Issue: Specifying jruby SSL keystore location

Hello everyone,

I’ve been having some trouble specifying a custom keystore for use with SSL. I’m creating a local CA and then creating a self-signed cert from that CA. Now I want to be able to start a Jetty server and hit it with jruby. My current issue is I can’t seem to get jruby to pick up the local keystore and trust it. I’m hopeful someone has run into this issue before or can walk me through how to fix it. Below is my test case:

Env:

  • CentOS 6.5
  • Java 7
  • jruby-complete-1.7.12

Steps to reproduce:

require 'java'
require 'net/https'
host = 'localhost'
path = '/'

puts 'javax.net.ssl.trustStore = ' + java.lang.System.getProperty('javax.net.ssl.trustStore')
puts 'javax.net.ssl.trustStorePassword = ' + java.lang.System.getProperty('javax.net.ssl.trustStorePassword')

https = Net::HTTP.new(host, 8443)
https.use_ssl = true
https.ssl_timeout = 2
https.verify_mode = OpenSSL::SSL::VERIFY_PEER # verify the server certificate
response = https.request(Net::HTTP::Get.new('/'))
puts response.body

  • If everything is working correctly you should see HTML dumped to your terminal.
  • Otherwise, if there are issues verifying the certificates, you’ll see an error like this (which is what I’m seeing):

[vagrant@localhost ~]$ java -Djavax.net.ssl.trustStore=~/jetty-hightide-8.1.8.v20121106/etc/certs/keystore -D -Djavax.net.ssl.trustStorePassword=changeit -jar /path/to/jruby-complete-1.7.12.jar local.rb
javax.net.ssl.trustStore = ~/jetty-hightide-8.1.8.v20121106/etc/certs/keystore
javax.net.ssl.trustStorePassword = changeit
OpenSSL::SSL::SSLError: certificate verify failed
connect at org/jruby/ext/openssl/SSLSocket.java:170
connect at file:/synthesysserver/lib/jruby-complete-1.7.12.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:799
timeout at org/jruby/ext/timeout/Timeout.java:104
connect at file:/synthesysserver/lib/jruby-complete-1.7.12.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:799
do_start at file:/synthesysserver/lib/jruby-complete-1.7.12.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:755
start at file:/synthesysserver/lib/jruby-complete-1.7.12.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:744
request at file:/synthesysserver/lib/jruby-complete-1.7.12.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:1292
(root) at local.rb:13
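
The setup described in the post above, reproduced offline as an added example (not part of the original post or of JRuby): a constructed local CA signs a `localhost` certificate, and verification is run once against an empty trust store and once against a store holding that CA. The helper names `make_cert`, `trust_store`, `verify_with` and `client_for` are hypothetical; the code uses only Ruby's standard `openssl` and `net/http` APIs and hands the store to Net::HTTP explicitly instead of relying on JVM system properties.

```ruby
require 'openssl'
require 'net/http'

# Build an X.509 v3 certificate. With no issuer it is self-signed (the local CA).
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Trust store holding exactly the given anchors, nothing from system defaults.
def trust_store(anchors)
  store = OpenSSL::X509::Store.new
  anchors.each { |c| store.add_cert(c) }
  store
end

# Returns [verified?, OpenSSL's reason string] for a leaf against a store.
def verify_with(store, leaf)
  [store.verify(leaf), store.error_string]
end

# Net::HTTP client that verifies peers against the explicit store (no connection made here).
def client_for(host, port, store)
  https = Net::HTTP.new(host, port)
  https.use_ssl = true
  https.verify_mode = OpenSSL::SSL::VERIFY_PEER
  https.cert_store = store
  https
end

# Constructed sample data: a throwaway CA and a leaf certificate for "localhost".
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Constructed Local CA', ca_key, ca: true)
  leaf = make_cert('localhost', OpenSSL::PKey::RSA.new(2048), issuer: ca, issuer_key: ca_key, serial: 2)
  { without_ca: verify_with(trust_store([]), leaf), with_ca: verify_with(trust_store([ca]), leaf) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

In the run shown above, the printed `javax.net.ssl.trustStore` value still begins with a literal `~`: the shell does not expand a tilde in the middle of a `-D` argument and the JVM does not expand it either, so an absolute path is the safer way to pass it.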

Might be a JRuby-OpenSSL regression … please try gem install jruby-openssl and make sure the installed gem gets loaded, as some of the older 1.7.x releases had issues not allowing to override default gems. Thus, if possible, I would upgrade JRuby 1.7.x as well - alternatively wait a few hours and get a freshly baked 1.7.20 :) !

K.

On Fri, May 1, 2015 at 5:43 PM, Chason Choate <