ryanb / private_pub

Handle pub/sub messaging through private channels in Rails using Faye.
MIT License
864 stars, 228 forks

certificate verify failed #68

Open tomoyuki28jp opened 11 years ago

tomoyuki28jp commented 11 years ago

`curl -O 'https://mydomain.com:4443/faye.js'`

This command works over http, but not on the server where my private_pub is running. Any idea why?

I get this error: `error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed`

seraphinmiranda commented 11 years ago

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed error:xxxxxxxxx:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I have the same problem. I used the http://fabrizio-soppelsa.rhcloud.com/articles/thin-deploy guide to generate the self-signed certificate. Any suggestion?

mido18 commented 11 years ago

@seraphinmiranda So did you solve your problem? I get the same problem here.

ddnz commented 11 years ago

@mido18 So did you solve your problem? I get the same problem now.

mido18 commented 11 years ago

@ddnz Yes. In production mode what you need is a real SSL certificate; in development mode just `thin start -C "path/your/config" --ssl`.

aman199002 commented 10 years ago

I am using real ssl certificate in production, but still getting the same error:

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):

chrise86 commented 10 years ago

@aman199002 I'm also getting this problem in production. My SSL certificates work fine on the website. I noticed that the thin server returns <SSL_incomp> when trying to use PrivatePub.publish_to in the console.

Did you manage to solve your issues?

aman199002 commented 10 years ago

@chrise86: The problem is the same. The certificate is working on the website and faye.js is also available over https, but I get the error while using PrivatePub.publish_to. The error is still present with https in production.

chrise86 commented 10 years ago

@aman199002 I managed to solve it! Just appended the contents of the ca-bundle to the crt file specified in the slim config

aman199002 commented 10 years ago

Where did you find the ca-bundle file? I don't have any ca-bundle file in my certificates directory.

stevetoza commented 10 years ago

When you get your SSL certificate you should have the ca-bundle file with the crt file. If you haven't, you should be able to download it from your SSL provider. Once you have it, copy the contents of the ca-bundle file to the bottom of the crt file and it should work for you.

aman199002 commented 9 years ago

@stevetoza I have a "UTNAddTrustServer_CA.crt" file. Is it the same one you are talking about? I have appended its contents to the crt file, but it's not working yet. Any idea?

Irostovsky commented 9 years ago

I had the same issue with faye + ssl. The solution is:

  1. Use a real cert (I cannot make it run with a self-signed one).
  2. Create a correct PositiveSSL.ca_bundle and add it to your example_com.crt.
  3. Use the new example_com.crt in the faye thin config - http://www.rubyspy.com/150_20493316/

Note: by correct I mean creating the right cert chain, which depends on your SSL provider. In my case it was Comodo, so http://www.devside.net/wamp-server/installing-comodo-positivessl-certificate-bundled-with-root-and-intermediate-ca-certificates-on-apache. I saw the same manual for other SSL providers.

Note 2: when I just loaded the ca_bundle from the Comodo site and added it to my_site.crt, the site worked but faye failed.

rbcs commented 8 years ago

Hi, I am facing the same issue. What I did till now is add the content of the .ca file into the .crt file, but I still get the same SSL_incomp error in the rails console. Please help me if anyone knows about this. Thanks

ovinix commented 8 years ago

@rbcs I had the SSL_incomp issue for Thin and "certificate verify failed" in my Rails app log. The problem was inside the "private_pub" publish_to function. This error happened to me when the "http" request was created using Net::HTTP.new with use_ssl set to 'true'. I forked "private_pub" and changed the publish_message function a bit:

```ruby
# Inside PrivatePub.publish_message (the fork): present the server's own
# cert/key to thin and skip peer verification.
if http.use_ssl? and config[:cert_path].present? and config[:key_path].present?
  cert = File.read(config[:cert_path])
  key  = File.read(config[:key_path])
  http.cert = OpenSSL::X509::Certificate.new(cert)
  http.key  = OpenSSL::PKey::RSA.new(key)
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
```

But I don't know if setting http.verify_mode to OpenSSL::SSL::VERIFY_NONE is good idea.

So now you can set your 'private_pub.yml' like this:

```yaml
production:
  server: "https://localhost:4443/faye"
  secret_token: "secret"
  signature_expiration: 3600 # one hour
  cert_path: "/path_to_ssl/server.crt"
  key_path: "/path_to_ssl/server.key"
```

You can see my fork here.

Set your Gemfile like this:

```ruby
gem 'private_pub', :git => 'git://github.com/ovinix/private_pub.git'
```

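
The following is an added example, not private_pub's code nor any commenter's fork. It builds a constructed three-tier PKI (root, intermediate, server cert; names such as faye.example.com are placeholders) and uses it to show three things raised in this thread: why a server cert presented without its intermediate fails the client's verify step (the "certificate verify failed" in the Rails log), what the concatenated .crt file that stevetoza and Irostovsky describe has to contain and in which order, and how the publisher's Net::HTTP can keep VERIFY_PEER by being told which CA to trust, rather than switching to VERIFY_NONE as in the fork above. A cert/key match check is included because the thin key file must belong to the leaf certificate, not the CA.

```ruby
# Added example, not private_pub's own code: a constructed three-tier PKI
# (root -> intermediate -> server) used to show why a server cert served
# without its intermediate fails verification, what the concatenated chain
# file must contain, and how to keep VERIFY_PEER in the publisher instead
# of VERIFY_NONE. Names such as faye.example.com are placeholders.
require "openssl"
require "net/http"
require "uri"

# Issue an X.509 v3 certificate; self-signed when no issuer is given.
def issue_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..(2**62))
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage",
    ca ? "keyCertSign,cRLSign" : "digitalSignature,keyEncipherment", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

CA_KEY     = OpenSSL::PKey::RSA.new(2048)
INT_KEY    = OpenSSL::PKey::RSA.new(2048)
SERVER_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT_CA      = issue_cert("Example Root CA", CA_KEY, ca: true)
INTERMEDIATE = issue_cert("Example Intermediate CA", INT_KEY,
                          issuer: ROOT_CA, issuer_key: CA_KEY, ca: true)
SERVER_CERT  = issue_cert("faye.example.com", SERVER_KEY,
                          issuer: INTERMEDIATE, issuer_key: INT_KEY)

# The client side of the handshake's verify step: `trusted` are the client's
# anchors (its CA store); `presented` are the extra certificates the server
# sent alongside the leaf. Returns [ok, error_string_or_nil].
def verify_chain(leaf, presented, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, presented)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

# What "append the ca-bundle to the .crt" has to produce for thin's
# ssl_cert_file: the server cert first, then the intermediates in signing
# order. The root is optional, since the client must already trust it.
def build_chain_pem(leaf, intermediates)
  ([leaf] + intermediates).map(&:to_pem).join
end

# Split a concatenated PEM file back into certificates (leaf first).
def parse_chain_pem(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# ssl_key_file must hold the private key of the leaf in ssl_cert_file,
# not the CA's key; thin and nginx reject a mismatched pair.
def cert_matches_key?(cert, key)
  cert.check_private_key(key)
end

# Publisher-side alternative to verify_mode = VERIFY_NONE: keep VERIFY_PEER
# and give Net::HTTP the CA to trust (a private CA's PEM, or the system
# store when ca_pem is nil). cert_store and verify_mode are standard
# Net::HTTP attributes; nothing connects until a request is made.
def faye_client(server_url, ca_pem: nil)
  uri  = URI.parse(server_url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == "https")
  if http.use_ssl?
    store = OpenSSL::X509::Store.new
    if ca_pem
      parse_chain_pem(ca_pem).each { |c| store.add_cert(c) }
    else
      store.set_default_paths
    end
    http.cert_store  = store
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  end
  http
end

if __FILE__ == $PROGRAM_NAME
  puts "leaf only, root trusted:    #{verify_chain(SERVER_CERT, [], [ROOT_CA]).inspect}"
  puts "leaf + intermediate:        #{verify_chain(SERVER_CERT, [INTERMEDIATE], [ROOT_CA]).inspect}"
  chain = parse_chain_pem(build_chain_pem(SERVER_CERT, [INTERMEDIATE]))
  puts "from concatenated crt file: #{verify_chain(chain[0], chain[1..-1], [ROOT_CA]).inspect}"
  puts "server cert with CA key:    #{cert_matches_key?(SERVER_CERT, CA_KEY)}"
end
```

The first call reproduces the thread's failure: the root is trusted but the server only presents its leaf, so the store cannot build a path and reports an error such as "unable to get local issuer certificate". Adding the intermediate to what the server presents (which is what the concatenated crt file does for thin) makes the same verification succeed. Note that with VERIFY_PEER, Net::HTTP also checks that the certificate's name matches the host it connects to, so a `server:` URL of `https://localhost:4443/faye` only verifies if the certificate covers `localhost`; otherwise point `server:` at the hostname the certificate was issued for.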
rbcs commented 8 years ago

@ovinix Thank you for your response. I have solved this issue by appending ca-bundle files into .crt files and now thin server is running fine on https.

Edward-Teach commented 8 years ago

Houston, I have a problem ...

I tried to add the ca-bundle and this is what happens:

When I try to post a message (chat):

POST https://xxx/conversations/7/messages 500 (Internal Server Error)

Server msg:

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed): app/controllers/messages_controller.rb:18:in `create'

I did

  1. openssl genrsa -out ca.key 4096
  2. openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt
  3. openssl genrsa -out intermediate.key 4096
  4. openssl req -new -sha1 -key intermediate.key -out intermediate.csr
  5. openssl x509 -req -days 1825 -in intermediate.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out intermediate.crt
  6. openssl genrsa -out xxx.key 4096
  7. openssl req -new -key xxx.key -out xxx.csr
  8. openssl x509 -req -days 1825 -in xxx.csr -CA intermediate.crt -CAkey intermediate.key -set_serial 01 -out xxx.crt
  9. cat intermediate.crt ca.crt > ca.ca-bundle
  10. cat xxx.crt ca.ca-bundle >n.ca.crt

private_pub_thin.yml:

```yaml
port: 4443
ssl: true
ssl_key_file: /path/ca.key
ssl_cert_file: /path/n.ca.crt
environment: production
rackup: private_pub.ru
```

Nginx config:

```nginx
server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443;
    server_name xxx;
    ssl_certificate           /path/ca.crt;
    ssl_certificate_key       /path/ca.key;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log            /var/log/nginx/jenkins.access.log;

    location / {
         proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass          http://localhost:8080;
         proxy_read_timeout  90;
         proxy_redirect      http://localhost:8080 https://xxx;
    }
    location /faye {
          proxy_set_header  X-Real-IP  $remote_addr;
          proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Host $http_host;
          proxy_redirect off;
          root /var/applications/current/faye;
          proxy_pass https://0.0.0.0:4443;
          break;
    }
}
```

I'm running `rails s -p 8080 -b 0.0.0.0 -e production` and `thin -C config/private_pub_thin.yml start`.