Login/Register
How to get rid of OpenSSL::SSL::SSLError
Asked Answered
ruby-on-railsfacebookomniauthomniauth-facebook
D

7

33

I am trying to authenticate users with Facebook using OmniAuth. Initially, it was working, but along the way it just stopped working and started to give me this error message:

OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

The same code works well for Twitter and I can't seem to understand why it doesn't work for Facebook. I have looked online for help, but I haven't been successful.

This is the link to the website I am building: http://www.bestizz.com/
And this url would give you the error message: http://www.bestizz.com/auth/facebook

Doersten answered 19/4, 2011 at 3:12 Comment(5)
We can't tell you what code to change if you don't show us the code you already have. :) Perhaps this helps?Longshoreman
Sorry, this is a link to my code and details of the problem link @brandonTilleyDoersten
are you getting a stack trace? There are a few libraries down the stack (OmniAuth, OAuth2, Faraday, etc.) and if you have a stack trace it would probably help a lot.Longshoreman
@brandonTilley, sorry, for going round and round. New to this forum, by the way, this is a link to my framework stack trace. linkDoersten
No problems ^_^ Added an answer, finally :) Good luckLongshoreman
H
27

Ruby cannot find any root certificates. Here is an option for debugging purposes. Put following code at the begining of your script:

   require 'openssl'
   OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
Habitancy answered 20/8, 2012 at 6:11 Comment(6)
This should not be considered an option. Fix it properly or don't even bother using SSL.Jelks
As noted, this is for debugging or development ONLY. Do NOT use this code in production.Fescennine
Indeed, for debugging, when I'm communicating with servers I haven't installed certs on, I do this. On my Ruby, I get a dynamic constant assignment error, so I monkey patched it instead, so something like module OpenSSL; module SSL; VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE; end; endRube
I definitely think that in your answer you should include why that is very insecure.Witherite
Not just that is a security violation, it's even useless to the point that it doesn't tell WHERE to put this code.Kinkajou
The code is meant to go at the very beginning of the script.Detraction
R
9

Add the following code to config/initializers/fix_ssl.rb

require 'open-uri'
require 'net/https'

module Net
  class HTTP
    alias_method :original_use_ssl=, :use_ssl=

    def use_ssl=(flag)
      self.ca_file = "/etc/pki/tls/certs/ca-bundle.crt"  # for Centos/Redhat
      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
      self.original_use_ssl = flag
    end
  end
end

Note:

Many operating systems already come with a supplied certificate bundle. For example in Red Hat Enterprise Linux and CentOS it's installed in:

/etc/pki/tls/certs/ca-bundle.crt

For Ubuntu its at:

/etc/ssl/certs/ca-certificates.crt
Rebhun answered 1/8, 2012 at 5:22 Comment(4)
I can't find initializers directory in my .config directory (I'm on ubuntu), could you help me with it?Wadai
config/initializers directory comes under your Rails application folder structure. This solution is for Rails application.Rebhun
For me it was enough to set environmet variable in redhat export SSL_CERT_FILE='/etc/pki/tls/certs/ca-bundle.crt'Mnemonic
the line self.ca_file = "/etc/pki/tls/certs/ca-bundle.crt helped me with my ruby console app. None of the other solution worked. I guess, ssls wasn't able to know, which certificate file to use.Goering
K
7

I've been facing the same problem after updating Ruby running on Yosemite, but while trying to authenticate with Google.

Following this: https://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html seemed to solve my problem.

For the sake of history I'll quote:

So the rvm-installed ruby does look into the wrong directory for certificates whereas the OSX-ruby will look into the correct one. In it's case that is a OSX system-directory.

So the rvm-installed ruby is the problem.

This discussion on Github finally gave the solution: Somehow RVM comes with a precompiled version of ruby that is statically linked against an openssl that looks into /etc/openssl for it's certificates.

What you wanna do is NOT TO USE any of the precompiled rubies and rather have ruby compiled on your local machine, like so: rvm install 2.2.0 --disable-binary

In the end, I had to run:

rvm uninstall ruby-2.2.4
rvm install ruby-2.2.4 --disable-binary
gem pristine --all

Hope this helps

Kohler answered 18/3, 2016 at 3:21 Comment(0)
L
6

Looks like SSL verification is failing for Facebook. I'm no OpenSSL master, but I think this should work for you.

Assuming you're using an up-to-date version of OmniAuth (>= 0.2.2, I assume you are) and a version of Faraday >= 0.6.1 (the stack trace says you are), you can pass the location of your CA certificates bundle. Modify your OmniAuth setup for Facebook accordingly:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :facebook, 'appid', 'appsecret', {:scope => 'publish_stream,email', :client_options => {:ssl => {:ca_path => '/etc/ssl/certs'}}}
  # other providers...
end

and replace '/etc/ssl/certs' with the path to your bundle. If you need one, I believe this file will work for you--just put it somewhere, give it necessary permissions, and point your app at it.

Thanks to Alex Kremer at this SO answer for the detailed instructions.

Longshoreman answered 21/4, 2011 at 14:50 Comment(1)
[email protected] works perfectly. Thanks very much. It looks like i developed that problem after i upgraded my gems...Its an issue with Omniauth 0.2.1 - 0.2.2.Doersten
A
1

Do this, this will get ride of the certificate error with openssl

sudo curl http://curl.haxx.se/ca/cacert.pem -o /opt/local/etc/openssl/cert.pem
Altdorfer answered 12/10, 2011 at 5:25 Comment(3)
This looks like it's for a self installed, maybe MacPorts OpenSSL ? any idea for standard Mac OS X or homebrew?Tit
This worked for me with RVM on Mountain Lion: curl http://curl.haxx.se/ca/cacert.pem -o ~/.rvm/usr/ssl/cert.pemCastorena
@Lachlan Cotter, many thanks! I was finally able to get RailsApps Project apps working with Rails 3.2.8 on Mountain Lion thanks to this command.Fremd
P
1

This link should work. https://gist.github.com/fnichol/867550 Just follow the instructions. You will need to download Rails installer and run two command line functions.

Periodical answered 11/3, 2014 at 0:46 Comment(0)
D
0

An ugly workaround I just did is to override the class in Net::HTTP and set the variable which tells it to not verify ssl certs:

    require 'net/http'
    require 'openssl'

    class Net::HTTP   
        alias_method :orig_connect, :connect

        def connect
          @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
          orig_connect
        end
    end

I did it this way because I don't want to muck with the source code of the gem which calls the gem which calls the gem which calls Net::HTTP. I should really go back and figure out how to nudge it to look at a separate cacert.pem file instead. I can't modify the server's cacert.pem file, or that would be the best route.

Dyscrasia answered 30/6, 2011 at 11:24 Comment(3)
No need to open a class and override a method -- you can change the verify_mode directly on the HTTP object you create: http.verify_mode = OpenSSL::SSL::VERIFY_NONEAlp
@MikeA. that only works if you're the one creating the Net::HTTP instance.Consanguineous
—1 for OpenSSL::SSL::VERIFY_NONE.Lole

© 2022 - 2024 — McMap. All rights reserved.