Certificate verify failed (OpenSSL::SSL::SSLError)

JRuby: 1.5.6
RVM: 1.1.3
Rails: 3.0.3
jruby-openssl: 0.7.2
OpenSSL: 0.9.8o 01 Jun 2010

While trying to install jQuery support I’m getting an error when going out to GitHub (I think):

rails generate jquery:install

  remove  public/javascripts/controls.js
  remove  public/javascripts/dragdrop.js
  remove  public/javascripts/effects.js
  remove  public/javascripts/prototype.js
fetching  jQuery (1.4.4)

identical public/javascripts/jquery.js
identical public/javascripts/jquery.min.js
fetching jQuery UJS adapter (github HEAD)
/home/cdempsey/.rvm/rubies/jruby-1.5.6/lib/ruby/1.8/net/http.rb:586:in `connect': certificate verify failed (OpenSSL::SSL::SSLError)
    from /home/cdempsey/.rvm/rubies/jruby-1.5.6/lib/ruby/1.8/net/http.rb:553:in `do_start'
    from /home/cdempsey/.rvm/rubies/jruby-1.5.6/lib/ruby/1.8/net/http.rb:542:in `start'
    from /home/cdempsey/.rvm/rubies/jruby-1.5.6/lib/ruby/1.8/open-uri.rb:242:in `open_http'
    from /home/cdempsey/.rvm/rubies/jruby-1.5.6/lib/ruby/1.8/open-uri.rb:616:in `buffer_open'
    from /home/cdempsey/.rvm/rubies/jruby-1.5.6/lib/ruby/1.8/open-uri.rb:164:in `open_loop'
    from /home/cdempsey/.rvm/rubies/jruby-1.5.6/lib/ruby/1.8/open-uri.rb:162:in `catch'
    from /home/cdempsey/.rvm/rubies/jruby-1.5.6/lib/ruby/1.8/open-uri.rb:162:in `open_loop'
    from /home/cdempsey/.rvm/rubies/jruby-1.5.6/lib/ruby/1.8/open-uri.rb:132:in `open_uri'
     ... 20 levels...
    from /home/cdempsey/.rvm/gems/jruby-1.5.6/gems/railties-3.0.3/lib/rails/commands.rb:17
    from /home/cdempsey/.rvm/gems/jruby-1.5.6/gems/railties-3.0.3/lib/rails/commands.rb:6:in `require'
    from script/rails:6

I’m not sure where to go from here. Thoughts?

Can you file a bug for this at http://bugs.jruby.org/ ? We should
follow up on it.

Thanks,
/Nick

On further investigation, it doesn’t look like this is a JRuby bug.

http://support.github.com/discussions/repos/4714-jquery-github-ssl

Because of Github turning on SSL everywhere, open-uri needs a
certificate chain to verify Github’s cert in order to install jQuery.
JRuby doesn’t ship one, but maybe we should (or maybe we can plug into
the JDK’s).

The other option is to follow the instructions in comment #14. As the
commenter says, make sure you remove that line after you install
jQuery.

/Nick

Thanks Nick! My Google-fu should have been stronger so I wouldn’t have
bothered the JRuby list with a GitHub issue. :)

C

Agreed. Not to split hairs, CRuby doesn’t ship it either. open-uri tries
to detect ‘trust anchors’ specified at openssl compilation time.
jruby-ossl cannot do it so we should specify it by hand at present.

Appears it does fail with CRuby too.
The fixes described here fix it for jruby, too (for followers):
http://snippets.aktagon.com/snippets/370-Hack-for-using-OpenURI-with-SSL

in 1.8: OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

Hi all,

On Tue, Dec 7, 2010 at 02:36, Nick S. wrote:

> On further investigation, it doesn’t look like this is a JRuby bug.
>
> http://support.github.com/discussions/repos/4714-jquery-github-ssl
>
> Because of Github turning on SSL everywhere, open-uri needs a
> certificate chain to verify Github’s cert in order to install jQuery.

Sure it must be the case.

> JRuby doesn’t ship one, but maybe we should (or maybe we can plug into
> the JDK’s).

Agreed. Not to split hairs, CRuby doesn’t ship it either. open-uri tries
to detect ‘trust anchors’ specified at openssl compilation time.
jruby-ossl cannot do it so we should specify it by hand at present.

On an Ubuntu box, trust anchors are at /etc/ssl/certs.

0% jruby -ropen-uri -e 'p open("https://www.github.com/")'
/home/nahi/java/jruby-1.5.6/lib/ruby/1.8/net/http.rb:586:in `connect': certificate verify failed (OpenSSL::SSL::SSLError)
    from /home/nahi/java/jruby-1.5.6/lib/ruby/1.8/net/http.rb:553:in `do_start'
    from /home/nahi/java/jruby-1.5.6/lib/ruby/1.8/net/http.rb:542:in `start'
    from /home/nahi/java/jruby-1.5.6/lib/ruby/1.8/open-uri.rb:242:in `open_http'
    from /home/nahi/java/jruby-1.5.6/lib/ruby/1.8/open-uri.rb:616:in `buffer_open'
    from /home/nahi/java/jruby-1.5.6/lib/ruby/1.8/open-uri.rb:164:in `open_loop'
    from /home/nahi/java/jruby-1.5.6/lib/ruby/1.8/open-uri.rb:162:in `catch'
    from /home/nahi/java/jruby-1.5.6/lib/ruby/1.8/open-uri.rb:162:in `open_loop'
    from /home/nahi/java/jruby-1.5.6/lib/ruby/1.8/open-uri.rb:132:in `open_uri'
    from /home/nahi/java/jruby-1.5.6/lib/ruby/1.8/open-uri.rb:518:in `open'
    from /home/nahi/java/jruby-1.5.6/lib/ruby/1.8/open-uri.rb:30:in `open'
    from -e:1
1% SSL_CERT_DIR=/etc/ssl/certs jruby -ropen-uri -e 'p open("https://www.github.com/")'
#<File:/tmp/open-uri.9800.47992>
0%

JRUBY-5010 discusses this issue. Importing JDK’s cacerts looks good
for Java integration, but this might cause a ‘CRuby and JRuby behave
slightly differently’ issue. I’m still open on how to handle this issue.
Any ideas?

Regards,
// NaHi