RestClient.get returning certificate verify failed

Question

I am trying hit an internal testing API server using RestClient and Ruby v. 2.2.1.

This is essentially the code:

url = "https://10.10.0.10/thing/i/want/to/get"
header = {
      :content_type => "application/json",
      :"x-auth-token" => "testingtoken"
  }
response = RestClient.get url, header

This is the failure message I get:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (RestClient::SSLCertificateNotVerified)

If I'm reading this right, it looks like Ruby couldn't accept the SSL security certificate. This call works in the Chrome app Postman, but in order for it to work, I have to hit the URL in Chrome itself and accept that the connection is not secure (but proceed anyway), and THEN it will work in postman.

Is there a way to ignore the certificate failures and proceed anyway in Ruby?

Answer 1

Try using #execute(&block) with verify_ssl set to false.

:verify_ssl enable ssl verification, possible values are constants from OpenSSL::SSL::VERIFY_*, defaults to OpenSSL::SSL::VERIFY_PEER

url = "https://10.10.0.10/thing/i/want/to/get"
headers = {
  :content_type => "application/json",
  :"x-auth-token" => "testingtoken"
}

RestClient::Request.execute(
  :url => url, 
  :method => :get, 
  :headers => headers,
  :verify_ssl => false
)

see: http://www.rubydoc.info/github/rest-client/rest-client/RestClient/Request#execute-instance_method

---

RVM

Additional solution for RVM users from: https://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html

This discussion on Github finally gave the solution: Somehow RVM comes with a precompiled version of ruby that is statically linked against an openssl that looks into /etc/openssl for it's certificates.

What you wanna do is NOT TO USE any of the precompiled rubies and rather have ruby compiled on your local machine, like so: rvm install 2.2.0 --disable-binary

Answer 2

rest-client verify certificates using the system's CA store on all platforms by default. But is possible set to false the option :verify_ssl or specify :ssl_ca_file or :ssl_ca_path or :ssl_cert_store to customize the certificate authorities accepted.

See documentation

So you could simply set :verify_ssl to false:

url = "https://10.10.0.10/thing/i/want/to/get"
header = {
      :content_type => "application/json",
      :"x-auth-token" => "testingtoken"
}
resource = RestClient::Resource.new(
  url,
  headers: header,
  verify_ssl: false
)

response = resource.get

You could try immediately with a host which use a self-signed certificated provided by https://badssl.com/. Simply copy the snippet below in your irb console.

response = RestClient::Resource.new(
 'https://self-signed.badssl.com/',
  :verify_ssl =>  false
).get