得到"SSL_connect返回＝ 1 errno ＝ 0状态＝错误:证书验证失败".连接到S3时 [英] Getting "SSL_connect returned=1 errno=0 state=error: certificate verify failed" when connecting to S3

问题描述

我一直试图将照片上传到我的AWS存储桶，但是遇到标题中提到的错误.我知道这很可能与我的OpenSSL证书有关，但是到目前为止，我尝试过的任何建议解决方案都失败了.

I have been trying to upload a photo to my AWS bucket, but running into the error mentioned in the title. I understand that it most likely has to do with my OpenSSL certificates, but any suggested solution that I have tried has failed thus far.

我在OSX Yosemite上遇到了红宝石2.3.1，Rails 4.1.8，aws-sdk-core 2.3.4和载波0.11.0的问题.

I am running into this issue with ruby 2.3.1, Rails 4.1.8, aws-sdk-core 2.3.4, and carrierwave 0.11.0 on OSX Yosemite.

我也尝试过在此类似问题上发现的所有可用工具，以及其他(与Windows一起使用的其他工具):

I have tried all available found at this similar issue as well, as others (this one being with Windows): https://github.com/aws/aws-sdk-core-ruby/issues/166#issuecomment-111603660

这是我的一些文件:

carrierwave.rb

carrierwave.rb

CarrierWave.configure do |config|                     # required
  config.aws_credentials = {
    access_key_id:     Rails.application.secrets.aws_access_key_id, # required
    secret_access_key: Rails.application.secrets.aws_access_key,    # required
    region:            'eu-west-2'                  # optional, defaults to 'us-east-1'
  }

  config.aws_bucket = Rails.application.secrets.aws_bucket                        # required
  config.fog_attributes = { 'Cache-Control' => "max-age=#{365.day.to_i}" } # optional, defaults to {}
end

avatar_uploader.rb

avatar_uploader.rb

class AvatarUploader < CarrierWave::Uploader::Base

  storage :aws

  def store_dir
    "uploads/#{model.class.to_s.underscore}/#{mounted_as}/#{model.id}"
  end
end

编辑(更多信息):

stack trace:

    Seahorse::Client::NetworkingError - SSL_connect returned=1 errno=0 state=error: certificate verify failed:
  /Users/stevenharlow/.rbenv/versions/2.3.1/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock'
  /Users/stevenharlow/.rbenv/versions/2.3.1/lib/ruby/2.3.0/net/http.rb:933:in `connect'
  /Users/stevenharlow/.rbenv/versions/2.3.1/lib/ruby/2.3.0/net/http.rb:863:in `do_start'
  /Users/stevenharlow/.rbenv/versions/2.3.1/lib/ruby/2.3.0/net/http.rb:858:in `start'
  /Users/stevenharlow/.rbenv/versions/2.3.1/lib/ruby/2.3.0/delegate.rb:83:in `method_missing'
  aws-sdk-core (2.3.4) lib/seahorse/client/net_http/connection_pool.rb:292:in `start_session'
  aws-sdk-core (2.3.4) lib/seahorse/client/net_http/connection_pool.rb:104:in `session_for'
  aws-sdk-core (2.3.4) lib/seahorse/client/net_http/handler.rb:109:in `session'

尝试过的解决方案:

• Aws.use_bundled_cert！
• 手动下载证书和参考
• 我尝试使用雾代替载波波形法
• 升级rbenv后尝试重新安装ruby

这是

CONNECTED(00000003)
depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3-us-west-2.amazonaws.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---

<certificate info>

No client certificate CA names sent
---
SSL handshake has read 2703 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: <session-id>
    Session-ID-ctx: 
    Master-Key: <master-key>
    Key-Arg   : None
    Start Time: 1463697130
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

推荐答案

借助@RodrigoM的调查帮助和您的问题更新，一切都开始变得有意义.实际上，有两个明显的问题会导致您观察到错误:

With the investigative help of @RodrigoM and your question update, it all started to make sense. There are actually two distinct problems that contribute to the error you observe:

• 您的openssl安装没有在其受信任的证书存储区中验证Amazon服务器所需的证书链...
• ...这是应该通过将Aws.use_bundled_cert!添加到初始化程序 CN=DigiCert Baltimore CA-2 G2 已于2015年12月8日发布，因此没有想知道CA Bundle文件不包含它.

• Your openssl installation does not have the certificate chain needed to verify the Amazon server in its trusted certs store...
• ...which is the exact situation that should be solved by adding Aws.use_bundled_cert! to an initializer, according to the docs. But in this case it does not work because even though this command instructs the ruby openssl library to add various CA certs to the trusted store from the aws-sdk-core gem's CA bundle file, the file also does not contain the proper CA certificate as it is itself almost 2 years old and outdated. The intermediate CA cert CN=DigiCert Baltimore CA-2 G2 has been published Dec 8, 2015, so no wonder that the CA bundle file does not contain it.

现在，您有两个选择:

• 您可以尝试安装此中间CA证书，可能包括根CA证书( CN=Baltimore CyberTrust Root )，移至您的openssl受信任证书存储.这应该使s_client命令起作用.但是，使用来自ruby代码的这些受信任的证书可能仍然会遇到问题.有关使其在OSX上在ruby下工作的具体步骤，请参阅

• You can try to install this intermediate CA certificate, probably including the root CA cert (CN=Baltimore CyberTrust Root), to your openssl trusted certs store. This should make the s_client command work. But you might still run into issues using these trusted certs from ruby code. For concrete steps for making it work under ruby on OSX, refer to the Solution section of this SO question.

此外，由于无论如何您都使用分叉的aws-sdk-ruby gem存储库，因此您也可以更新

Also, since you are using a forked aws-sdk-ruby gem repository anyway, you may as well update the ca-bundle.crt file in your repo by adding the intermediate CA cert yourself (the root CA cert seems to be already present in the bundle). For this you need to do the following:

• 从 DigicertCA证书的官方页面上下载中间CA证书(您也可以使用上面的直接链接，但是要严格遵守安全规则，还应该检查指纹)

• 将其转换为PEM格式(以DER格式下载)，然后使用以下openssl命令将其添加到证书捆绑包中:

• download the intermediate CA cert from the official page of the DigicertCA certificates (you can as well use the direct link above, but to obey security rules precisely you should also check the fingerprints)

• convert it to the PEM format (it gets downloaded in DER format) and add it to the cert bundle using the following openssl command:

openssl x509 -in DigiCertBaltimoreCA-2G2.crt -inform DER >> ca-bundle.crt

运行此命令后，您的ca-bundle.crt应在文件末尾包含中间CA证书.

after running this command, your ca-bundle.crt should contain the intermediate CA certificate at the end of the file.

现在只需将此更新的捆绑文件推送到您的仓库中， Aws.use_bundled_cert!应该开始工作！

Now simply push this updated bundle file to your repo and the Aws.use_bundled_cert! should start working!

这篇关于得到"SSL_connect返回＝ 1 errno ＝ 0状态＝错误:证书验证失败".连接到S3时的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！