larsch / ocra

One-Click Ruby Application Builder
http://ocra.rubyforge.org/

SSL certificate verify failed with Net::HTTP #128

Open KrzaQ opened 6 years ago

KrzaQ commented 6 years ago
require 'uri'
require 'net/http'
require 'net/https'

url = 'https://google.com/post'

uri = URI.parse url

http = Net::HTTP.new uri.host, uri.port
req = Net::HTTP::Post.new uri.path

http.use_ssl = uri.scheme == 'https'

r = http.request req, ""

puts r.code

This script, when executed with ruby 2.4.1 and 2.4.2 (from rubyinstaller, on Windows 7 and 10) finishes displaying a 404 (as expected) to the standard output.

When compiled with ocra, it also does output 404:

C:\Users\pzi\Downloads>ocra test.rb
=== Loading script to check dependencies
404
=== Attempting to trigger autoload of Gem::ConfigFile
=== Attempting to trigger autoload of Gem::DependencyList
=== Attempting to trigger autoload of Gem::DependencyResolver
=== Attempting to trigger autoload of Gem::Installer
=== Attempting to trigger autoload of Gem::Licenses
=== Attempting to trigger autoload of Gem::Source
=== Attempting to trigger autoload of Gem::RequestSet
=== Attempting to trigger autoload of Gem::SpecFetcher
=== Attempting to trigger autoload of Gem::SourceList
=== Attempting to trigger autoload of RubyInstaller::Runtime::Components::Base
=== WARNING: RubyInstaller::Runtime::Components::Base was defined autoloadable, but caused NameError
=== Attempting to trigger autoload of RubyInstaller::Runtime::Colors
=== Attempting to trigger autoload of RubyInstaller::Runtime::ComponentsInstaller
=== Attempting to trigger autoload of RubyInstaller::Runtime::Ridk
=== Attempting to trigger autoload of RubyInstaller::Runtime::PACKAGE_VERSION
=== Attempting to trigger autoload of CGI::HtmlExtension
=== Detected gem did_you_mean-1.1.2 (loaded, files)
===     18 files, 34197 bytes
=== Detected gem ocra-1.3.10 (loaded, files)
===     5 files, 210830 bytes
=== Detected gem openssl-2.0.6 (loaded, files)
===     13 files, 2495995 bytes
=== Detected gem io-console-0.4.6 (loaded, files)
=== WARNING: Gem io-console-0.4.6 root folder was not found, skipping
=== Detected gem rake-12.3.0 (loaded, files)
===     44 files, 117664 bytes
=== Including 59 encoding support files (3907071 bytes, use --no-enc to exclude)
=== Building test.exe
=== Adding user-supplied source files
=== Adding ruby executable ruby.exe
=== Adding detected DLL C:/pro/ruby/bin/ruby_builtin_dlls/libgmp-10.dll
=== Adding detected DLL C:/pro/ruby/bin/ruby_builtin_dlls/libffi-6.dll
=== Adding detected DLL C:/pro/ruby/bin/ruby_builtin_dlls/zlib1.dll
=== Adding detected DLL C:/pro/ruby/bin/ruby_builtin_dlls/LIBEAY32.dll
=== Adding detected DLL C:/pro/ruby/bin/ruby_builtin_dlls/SSLEAY32.dll
=== Adding external manifest C:/pro/ruby/bin/ruby_builtin_dlls/ruby_builtin_dlls.manifest
=== Adding library files
=== Compressing 15245969 bytes

LZMA 4.65 : Igor Pavlov : Public domain : 2009-02-03
=== Finished building test.exe (3574231 bytes)

But when executing the generated executable file:

C:\Users\pzi\Downloads>test
C:/Users/pzi/AppData/Local/Temp/ocr5F07.tmp/lib/ruby/2.4.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError)
        from C:/Users/pzi/AppData/Local/Temp/ocr5F07.tmp/lib/ruby/2.4.0/net/protocol.rb:44:in `ssl_socket_connect'
        from C:/Users/pzi/AppData/Local/Temp/ocr5F07.tmp/lib/ruby/2.4.0/net/http.rb:948:in `connect'
        from C:/Users/pzi/AppData/Local/Temp/ocr5F07.tmp/lib/ruby/2.4.0/net/http.rb:887:in `do_start'
        from C:/Users/pzi/AppData/Local/Temp/ocr5F07.tmp/lib/ruby/2.4.0/net/http.rb:876:in `start'
        from C:/Users/pzi/AppData/Local/Temp/ocr5F07.tmp/lib/ruby/2.4.0/net/http.rb:1407:in `request'
        from C:/Users/pzi/AppData/Local/Temp/ocr5F07.tmp/src/test.rb:14:in `<main>'

zeroalpha commented 5 years ago

Hi @KrzaQ

I found this: https://mislav.net/2013/07/ruby-openssl/

The author discusses several ways to fix your problem.

You can either switch SSL certificate verification off (which I would not recommend) or add your certificate (or CA) manually:

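require 'net/http'  # the standard library has no 'https' feature to require

http = Net::HTTP.new('example.com', 443)
http.use_ssl = true
# Keep peer verification on; only the set of trusted CAs changes below
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

# Start from OpenSSL's default locations, then add the extra CA bundle
http.cert_store = OpenSSL::X509::Store.new
http.cert_store.set_default_paths
http.cert_store.add_file('/path/to/cacert.pem')
# ...or:
cert = OpenSSL::X509::Certificate.new(File.read('mycert.pem'))
http.cert_store.add_cert(cert)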

I hope this is still of some help.

amo13 commented 5 years ago

This seems pretty odd to me. I noticed that my ruby program runs perfectly fine with openssl doing its thing, no certificate problem at all. It also works just fine when ocra runs the program to check for dependencies before actually packaging stuff together. But afterwards, when I start the exe, I get this error about missing certificates: #<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)>

Is it possible that ocra misses out on packing the certificates into the exe?

For additional info in my case: I am using the tk gem for gui and therefore have to use the following command for the packaging: C:\ruby26-portable\bin\ruby.exe C:\ruby26-portable\bin\ocra C:\ruby26-portable\MyApp\MyApp.rb --windows --chdir-first --gemfile C:\ruby26-portable\MyApp\Gemfile C:\ruby26-portable\lib\ruby\gems\2.6.0\gems\tk-0.2.0\ --no-autoload --add-all-core

Do I have to add the certificates folder as an additional resource just like with the tk stuff?

Any hint would be greatly appreciated!
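
Added example, not part of the thread or of ocra's code: whether trust anchors are reachable from the packed executable can be checked from inside the program. The Ruby sketch below reports where OpenSSL will look for CA certificates, reproduces the "unable to get local issuer certificate" failure with an empty store, and shows the same leaf verifying once an explicit PEM bundle is loaded with verification left on. The CA, the leaf, the names and the temporary `cacert.pem` are constructed for the demonstration.

```ruby
require 'openssl'
require 'tmpdir'

# Where OpenSSL's default lookup (set_default_paths) will search, and whether
# those paths exist on the machine running the (possibly repackaged) interpreter.
def ca_search_report(env = ENV)
  file = env['SSL_CERT_FILE'] || OpenSSL::X509::DEFAULT_CERT_FILE
  dir  = env['SSL_CERT_DIR']  || OpenSSL::X509::DEFAULT_CERT_DIR
  { file: file, file_found: File.file?(file), dir: dir, dir_found: File.directory?(dir) }
end

# Trust store loaded only from an explicit PEM bundle; fails loudly if it is missing.
def store_from_bundle(pem_path)
  raise ArgumentError, "CA bundle not found: #{pem_path}" unless File.file?(pem_path)
  OpenSSL::X509::Store.new.tap { |store| store.add_file(pem_path) }
end

# Constructed test material: a throwaway certificate signed by issuer_key.
def make_cert(cn, key, issuer = nil, issuer_key = key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Verify a constructed leaf against an empty store, then against a bundle on disk.
def demo
  ca_key, leaf_key = Array.new(2) { OpenSSL::PKey::RSA.new(2048) }
  ca = make_cert('Constructed Test CA', ca_key, ca: true)
  leaf = make_cert('leaf.example.test', leaf_key, ca, ca_key)
  Dir.mktmpdir do |dir|
    bundle = File.join(dir, 'cacert.pem')
    File.write(bundle, ca.to_pem)
    empty = OpenSSL::X509::Store.new # no trust anchors at all
    { empty_ok: empty.verify(leaf), empty_error: empty.error_string,
      bundled_ok: store_from_bundle(bundle).verify(leaf), search: ca_search_report }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

The store returned by `store_from_bundle` can be assigned to `http.cert_store` in the same way as in zeroalpha's snippet above.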

damian-m-g commented 5 years ago

Hi guys, having the same problem as you. I've found an easy way to work around this problem for now.

Gotta use the gem net_http_ssl_fix. Require it in your code before using Net::HTTP. And make sure to update cacert.pem to its latest version; specific steps to do that are here.

Vucius commented 1 year ago

The method of net_http_ssl_fix has become invalid. The approach I have figured out now is Disabling Certificate Verification. Wishing everyone good luck.