I implemented the following code to communicate with Ruby between servers, but I get the following error. If there is anything missing, could you please advise me?
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:certificate verify failed
Implementation
require 'net/https'
~~
https = Net::HTTP.new('Host', 443)
https.open_timeout = SYSTEM_TIMEOUT_SEC
https.read_timeout = SYSTEM_TIMEOUT_SEC
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.verify_depth = 5
https.ca_file = "./cacert.pem"
The cacert.pem was retrieved from the page below and placed in the same hierarchy as the implementation file above.
https://curl.haxx.se/docs/caextract.html
If you ignore the certificate by specifying the following, you will be able to communicate.
OpenSSL::SSL::VERIFY_NONE
I ran the following command to see if cert.pem really exists.
I think it was saved because the certificate information was printed.
$ cat (file path)/cacert.pem
By the way, the following output shows that it is connected, but if you specify HTTPS, the connection is denied. Do I need to set it up on the server?
$ wget -S --spider http://xx.xx.xx.xx.xx
Spider mode is enabled. Verify that the remote file exists.
--2018-05-10 09:27:27--  http://xx.xx.xx.xx/
Connecting to xx.xx.xx.xx:80... Connected.
HTTP connection request sent, waiting for response...
HTTP/1.1 200 OK
~~
$ wget -S --spider https://xx.xx.xx.xx.xx
Spider mode is enabled. Verify that the remote file exists.
--2018-05-10 09:28:06--  https://xx.xx.xx.xx/
Connecting to xx.xx.xx.xx:443... Failed: Connection denied.
I don't know the cause, but I have some questions, so I will summarize them as answers.
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:certificate verify failed
This often happens when the CA certificate (that is, cacert.pem) is not found.
Check the https.ca_file = "./cacert.pem" items below.

https = Net::HTTP.new('Host', 443)
It says 'host', so it's hard to tell, but you can't specify an IP address here. Be sure to specify a hostname. The hostname must then be on the server certificate.

https.ca_file = "./cacert.pem"
The ./ part does not mean the same hierarchy as the implementation file, but the current directory at runtime. Is the hierarchy correct?

"Does cert.pem really exist?"
It should be cacert.pem instead of cert.pem.

wget -S --spider https://xx.xx.xx
https = Net::HTTP.new('Host', 443) does not allow https to specify an IP address. Specify a hostname.
However, specifying it with an IP address should not result in Connection Denied.
You may need to check your nginx (or apache, etc.) or firewall settings.
That's all. I hope it will lead to a resolution.
HTTPS (or SSL/TLS) validates the certificate.
For example, if you go to https://example.com, example.com will send you a server certificate, so make sure that it is not forged and that the Common Name (CN) or Subject Alt Name in the certificate says example.com.
This is certificate verification.
For Net::HTTP.new('hostname', 443), verify that the specified hostname is in the certificate.
Similarly, for Net::HTTP.new('IP address', 443), verify that the IP address you specified is in the certificate. However, the certificate does not contain an IP address, so the validation fails, where an error occurs.
This validation occurs when verify_mode is set to VERIFY_PEER, but not VERIFY_NONE. With VERIFY_NONE, you can run it because you have not verified the certificate.
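
The two checks from the answer above, as an added Ruby example (not part of the original question or answers): the CA bundle is resolved relative to the source file instead of the runtime current directory, and the certificate name check is run offline against a hostname and an IP address. The helper names build_https, constructed_cert and name_matches? are hypothetical, and the certificate is a constructed self-signed sample.

```ruby
require 'openssl'
require 'net/http'

# Hypothetical helper: resolve cacert.pem relative to this source file rather
# than the current directory at runtime, and fail fast if it is missing.
def build_https(host, ca_path: File.expand_path('cacert.pem', __dir__))
  raise ArgumentError, "CA bundle not found: #{ca_path}" unless File.file?(ca_path)

  https = Net::HTTP.new(host, 443)
  https.use_ssl = true
  https.verify_mode = OpenSSL::SSL::VERIFY_PEER
  https.ca_file = ca_path
  https
end

# Constructed sample input: a self-signed certificate whose CN and
# subjectAltName carry only a DNS name, like a typical server certificate.
def constructed_cert(dns_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{dns_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{dns_name}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Name check only (chain validation against the CA bundle is separate):
# does the certificate cover the name passed to Net::HTTP.new?
def name_matches?(cert, connect_to)
  OpenSSL::SSL.verify_certificate_identity(cert, connect_to)
end

if $PROGRAM_NAME == __FILE__
  cert = constructed_cert('example.com')
  puts "example.com => #{name_matches?(cert, 'example.com')}"
  puts "192.0.2.10  => #{name_matches?(cert, '192.0.2.10')}"
end
```

An IP address passes this name check only when the certificate carries an iPAddress subjectAltName entry for it.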