

ENV['SSL_CERT_FILE'] = Gem.loaded_specs['google-api-client'].full_gem_path+'/lib/cacerts.pem'

For a Rails app, you would add this as a line in config/application.rb.

Hyden answered 30/10, 2015 at 23:53 Comment(2)
when I add the line above to my config file my Rails app my local server fails to start up. Can you provide any more detail on implementation?Introvert
I'm guessing that you don't have the gem 'google-api-client' installed which provides the certificate file that fixes it, you can also point your SSL_CERT_FILE to a different cacerts.pem file if you don't have/want this gem. The details of implementation and why it's a problem that can be fixed are at the github issue, I thought you were using this gem but you apparently are not.Hyden
G
0

In short, you should do following things:

rvm remove 2.1.4
rvm install 2.1.4 --disable-binary

Here is complete solution with description: https://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html

Gunther answered 23/8, 2016 at 12:28 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.