connect: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

前端 未结 4 635
栀梦
栀梦 2021-02-13 12:56

I\'m having a terrible time getting SSL to verify a certificate. I\'m completely ignorant on how certificates work so that\'s a major handicap to begin with. Here\'s the error

相关标签:
4条回答
  • 2021-02-13 13:14

    check your cert.pem and your key.pem

    the cert key should have one

    -----BEGIN CERTIFICATE-----
    MIIFGDCCBACgAwIBAgIKG1DIagAAAAAAAzANBgkqhkiG9w0BAQsFADCBvDEkMCIG
    ....
    -----END CERTIFICATE-----
    

    your key.pem should have

    -----BEGIN PRIVATE KEY-----
    CSqGSIb3DQEJARYVY2Fjb250YWN0QGVzY3JlZW4uY29tMQswCQYDVQQGEwJVUzEP
    ....
    -----END PRIVATE KEY-----
    

    and it may have some certs in it but that doesn't matter for this case. (Although it does for me as curl doesn't work without the extra certs) The webservice I am talking to has a good root CA, but the client auth keys are not trusted so this is probably why the extra certs make curl work.

    getting those out of your client certificate was what caused me the problems.

    here is what worked for me.

    openssl pkcs12 -in Client.pfx -clcerts -nokeys -out cert.pem
    openssl pkcs12 -in Client.pfx -nodes -out key.pem
    

    each will prompt you for the Import password and you can set a pem password if you want. (you would have to set that in the ruby code later)

    require 'savon'
    client = Savon::Client.new "https://service/Service.asmx?wsdl"
    client.http.auth.ssl.cert_key_file = "key.pem"
    client.http.auth.ssl.cert_file = "cert.pem"
    client.http.auth.ssl.verify_mode=:peer
    
    p client.wsdl.soap_actions
    

    you can also test with curl

    curl -v  -E  key.pem  https://services/Service.asmx?wsdl
    
    0 讨论(0)
  • 2021-02-13 13:20

    Putting the http.auth.ssl.verify_mode = :none inside the client.request block does not work for me.

    I had to use:

    client = Savon::Client.new do |wsdl, http|
      http.auth.ssl.verify_mode = :none
      wsdl.document = #YOUR_WSDL_URL_HERE
    end
    

    Using Savon 0.9.9 and Ruby 1.9.3-p125

    0 讨论(0)
  • 2021-02-13 13:30

    You need to provide the private key file that goes along with your certificate.

    http.auth.ssl.cert_key_file = "mycert.pem"
    

    If your private key file is encrypted, you'll need to supply the password too:

    http.auth.ssl.cert_key_password = "foobar"
    
    0 讨论(0)
  • 2021-02-13 13:31

    Note: I was working with test automation in lower level environments that did not have properly signed certificates and would often throw errors due to domain signatures not matching. For the problem at hand, bypassing signatures was a plausible solution but it is not a solution to be used for production level development.

    My problem is that I am trying to validate a self-signed certificate. All I had to do was put the following code and omit anything to do with validating certificates.

    I had to do this for both my SOAP and REST calls that were both experiencing the same issue.

    SOAP using Savon

    client = Savon::Client.new order_svc
    
    request = client.create_empty_cart { |soap, http|
      http.auth.ssl.verify_mode = :none
      http.headers = { "Content-Length" => "0", "Connection" => "Keep-Alive" }
      soap.namespaces["xmlns:open"] = "http://schemas.datacontract.org/2004/07/Namespace"
      soap.body = {
          "wsdl:brand" => brand,
          "wsdl:parnter" => [
            {"open:catalogName" => catalogName, "open:partnerId" => partnerId }
          ] }.to_soap_xml
    
          }
    

    REST using HTTPClient

    client = HTTPClient.new
    client.ssl_config.verify_mode=(OpenSSL::SSL::VERIFY_NONE)
    resp = client.get(Methods)
    
    0 讨论(0)
提交回复
热议问题