OpenSSL::SSL::SSLError:SSL_connect 返回=1 errno=0 state=SSLv3 读取服务器证书B:证书验证失败 [英] OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
问题描述
我使用 RVM 在 Ubuntu 12.04 上安装了 Ruby 1.9.3
I used RVM to install Ruby 1.9.3 on Ubuntu 12.04 by doing
rvm pkg install openssl
rvm install 1.9.3 --with-openssl-dir=$rvm_path/usr
然后当我尝试按照以下方式运行时:
And then when I try to run something along the lines of:
require 'open-uri'
open('https://www.google.com/')
我收到错误:OpenSSL::SSL::SSLError: SSL_connect Returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
我该如何解决这个问题?我有很多类似的帖子,人们在 OSX 中遇到了这个问题,但我如何在 Ubuntu 中解决它?
How do I solve this? I have many similar threads where people have this problem in OSX, but how do I resolve it in Ubuntu?
感谢您的帮助.
推荐答案
如果使用本机 OpenSSL 库未正确设置默认的OpenSSL 目录",有时会发生这种情况.open-uri 使用 OpenSSL::X509::Store#set_default_paths 来告诉 OpenSSL 在 OpenSSL 目录中查找包含 OpenSSL 默认信任的可信根证书的文件.
That sometimes happens if the default 'OpenSSL directory' is not set correctly with the native OpenSSL library. open-uri uses OpenSSL::X509::Store#set_default_paths in order to tell OpenSSL to look in the OpenSSL directory for the file that contains the trusted root certificates that OpenSSL trusts by default.
在您的情况下,此查找失败.您可以通过设置一个覆盖默认设置的环境变量并告诉 OpenSSL 在该目录中查找来使其成功:
In your case, this lookup fails. You can make it succeed by setting an environment variable that overrides the default setting and tells OpenSSL to look in that directory instead:
export SSL_CERT_FILE=/etc/pki/tls/cert.pem
这是我的 Fedora 16 64 位上根 CA 包的默认位置,其他流行的位置是/etc/ssl/ca-bundle.crt 等.在您的情况下,RVM 使用的 OpenSSL 库位于 $rvm_path/usr,因此您应该四处寻找适合默认根 CA 文件的候选者.环境变量设置正确后,open-uri的调用就会成功.
That's the default location for the root CA bundle on my Fedora 16 64 bit, other popular locations are /etc/ssl/ca-bundle.crt etc. In your case, the OpenSSL library used by RVM is located in $rvm_path/usr, so you should look around there for a suitable candidate for the default root CA file. After the environment variable is set correctly, the call to open-uri will succeed.
要使环境变量永久化,请使用通常的方法,例如在 .bashrc、/etc/profile 或任何最适合您情况的文件中定义导出.
To make the environment variable permanent, use the usual ways such as defining the export in .bashrc, /etc/profile or whatever fits best in your situation.
这篇关于OpenSSL::SSL::SSLError:SSL_connect 返回=1 errno=0 state=SSLv3 读取服务器证书B:证书验证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
