SSL Verification failed on Windows

Question

SSL Verification failed on Windows

briceo opened this issue 10 years ago · comments

It appears that when trying to use Faraday on Windows to communicate with a site that is SSL, a certificate verify failed error occurs:

irb(main):001:0> require 'faraday'
=> true
irb(main):002:0> Faraday.get('https://google.com')
Faraday::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
        from C:/Ruby200/lib/ruby/2.0.0/net/http.rb:918:in `connect'
        from C:/Ruby200/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
        from C:/Ruby200/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
        from C:/Ruby200/lib/ruby/2.0.0/net/http.rb:918:in `connect'
        from C:/Ruby200/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
        from C:/Ruby200/lib/ruby/2.0.0/net/http.rb:851:in `start'
        from C:/Ruby200/lib/ruby/2.0.0/net/http.rb:1367:in `request'
        from C:/Ruby200/lib/ruby/2.0.0/net/http.rb:1126:in `get'
        from C:/Ruby200/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/lib/faraday/adapter/net_http.rb:78:in `perform_request'
        from C:/Ruby200/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/lib/faraday/adapter/net_http.rb:39:in `call'
        from C:/Ruby200/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/lib/faraday/request/url_encoded.rb:15:in `call'
        from C:/Ruby200/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/lib/faraday/rack_builder.rb:139:in `build_response'
        from C:/Ruby200/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/lib/faraday/connection.rb:377:in `run_request'
        from C:/Ruby200/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/lib/faraday/connection.rb:140:in `get'
        from C:/Ruby200/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/lib/faraday.rb:99:in `method_missing'
        from (irb):2
        from C:/Ruby200/bin/irb:12:in `<main>'

This same example works correctly from a linux system, and retrieves the expected webpage with no errors.

Brice Oliver · Answer 1 · Sat Jul 19 2014 04:57:02 GMT+0800 (China Standard Time)

I was able to work around this issue by setting the environment variable SSL_CERT_FILE to the full path of my cacert.pem file (which I obtained from here: http://curl.haxx.se/docs/caextract.html).

Lamont Granquist · Answer 2 · Wed Oct 22 2014 08:11:58 GMT+0800 (China Standard Time)

that is the correct solution to the problem, faraday has nothing to do with it, see oneclick/rubyinstaller#226

timcy · Answer 3 · Thu Nov 20 2014 14:53:45 GMT+0800 (China Standard Time)

i have same issue with ubuntu system with facebook authentication.

影月零 · Answer 4 · Mon Dec 07 2015 18:28:10 GMT+0800 (China Standard Time)

@timcy I suspect your issue is unrelated.

Unless there is some proposal for a built-in workaround I think this issue should be closed. It's still present but I can confirm it has nothing to do with faraday; I'm confirming it's a windows/ruby-installer issue.

Mislav Marohnić · Answer 5 · Tue Dec 08 2015 20:03:18 GMT+0800 (China Standard Time)

@briceo Thanks for sharing the workaround!

I'm afraid there's not much we can do from Faraday. Developers who need to connect to sites over HTTPS are responsible for ensuring that root certificates are already in place.

ZK Zhao · Answer 6 · Tue Aug 15 2017 21:07:52 GMT+0800 (China Standard Time)

@briceo Hi, can you give a more specific solution to this problem? I'm on windows and also have this problem. But I already have SSL_CERT_FILE to cacert.pem full pacht (i.e., D:\RailsInstaller\cacert.pem)

影月零 · Answer 7 · Thu Aug 17 2017 10:40:15 GMT+0800 (China Standard Time)

The problem is SSL_CERT_FILE (or maybe it was some other environment variable) needs to be an aboslute path for some reason, and that path is hard coded into something that was generated by whoever compiled that component of the rails installer.

Grab the root certs from somewhere else, save them locally, then point to them. EG:
https://github.com/emojidex/emojidex/blob/master/lib/emojidex/service/transactor.rb#L110