Ruby OpenSSL 错误 - 缺少 CA 证书(Justin 是谁?)
Ruby OpenSSL Errors - Missing CA Certs (Who is Justin?)
我正在编写一个小实用程序脚本,使用 Windows 上的 Ruby 的 Net::HTTP 模块通过 HTTPS 处理一些 RESTful API ].我一直收到此错误:
C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `block in connect'
from C:/Ruby22-x64/lib/ruby/2.2.0/timeout.rb:74:in `timeout'
from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect'
from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:863:in `do_start'
from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:852:in `start'
from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:1375:in `request'
根据 this post,我缺少默认的 CA 证书。我 运行 他的 "ssl doctor" 脚本,它给了我这个诊断:
C:\Users\Megaflux\Documents\GitHub\Github_Backup> ruby doctor.rb
C:/Ruby22-x64/bin/ruby (2.2.2-p95)
OpenSSL 1.0.1l 15 Jan 2015: C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""
HEAD https://status.github.com:443
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The server presented a certificate that could not be verified:
subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
error code 20: unable to get local issuer certificate
Possible causes:
`C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl/cert.pem' does not exist
`C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl/certs/' is empty
我可以下载一些根 CA 证书并将它们安装在该目录中,这并不难。但贾斯汀是谁?我的机器上没有该用户,如果不需要,我宁愿不创建这些文件夹。有谁知道如何更改默认的 ssl 证书目录?
非常感谢。
编辑:
为了完整起见,我将生成错误的脚本放在这里
require 'open-uri'
open("https://www.google.com/") {|f|
f.each_line {|line| p line}
}
OpenSSL::X509::DEFAULT_CERT_FILE with personal hardcoded path
The problem is OpenSSL that has hardcoded values. Search to closed
issues and also RubyInstaller group and will see this happens from
time to time.
OpenSSL needs to be fixed, but no patch to solve this issue has
proposed to OpenSSL itself. See oneclick/rubyinstaller#47
cert.pem is already provided by RubyGems and is included, please take
a look here:
https://github.com/ruby/ruby/tree/ruby_2_0_0/lib/rubygems/ssl_certs
That is part of Ruby and thus, RubyInstaller release.
RubyGems is capable of installing gems from rubygems.org, however,
like you pointed in the Bundler issue, you need a list of other CAs so
connect to the private/custom RubyGems server works.
For that you need to set SSL_CERT_FILE environment variable pointing
to the CA certs file.
See oneclick/rubyinstaller#86 and oneclick/rubyinstaller#148
tl;dr:Justin 是编译您的 OpenSSL 二进制文件的人。
我正在编写一个小实用程序脚本,使用 Windows 上的 Ruby 的 Net::HTTP 模块通过 HTTPS 处理一些 RESTful API ].我一直收到此错误:
C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `block in connect'
from C:/Ruby22-x64/lib/ruby/2.2.0/timeout.rb:74:in `timeout'
from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect'
from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:863:in `do_start'
from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:852:in `start'
from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:1375:in `request'
根据 this post,我缺少默认的 CA 证书。我 运行 他的 "ssl doctor" 脚本,它给了我这个诊断:
C:\Users\Megaflux\Documents\GitHub\Github_Backup> ruby doctor.rb
C:/Ruby22-x64/bin/ruby (2.2.2-p95)
OpenSSL 1.0.1l 15 Jan 2015: C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""
HEAD https://status.github.com:443
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The server presented a certificate that could not be verified:
subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
error code 20: unable to get local issuer certificate
Possible causes:
`C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl/cert.pem' does not exist
`C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl/certs/' is empty
我可以下载一些根 CA 证书并将它们安装在该目录中,这并不难。但贾斯汀是谁?我的机器上没有该用户,如果不需要,我宁愿不创建这些文件夹。有谁知道如何更改默认的 ssl 证书目录?
非常感谢。
编辑: 为了完整起见,我将生成错误的脚本放在这里
require 'open-uri'
open("https://www.google.com/") {|f|
f.each_line {|line| p line}
}
OpenSSL::X509::DEFAULT_CERT_FILE with personal hardcoded path
The problem is OpenSSL that has hardcoded values. Search to closed issues and also RubyInstaller group and will see this happens from time to time.
OpenSSL needs to be fixed, but no patch to solve this issue has proposed to OpenSSL itself. See oneclick/rubyinstaller#47
cert.pem is already provided by RubyGems and is included, please take a look here:
https://github.com/ruby/ruby/tree/ruby_2_0_0/lib/rubygems/ssl_certs
That is part of Ruby and thus, RubyInstaller release.
RubyGems is capable of installing gems from rubygems.org, however, like you pointed in the Bundler issue, you need a list of other CAs so connect to the private/custom RubyGems server works.
For that you need to set
SSL_CERT_FILEenvironment variable pointing to the CA certs file.See oneclick/rubyinstaller#86 and oneclick/rubyinstaller#148
tl;dr:Justin 是编译您的 OpenSSL 二进制文件的人。