Ruby on Rails: OpenSSL::SSL::SSLError on Heroku
Original source: http://stackoverflow.com/questions/11703679/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
OpenSSL::SSL::SSLError on Heroku
Asked by varatis
I'm trying to authenticate a user via Facebook or Twitter, get them to fill out their information, and then click save (thus creating a user record). I'm getting an OpenSSL error on that final step -- after clicking save. This happens at the Devise RegistrationsController#create method.
So I'm getting this error in my Rails application, hosted on Heroku:
2012-07-28T18:25:13+00:00 app[web.1]: OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)
I've seen plenty of solutions, none of them work. Here are some things I've tried:
1) Installing the certified gem
2) Upgrading the Heroku gem to v2.30, pushing again
3) This:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :twitter, TWITTER_KEY, TWITTER_SECRET, {:client_options => {:ssl => {:ca_file => "/usr/lib/ssl/certs/ca-certificates.crt"}}}
  provider :facebook, FACEBOOK_KEY, FACEBOOK_SECRET, {:scope => "publish_actions,user_location,email", :client_options => {:ssl => {:ca_file => "/usr/lib/ssl/certs/ca-certificates.crt"}}}
end
It seems like one problem could be that this cert file doesn't actually exist -- I've seen it in several places, and it seems like that is the default path to the ca_cert file for Heroku, but I could be wrong.
Oddly enough, this is happening after I've already authenticated via FB/Twitter, and am trying to create a user's account. Why would this be, and how can I solve/debug this? Sincerely confused.
Update: I added this line to the Omniauth initializer, and now it "works". Thus I've diagnosed the problem is with Omniauth. However, I'd like to still have the SSL verification... this obviously leaves a security gap.
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
Answer by Pavel Nikolov
After some searching here is what I found:
If you're using Ruby to open connections to an external server over https, e.g. the Facebook Graph API, you may run into the following error:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
This error is due to Ruby not being able to find the certification authority certificates (CA Certs) used to verify the authenticity of secured web servers. The solution is to download this ca-bundle.crt into your application's lib/ directory:
Then add the following code to config/initializers/fix_ssl.rb:
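require 'open-uri'
require 'net/https'

module Net
  class HTTP
    # Keep the original setter so it can still be called below.
    alias_method :original_use_ssl=, :use_ssl=

    # Every time SSL is switched on, point at the bundled CA file
    # and require peer verification.
    def use_ssl=(flag)
      self.ca_file = Rails.root.join('lib/ca-bundle.crt').to_s
      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
      self.original_use_ssl = flag
    end
  end
end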
This should force ruby to use the CA bundle from your application's lib/ directory.
Taken from: http://jimneath.org/2011/10/19/ruby-ssl-certificate-verify-failed.html
UPDATE:
You may need to use self.ca_path= instead of self.ca_file= depending on your system.
Answer by Winfield
It sounds like you've got the right openssl configuration in OmniAuth, but perhaps your CA certs path isn't correct?
You can check that on your heroku servers by running:
heroku run bash
... and then running openssl to display the proper path:
$ openssl version -a
OpenSSL 1.0.0e 6 Sep 2011
OPENSSLDIR: "/usr/lib/ssl"
... You should find the ca_certificates.crt file at $OPENSSLDIR/certs/ca-certificates.crt
I would confirm that path and update your code to match.
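The path check suggested in the last answer, combined with the ca_file/ca_path note from the first one, as an added example that is not part of the original question or answers: it returns the hash to place under :ssl for the first candidate that exists and actually contains parsable certificates, so verification stays on. The names CANDIDATES, parsable_certs and ssl_options_for are assumptions made for this example; OpenSSL::X509::DEFAULT_CERT_FILE and DEFAULT_CERT_DIR are the defaults compiled into Ruby's OpenSSL.

```ruby
require 'openssl'

# Candidate CA locations: the path from the question, an SSL_CERT_FILE
# override if set, then the defaults compiled into this Ruby's OpenSSL.
CANDIDATES = [
  '/usr/lib/ssl/certs/ca-certificates.crt',
  ENV['SSL_CERT_FILE'],
  OpenSSL::X509::DEFAULT_CERT_FILE,
  OpenSSL::X509::DEFAULT_CERT_DIR
].compact.freeze

PEM_BLOCK = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Number of certificates in a bundle that OpenSSL can actually parse.
def parsable_certs(path)
  File.binread(path).scan(PEM_BLOCK).count do |pem|
    begin
      OpenSSL::X509::Certificate.new(pem)
    rescue OpenSSL::X509::CertificateError
      false
    end
  end
end

# Hypothetical helper: returns the hash to put under :ssl (ca_file for a
# bundle, ca_path for a directory), or nil when no candidate is usable.
# A missing or empty bundle is skipped instead of being passed on silently.
def ssl_options_for(candidates)
  candidates.each do |path|
    if File.file?(path) && File.readable?(path)
      return { ca_file: path } if parsable_certs(path).positive?
    elsif File.directory?(path) && !Dir.empty?(path)
      # ca_path only works if the directory holds hash-named links (c_rehash).
      return { ca_path: path }
    end
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  opts = ssl_options_for(CANDIDATES)
  puts opts ? "use :ssl => #{opts.inspect}" : 'no usable CA bundle found'
end
```

Run it inside `heroku run bash` (or a Rails console on the dyno) so the paths are checked on the same filesystem the application uses.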

