带有 Twitter 的 Ruby SSL 在 Windows 7 上的证书 OpenSSL 问题上失败 [英] Ruby SSL with Twitter failed on cert OpenSSL issue on Windows 7

问题描述

我想访问 Twitter，但在使用 Net::HTTP 的 POST 函数时出现此错误.

I want to access Twitter and upon using Net::HTTP's POST function I get this error.

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

是的，我知道每个人都会收到此消息.

Yes I know everyone gets this message.

这是我找到的可行解决方案.

Here are viable solutions I found.

首先，手动设置证书文件:

First, manually set the cert file:

#! /usr/bin/env ruby
require 'net/https'
require 'uri'
 
uri = URI.parse(ARGV[0] || 'https://localhost/')
http = Net::HTTP.new(uri.host, uri.port)
if uri.scheme == "https"
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = File.join(File.dirname(__FILE__), "cacert.pem")
end
http.start {
  http.request_get(uri.path) {|res|
    print res.body
  }
}

这是由 Ariejan de Vroom 提供的:https://www.kabisa.nl/tech/ruby-and-ssl-certificate-validation/

This was provided by Ariejan de Vroom: https://www.kabisa.nl/tech/ruby-and-ssl-certificate-validation/

很多人对此给出了类似的答案.这对我不起作用.

Many people have given a similar answer to this. This did not work for me.

然后我发现了一些让我走上正确道路的东西.这家伙米斯拉夫·马罗尼奇 https://mislav.net/2013/07/ruby-openssl/ 确定了关注的领域.它与 OpenSSL::X509::DEFAULT_CERT_FILE 和 OpenSSL::X509::DEFAULT_CERT_DIR 有关.结果是通过它的源代码硬编码到我的 Ruby 1.9.3 中.Mislav 给出了他的解决方法:

Then I found something that brought me along the right path. This guy Mislav Marohnić https://mislav.net/2013/07/ruby-openssl/ nailed the area of concern. It has to do with OpenSSL::X509::DEFAULT_CERT_FILE and OpenSSL::X509::DEFAULT_CERT_DIR. Which turns out are hard coded into my Ruby 1.9.3 through it's source code. Mislav gives his workaround like so:

require 'https'

http = Net::HTTP.new('example.com', 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

http.cert_store = OpenSSL::X509::Store.new
http.cert_store.set_default_paths
http.cert_store.add_file('/path/to/cacert.pem')
# ...or:
cert = OpenSSL::X509::Certificate.new(File.read('mycert.pem'))
http.cert_store.add_cert(cert)

我涉足这个，我总是会得到这个错误:

I dabbled around with this and I would always get this error:

OpenSSL::X509::StoreError: cert already in hash table

呸，胡说八道！

我还应该提到他编写了一个脚本，可以帮助调试正在发生的事情.它可能对你有帮助，但对我来说不是.链接在他的页面上.

I should also mention he has written a script that should help debug what's going on. It may help you, but not in my case. The link is on his page.

我也设置了

ENV['SSL_CERT_FILE']
ENV['SSL_CERT_DIR']

在我的 ruby​​ 代码中没有成功.

in my ruby code without success.

然后我继续通过开始在windows中设置环境变量->控制面板 ->系统 ->高级系统设置 ->高级(标签)->环境变量 ->系统变量新建并添加了 SSL_CERT_DIR 和 SSL_CERT_FILE.这也不起作用.

Then I proceeded to set the environment variables in windows by Start -> Control Panel -> System -> Advanced System Settings -> Advanced(tab) -> Environment Variables -> System variables New and added the SSL_CERT_DIR and SSL_CERT_FILE. This didn't work either.

认证的 gem 对我不起作用... https://github.com/stevegraham/认证

And the certified gem didn't work for me... https://github.com/stevegraham/certified

所以我现在将为您下面的所有 Windows 7 用户提供我的 hack 答案.

So I will now provide you with my hack answer for all you Windows 7 users out there below.

推荐答案

所以我挖了一圈，基本上盯着证书的硬编码路径.在命令行输入这个

So I dug around and basically stared at the hard coded path of the certs. By typing this at the command line

ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'

我得到了以下...

c:/Users/Luis/Code/openknapsack/knap-build/var/knapsack/software/x86-windows/openssl/1.0.0k/ssl/cert.pem

所以我的解决方案是首先从 http://curl.haxx.se/ca/cacert 下载 cacert.pem.pem 到 c: .然后打开 Windows 控制面板 -> 管理工具 -> Windows PowerShell 模块.然后我继续输入:

So my solution was to first download cacert.pem from http://curl.haxx.se/ca/cacert.pem to c: . Then open up Windows Control Panel -> Administrative Tools -> Windows PowerShell Modules. Then I proceeded to type out:

cd 
cd users
mkdir Luis
cd Luis
mkdir Code
cd Code
mkdir openknapsack
cd openknapsack
mkdir knap-build
cd knap-build
mkdir var
cd var
mkdir knapsack
cd knapsack
mkdir software
cd software
mkdir x86-windows
cd x86-windows
mkir openssl
cd openssl
mkdir 1.0.0k
cd 1.0.0k
mkdir ssl
cd ssl
cp c:cacert.pem .cert.pem

现在一切正常！是的，这是一个便宜的黑客，而且很丑.但现在你和我都可以重新开始认真编码，而不必担心讨厌的问题.

And now everything works! Yes it's a cheap hack and it's ugly. But now both you and I can get back to doing serious coding and not worry about pesky problems.

我知道这不是一个很好的解决方法，但它是唯一对我有用的东西，它也应该对你有用.

I know it's not a great fix, but it's the only thing that worked for me, and it should for you too.

如果有人想编写一个 PowerShell 脚本来自动将证书文件安装到此目录中，那么您可以更轻松地将 Ruby 项目部署到 Windows 7.只是一个想法.

If some one would like to write a PowerShell script to auto install the cert file into this directory then you could more easily deploy your Ruby project to Windows 7. Just a thought.

顺便说一句，如果需要，您可以为任何操作系统复制此过程.只需找到证书文件所属的路径:

By the way, you can duplicate this process for any operating system should the need arise. Just find the path the cert file belongs in with:

ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'

并确保重命名文件，因为它显示在输出中！

And be sure to rename the file as it appears in the ouput!

这篇关于带有 Twitter 的 Ruby SSL 在 Windows 7 上的证书 OpenSSL 问题上失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！