OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed) 同时连接到 Paypal [英] OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed) while connecting to Paypal

问题描述

我知道有很多关于这个错误的讨论，但很抱歉我无法找到任何可行的解决方案.

I know there are lots of discussion regarding this error but sorry to say that I'm unable to find any working solution over there.

我正在使用 ShareTribe 开发电子商务网站.我正在尝试将 Paypal 用作支付网关.所以我正在使用 Activemerchant.

I'm developing a ecommerce site using ShareTribe.I'm trying to implement Paypal as payment gateway.So I'm using Activemerchant.

在开发机器上一切正常，但是当我将我的 rails 应用程序部署到生产环境时它会抛出

Everything works fine on development machine but when I deploy my rails app to production It throws

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)

我将我的 Activemerchant 初始化为

I'm initializing my Activemerchant as

 config.after_initialize do
    ActiveMerchant::Billing::Base.mode = :test
    paypal_options = {
        login: "bla bla",
        password: "bla bla",
        signature: "bla bla",
        appid: "APP-80W284485P519543T"
    }
    ::EXPRESS_GATEWAY = ActiveMerchant::Billing::PaypalExpressGateway.new(paypal_options)

  end

添加了 HTTPS 并禁用了 SSLV3

经过大量谷歌搜索后，我发现

Added HTTPS and Disabled SSLV3

After lots of googling I found that

SSLv3 被证明是不安全的 POODLE 漏洞.你应确保您的系统具有最新版本的 OpenSSL，以便您可以使用 TLSv1.2.

SSLv3 was proven to be insecure with the POODLE vulnerability. You should make sure that your system has the latest version of OpenSSL so that you can use TLSv1.2.

所以我禁用了 SSLV3，如下所示

So I disabled SSLV3 as shown below

 openssl s_client -connect kickmarket.eu:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...........................................
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2038 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4D23F4A942AAD4264BE96EB5F1E62204269D882A64ACFBD2D139CD2F10A449A0
    Session-ID-ctx: 
    Master-Key: 1E381DAA3BA90FE3609606716E7E9A2EB2E2F671E9F3C4005D8EBAE009103A7AB771FB2AC8B45F169F43CBD0AD352E06
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
   ..................................

    Start Time: 1446132175
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

但是重启nginx后我遇到了同样的问题.有什么办法可以解决这个问题.任何建议将不胜感激.

But after restarting nginx I got the same problem.Is there Any way to fix this issue. Any suggestion will be appreciated.

推荐答案

造成这种情况的主要原因是 rvm 安装的 ruby​​ 确实会查找错误的证书目录，而 OSX-ruby 会查找正确的目录.

The primary cause for this is the rvm installed ruby does look into the wrong directory for certificates whereas the OSX-ruby will look into the correct one.

您要做的不是使用任何预编译的 ruby​​，而是在本地机器上编译 ruby​​，如下所示:

What you wanna do is NOT TO USE any of the precompiled rubies and rather have ruby compiled on your local machine, like so:

rvm install 2.2.0 --disable-binary

可以阅读详细说明https:///toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html

这篇关于OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed) 同时连接到 Paypal的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！