Kok*_*lli 8 ruby windows ssl https openssl
I'm writing a small utility script that uses Ruby's Net::HTTP module on Windows to work with some RESTful APIs over HTTPS. I keep getting this error:
C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `block in connect'
    from C:/Ruby22-x64/lib/ruby/2.2.0/timeout.rb:74:in `timeout'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:863:in `do_start'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:852:in `start'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:1375:in `request'
According to this article, I'm missing the default CA certs. I ran his "SSL doctor" script, and it gave me this diagnosis:
C:\Users\Megaflux\Documents\GitHub\Github_Backup> ruby doctor.rb
C:/Ruby22-x64/bin/ruby (2.2.2-p95)
OpenSSL 1.0.1l 15 Jan 2015: C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""
HEAD https://status.github.com:443
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The server presented a certificate that could not be verified:
  subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
  issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
  error code 20: unable to get local issuer certificate
Possible causes:
  `C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl/cert.pem' does not exist
  `C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl/certs/' is empty
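I'm fine with downloading some root CA certs and installing them in that directory; that isn't hard. But who is Justin? There's no such user on my machine, and I'd rather not create those folders if I don't have to. Does anyone know how to change the default SSL certificate directory?
Thanks a lot.
Edit: For completeness, I'll throw in the script that generates the error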
require 'open-uri'
open("https://www.google.com/") {|f|
   f.each_line {|line| p line}
}
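OpenSSL::X509::DEFAULT_CERT_FILE has a personal hard-coded path
The problem is that OpenSSL has hard-coded values. Searching the closed issues and the RubyInstaller group shows that this comes up from time to time.
OpenSSL needs to be fixed, but OpenSSL itself has not proposed a patch to fix this. See oneclick/rubyinstaller#47
cert.pem is already provided by RubyGems and included with it, see here: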
https://github.com/ruby/ruby/tree/ruby_2_0_0/lib/rubygems/ssl_certs
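This is part of Ruby, and therefore part of the RubyInstaller builds too.
RubyGems is able to install gems from rubygems.org, but, as you pointed out in the Bundler issue, you need a list of other CAs so that connections to private/custom RubyGems servers work.
To do that, you need to set the SSL_CERT_FILE environment variable to point to the CA certificate file.
tl;dr: Justin is the person who compiled the OpenSSL binaries.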
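An added example, not part of the original question or answer: a Ruby sketch that reports which CA file and directory this build of OpenSSL will consult (environment override first, then the compiled-in default) and builds a Net::HTTP client that trusts an explicit CA bundle while keeping peer verification on. The function names `trust_source_report` and `https_client` are hypothetical, and treating an empty variable as unset is an assumption of this sketch.

```ruby
require 'net/http'
require 'openssl'

# Report where this Ruby's OpenSSL looks for trusted CAs. The compiled-in
# defaults can point at the build machine's directories, as the doctor
# output above shows, so check that they exist on this machine.
def trust_source_report(env = ENV)
  file = env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV].to_s # "SSL_CERT_FILE"
  dir  = env[OpenSSL::X509::DEFAULT_CERT_DIR_ENV].to_s  # "SSL_CERT_DIR"
  # Assumption of this sketch: an empty variable is treated as unset.
  file = OpenSSL::X509::DEFAULT_CERT_FILE if file.empty?
  dir  = OpenSSL::X509::DEFAULT_CERT_DIR if dir.empty?
  {
    cert_file: file,
    cert_dir: dir,
    file_usable: File.file?(file) && File.size(file) > 0,
    dir_usable: File.directory?(dir) && !(Dir.entries(dir) - %w[. ..]).empty?
  }
end

# Build an HTTPS client that trusts an explicit CA bundle. Verification
# stays at VERIFY_PEER; the fix is supplying trust anchors, not turning
# certificate checks off.
def https_client(host, ca_bundle, port = 443)
  raise ArgumentError, "CA bundle not found: #{ca_bundle}" unless File.file?(ca_bundle)

  http = Net::HTTP.new(host, port) # no connection is opened here
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_bundle
  http
end

if __FILE__ == $PROGRAM_NAME
  # Prints the effective trust sources for the current process only.
  trust_source_report.each { |key, value| puts "#{key}: #{value}" }
end
```

Setting `SSL_CERT_FILE` before Ruby starts changes the first line of the report; `https_client` is the per-connection alternative when the environment cannot be changed.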