OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

北城余情 submitted on 2019-11-26 19:56:21

Question


I used RVM to install Ruby 1.9.3 on Ubuntu 12.04 by doing

rvm pkg install openssl
rvm install 1.9.3 --with-openssl-dir=$rvm_path/usr

And then when I try to run something along the lines of:

require 'open-uri'
open('https://www.google.com/')

I get the error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

How do I solve this? I have seen many similar threads where people have this problem in OSX, but how do I resolve it in Ubuntu?

Thanks for your help.


Answer 1:


That sometimes happens if the default 'OpenSSL directory' is not set correctly with the native OpenSSL library. open-uri uses OpenSSL::X509::Store#set_default_paths in order to tell OpenSSL to look in the OpenSSL directory for the file that contains the trusted root certificates that OpenSSL trusts by default.

In your case, this lookup fails. You can make it succeed by setting an environment variable that overrides the default setting and tells OpenSSL to look in that directory instead:

export SSL_CERT_FILE=/etc/pki/tls/cert.pem

That's the default location for the root CA bundle on my Fedora 16 64 bit; other popular locations are /etc/ssl/ca-bundle.crt etc. In your case, the OpenSSL library used by RVM is located in $rvm_path/usr, so you should look around there for a suitable candidate for the default root CA file. After the environment variable is set correctly, the call to open-uri will succeed.

To make the environment variable permanent, use the usual ways such as defining the export in .bashrc, /etc/profile or whatever fits best in your situation.




Answer 2:


The cacert.pem file is missing from rvm installed openssl.

$ cd $rvm_path/usr/ssl
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
$ sudo mv cacert.pem cert.pem



Answer 3:


Add the 'certified' gem to your Gemfile.

More info: https://rubygems.org/gems/certified




Answer 4:


See http://jjinux.blogspot.nl/2012/02/ruby-working-around-ssl-errors-on-os-x.html as an alternative answer to your question. It should work for both Ubuntu and Mac OS X users, and it doesn't require a change in the environment variables.

The solution from the above link:

# config/initializers/fix_ssl.rb
# 
# Work around errors that look like:
#
#   SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

require 'open-uri'
require 'net/https'

module Net
  class HTTP
    alias_method :original_use_ssl=, :use_ssl=

    def use_ssl=(flag)
      # Ubuntu
      if File.exist?('/etc/ssl/certs')
        self.ca_path = '/etc/ssl/certs'

      # MacPorts on OS X
      # You'll need to run: sudo port install curl-ca-bundle
      elsif File.exist?('/opt/local/share/curl/curl-ca-bundle.crt')
        self.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'
      end

      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
      self.original_use_ssl = flag
    end
  end
end



Answer 5:


This did now work for me. Things started working when I ran "brew doctor", which led me to clues like "unset SSL_CERT_DIR"




Answer 6:


Check your system clock!!

Hit this error on a virtual machine after a long period (1 week) without use. Updating my system clock fixed the issue immediately.

If you're running ntpd then ntpdate -b -u pool.ntp.org will do that for you.
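
The two failure modes described in Answer 1 (OpenSSL finds no trusted roots) and Answer 6 (wrong system clock) can be reproduced offline, together with a look at where this Ruby's OpenSSL will search for roots. This is an added example, not code from any of the answers; the CA is constructed in memory, and the helper names make_test_ca, verify_with and default_trust_paths are hypothetical.

```ruby
require 'openssl'
require 'tempfile'

# Constructed self-signed root CA, valid for one day (sample data, not a real CA).
def make_test_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Test CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify +cert+ against only the roots in +ca_file+ (nil = empty store),
# optionally pretending the clock reads +at+. Returns [ok, openssl_error_string].
def verify_with(cert, ca_file: nil, at: nil)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file) if ca_file
  store.time = at if at
  [store.verify(cert), store.error_string]
end

# Where OpenSSL looks after set_default_paths: env overrides, else compiled-in defaults.
def default_trust_paths(env = ENV)
  file = env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
  dir  = env[OpenSSL::X509::DEFAULT_CERT_DIR_ENV]  || OpenSSL::X509::DEFAULT_CERT_DIR
  { file: file, file_exists: File.file?(file), dir: dir, dir_exists: File.directory?(dir) }
end

def demo
  ca = make_test_ca
  Tempfile.create(['ca', '.pem']) do |f|
    f.write(ca.to_pem)
    f.flush
    { paths: default_trust_paths,
      no_roots: verify_with(ca),                      # missing/empty CA bundle
      with_roots: verify_with(ca, ca_file: f.path),   # bundle present
      clock_skew: verify_with(ca, ca_file: f.path, at: Time.now + 30 * 86_400) }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

If `file_exists` and `dir_exists` are both false in the `paths` entry, the default lookup has nothing to load, which matches the "certificate verify failed" symptom in the question.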



Source: https://stackoverflow.com/questions/10728436/opensslsslsslerror-ssl-connect-returned-1-errno-0-state-sslv3-read-server-c
