Can't start Net::HTTP session without getting the error unable to get local issuer certificate) (OpenSSL::SSL::SSLError)
isaiah-kueski opened this issue · comments
Hi, I am trying to start a Net::HTTP session with the following options:
{
  use_ssl: true,
  verify_mode: OpenSSL::SSL::VERIFY_PEER,
  cert: OpenSSL::X509::Certificate.new(File.read('path_of_cert')),
  key: OpenSSL::PKey::RSA.new(File.read('path_of_key'), 'password'),
  ca_file: 'path of ca file'
}
The values of the options are obviously not the real values.
I instantiate a URI object with the endpoint that I want to call, and initiate the http session with
http = Net::HTTP.start(url.hostname, Net::HTTP.https_default_port, options)
However I keep getting this error and the http session never gets instantiated.
.rbenv/versions/3.2.1/lib/ruby/3.2.0/net/protocol.rb:46:in `connect_nonblock': SSL_connect returned=1 errno=0 peeraddr=123.123.123.123:443 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)
Where the peeraddr does not have the real value.
I got the contents of the ca_file by extracting their root certificate with the following command
echo | openssl s_client -servername $HOSTNAME -connect $HOSTNAME:443 2>/dev/null | openssl x509 -text
I ran my application in staging with the verify_mode option set to VERIFY_NONE and it works just fine, but obviously I want to set the option to VERIFY_PEER since launching it to production as it is now is not safe.
Note that there is another same issue ticket ruby/net-http#150 opened in ruby/net-http.
Note that there is another same issue ticket ruby/net-http#150 opened in ruby/net-http.
Yes, I just wasn't sure whether the issue belongs to this repo or the other.
error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)
The error message describes the issue. Either ca_file is incorrect or the server is not sending the intermediate CA certificate(s) correctly.
How can I reproduce it?
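The two causes named in the reply above can be reproduced offline. The following is an added example, not code from the thread or from ruby/openssl: it builds a constructed root, intermediate and leaf (all names are made up) and verifies the leaf with OpenSSL::X509::Store, the same chain check that VERIFY_PEER performs. The third case trusts only the leaf, which is what a ca_file holds when it is filled from `openssl s_client ... | openssl x509`, because `openssl x509` reads the first certificate in the output (the server's own).

```ruby
require "openssl"

# Constructed test PKI: root -> intermediate -> leaf. All names are made up.
# issue() returns [certificate, key]; with no issuer the cert is self-signed.
def issue(cn, issuer_cert, issuer_key, ca:)
  key  = OpenSSL::PKey::EC.generate("prime256v1")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

ROOT,  ROOT_KEY  = issue("Example Root CA", nil, nil, ca: true)
INTER, INTER_KEY = issue("Example Intermediate CA", ROOT, ROOT_KEY, ca: true)
LEAF,  _LEAF_KEY = issue("leaf.example.test", INTER, INTER_KEY, ca: false)

# anchors        = certificates loaded as trusted (the role of ca_file)
# sent_by_server = extra, untrusted certificates the server sends in the handshake
def check(leaf, anchors:, sent_by_server: [])
  store = OpenSSL::X509::Store.new
  anchors.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, sent_by_server)
  [ok, store.error, store.error_string]
end

def scenarios
  {
    correct:              check(LEAF, anchors: [ROOT], sent_by_server: [INTER]),
    missing_intermediate: check(LEAF, anchors: [ROOT]),
    leaf_as_ca_file:      check(LEAF, anchors: [LEAF], sent_by_server: [INTER]),
  }
end

scenarios.each do |name, (ok, code, msg)|
  puts format("%-21s ok=%-5s error=%d (%s)", name, ok, code, msg)
end
```

To see what a ca_file actually contains, print the subject and issuer of each certificate in it; a trust anchor for this check has to be the issuing CA, not the server certificate.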