certificate verify failed error in HTTPS communication

Asked 1 year ago, Updated 1 year ago, 94 views

I implemented the following code for server-to-server communication in Ruby, but I get the following error. If there is anything missing, could you please advise me?

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:certificate verify failed

Implementation

require 'net/https'
~~
https = Net::HTTP.new('Host', 443)
https.open_timeout = SYSTEM_TIMEOUT_SEC
https.read_timeout = SYSTEM_TIMEOUT_SEC
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.verify_depth = 5
https.ca_file = "./cacert.pem"

The cacert.pem was retrieved from the page below and placed in the same directory as the implementation file above.
https://curl.haxx.se/docs/caextract.html

If I ignore the certificate by specifying the following, communication succeeds.

OpenSSL::SSL::VERIFY_NONE

I ran the following command to check whether cert.pem really exists. Since the certificate contents were printed, I think it was saved:

$ cat (file path)/cacert.pem

By the way, the following output shows that the connection succeeds over HTTP, but if I specify HTTPS the connection is denied. Do I need to set something up on the server?

$ wget -S --spider http://xx.xx.xx.xx.xx
Spider mode is enabled. Verify that the remote file exists.
--2018-05-10 09:27:27-- http://xx.xx.xx.xx/
Connecting to xx.xx.xx.xx:80... Connected.
HTTP connection request sent, waiting for response...
  HTTP/1.1 200 OK
~~

$ wget -S --spider https://xx.xx.xx.xx.xx
Spider mode is enabled. Verify that the remote file exists.
--2018-05-10 09:28:06-- https://xx.xx.xx.xx/
Connecting to xx.xx.xx.xx:443... Failed: Connection denied.

ruby https

2022-09-30 21:30

1 Answer

I don't know the cause, but I have some questions, so I will summarize them as answers.

  • SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:certificate verify failed

    This often happens when the CA certificate (that is, cacert.pem) is not found.
    See the https.ca_file="./cacert.pem" item below.

  • https=Net::HTTP.new('Host',443)

    It says 'Host', so it's hard to tell, but you can't specify an IP address here. Be sure to specify a hostname. The hostname must then be on the server certificate.

  • https.ca_file="./cacert.pem"

    The ./ part does not mean the same directory as the implementation file, but the current directory at runtime. Is the path correct?

  • "Does cert.pem really exist?"

    It should be cacert.pem instead of cert.pem.

  • wget -S --spider https://xx.xx.xx

    https=Net::HTTP.new('Host',443) does not allow https to specify an IP address. Specify a hostname.

    However, specifying it with an IP address should not result in
    Connection Denied. You may need to check your nginx (or apache, etc.) or firewall settings.

That's all. I hope it will lead to a resolution.

HTTPS (or SSL/TLS) validates the certificate.

For example, if you go to https://example.com, example.com sends you a server certificate, and the client checks that it is not forged and that the Common Name (CN) or Subject Alt Name in the certificate says example.com.

This is certificate verification.

For Net::HTTP.new('hostname',443), verify that the specified hostname is in the certificate.

Similarly, for Net::HTTP.new('IP address',443), it verifies that the IP address you specified is in the certificate. However, the certificate does not contain an IP address, so the validation fails, which is where the error occurs.

This validation occurs when verify_mode is set to VERIFY_PEER, but not VERIFY_NONE. With VERIFY_NONE it runs because the certificate is never verified.


2022-09-30 21:30
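As an added example (not code from the question or the answer), here is how the points above translate into Ruby: the CA bundle path is resolved relative to the script file rather than the working directory, the client is built with VERIFY_PEER, and the same hostname check Net::HTTP performs is run against a constructed self-signed certificate to show that an IP literal does not match a certificate issued for a DNS name. The certificate, its names and the file paths are assumptions for illustration only.

```ruby
require 'net/https'
require 'openssl'

# Resolve the CA bundle relative to this script file, not the process's
# working directory, and fail loudly if it is missing.
def resolve_ca_file(name = 'cacert.pem', base = __dir__)
  path = File.expand_path(name, base)
  raise ArgumentError, "CA bundle not found: #{path}" unless File.file?(path)
  path
end

# Build a client that verifies the server certificate against ca_file.
def build_client(host, ca_file, timeout: 10)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.verify_depth = 5
  http.ca_file = ca_file
  http.open_timeout = timeout
  http.read_timeout = timeout
  http
end

# Constructed self-signed certificate whose SAN lists the given DNS names.
# It stands in for a real server certificate here; nothing trusts it.
def example_cert(dns_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{dns_names.first}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  san = dns_names.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The hostname match Net::HTTP performs after the chain check: the name passed
# to Net::HTTP.new must appear in the certificate's SAN (or CN).
def identity_ok?(cert, name)
  OpenSSL::SSL.verify_certificate_identity(cert, name)
end
```

With a hostname that is in the certificate the check passes; with an IP address it fails even though the chain itself is valid, which is the "certificate verify failed" case from the question.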



© 2024 OneMinuteCode. All rights reserved.