private_pub
certificate verify failed
curl -O 'https://mydomain.com:4443/faye.js'
This command works over http, but not on the server where my private_pub is running. Any idea why?
I get this error. error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed error:xxxxxxxxx:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I have the same problem. I used the http://fabrizio-soppelsa.rhcloud.com/articles/thin-deploy guide to generate the self-signed certificate. Any suggestions?
@seraphinmiranda so did you solve your problem? I get the same problem here.
@mido18 so did you solve your problem? I get the same problem now.
@ddnz yes. In production mode what you need is just a real SSL certificate; in development mode just thin start -C "path/your/config" --ssl
I am using real ssl certificate in production, but still getting the same error:
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
@aman199002 I'm also getting this problem in production. My SSL certificates work fine on the website. I noticed that the thin server returns <SSL_incomp> when trying to use PrivatePub.publish_to in the console.
Did you manage to solve your issues?
@chrise86: The problem is the same. The certificate is working on the website and faye.js is also available over the secured https protocol, but I am getting the error while using PrivatePub.publish_to. The error is still present with https in production.
@aman199002 I managed to solve it! Just appended the contents of the ca-bundle to the crt file specified in the slim config
Where did you find the ca-bundle file? I don't have any ca-bundle file in my certificates directory.
When you get your SSL certificate you should have the ca-bundle file with the crt file. If you haven't, you should be able to download it from your SSL provider. Once you have it, copy the contents of the ca-bundle file into the bottom of the crt file and it should work for you.
@stevetoza I have a "UTNAddTrustServer_CA.crt" file. Is it the same one that you are talking about? I have appended its content to the crt file, but it's not working yet. Any idea?
I had the same issue with faye + ssl. The solution is:
- Use a real cert (I cannot make it run with self-signed)
- Create a correct PositiveSSL.ca_bundle and add it to your example_com.crt
- Use the new example_com.crt in the faye thin config - http://www.rubyspy.com/150_20493316/
Note: by "correct" I mean create the right cert chain, which depends on your SSL provider. In my case it was Comodo, so http://www.devside.net/wamp-server/installing-comodo-positivessl-certificate-bundled-with-root-and-intermediate-ca-certificates-on-apache. I saw the same kind of manual for other SSL providers.
Note 2: when I just downloaded the ca_bundle from the Comodo site and added it to my_site.crt, the site worked but faye failed.
Hi, I am facing the same issue. What I did so far is add the content of the .ca file into the .crt file, but I am still getting the same error, SSL_incomp, in the rails console. Please help me if anyone knows about this. Thanks
@rbcs I had the SSL_incomp issue for Thin and "certificate verify failed" in my Rails app log. The problem was inside the "private_pub" publish_to function. This error happened to me when the "http" request was created using Net::HTTP.new with use_ssl set to 'true'. I forked "private_pub" and changed the publish_message function a bit:
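if http.use_ssl? && config[:cert_path].present? && config[:key_path].present?
  # Load the certificate and key named in private_pub.yml
  cert = File.read(config[:cert_path])
  key = File.read(config[:key_path])
  # Present them as the client certificate and key for this connection
  http.cert = OpenSSL::X509::Certificate.new(cert)
  http.key = OpenSSL::PKey::RSA.new(key)
  # VERIFY_NONE turns off verification of the server's certificate
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
But I don't know if setting http.verify_mode to OpenSSL::SSL::VERIFY_NONE is a good idea.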
So now you can set your 'private_pub.yml' like this:
production:
  server: "https://localhost:4443/faye"
  secret_token: "secret"
  signature_expiration: 3600 # one hour
  cert_path: "/path_to_ssl/server.crt"
  key_path: "/path_to_ssl/server.key"
Set your Gemfile like this:
gem 'private_pub', :git => 'git://github.com/ovinix/private_pub.git'
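Added example (not from the thread and not private_pub's own code): it shows why a client that trusts only the root CA rejects a server certificate sent without its intermediate, why sending the intermediate with it (what appending the ca-bundle to the .crt does) fixes verification, and a Net::HTTP client that keeps VERIFY_PEER on with a CA file instead of VERIFY_NONE. The certificates are a constructed in-memory sample PKI; `issue`, `chain_ok?`, `verified_http` and the host and CA names are hypothetical.

```ruby
require 'openssl'
require 'net/http'

# Issue a certificate for the constructed sample PKI (all names are made up).
def issue(cn, issuer: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# What a verifying client does: trust only the roots and build the path
# from whatever intermediates the server presented alongside its certificate.
def chain_ok?(leaf, presented, roots)
  store = OpenSSL::X509::Store.new
  roots.each { |c| store.add_cert(c) }
  [store.verify(leaf, presented), store.error_string]
end

# Net::HTTP client that verifies the server against a CA file (no VERIFY_NONE).
def verified_http(url, ca_file)
  uri  = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl     = uri.scheme == 'https'
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file     = ca_file               # PEM file holding the trusted CA certs
  http
end

ROOT, ROOT_KEY   = issue('Sample Root CA', ca: true)
INTER, INTER_KEY = issue('Sample Intermediate CA', issuer: ROOT, issuer_key: ROOT_KEY, ca: true)
LEAF, LEAF_KEY   = issue('faye.example.test', issuer: INTER, issuer_key: INTER_KEY)

if __FILE__ == $PROGRAM_NAME
  p chain_ok?(LEAF, [], [ROOT])        # server sent only its own certificate
  p chain_ok?(LEAF, [INTER], [ROOT])   # server sent certificate + intermediate
  p LEAF.check_private_key(LEAF_KEY)   # key file belongs to the certificate
  p LEAF.check_private_key(ROOT_KEY)   # key file belongs to a different certificate
end
```

`check_private_key` is the same relationship a TLS server needs between its key file and the first certificate in its certificate file.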
@ovinix Thank you for your response. I have solved this issue by appending ca-bundle files into .crt files and now thin server is running fine on https.
Houston, I have a problem ...
I tried to append the ca-bundle and this is what happens:
When I try to post a message (chat):
POST https://xxx/conversations/7/messages 500 (Internal Server Error)
Rserver msg:
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed): app/controllers/messages_controller.rb:18:in `create'
I did
- openssl genrsa -out ca.key 4096
- openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt
- openssl genrsa -out intermediate.key 4096
- openssl req -new -sha1 -key intermediate.key -out intermediate.csr
- openssl x509 -req -days 1825 -in intermediate.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out intermediate.crt
- openssl genrsa -out xxx.key 4096
- openssl req -new -key xxx.key -out xxx.csr
- openssl x509 -req -days 1825 -in xxx.csr -CA intermediate.crt -CAkey intermediate.key -set_serial 01 -out xxx.crt
- cat intermediate.crt ca.crt > ca.ca-bundle
- cat xxx.crt ca.ca-bundle >n.ca.crt
private_pub_thin.yml
port: 4443
ssl: true
ssl_key_file: /path/ca.key
ssl_cert_file: /path/n.ca.crt
environment: production
rackup: private_pub.ru
Nginx Config:
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443;
    server_name xxx;
    ssl_certificate /path/ca.crt;
    ssl_certificate_key /path/ca.key;
    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/jenkins.access.log;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8080;
        proxy_read_timeout 90;
        proxy_redirect http://localhost:8080 https://xxx;
    }
    location /faye {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        root /var/applications/current/faye;
        proxy_pass https://0.0.0.0:4443;
        break;
    }
}
I'm running rails s -p 8080 -b 0.0.0.0 -e production & thin -C config/private_pub_thin.yml start