Ruby和OpenSSL证书验证失败

Question

Ruby和OpenSSL证书验证失败

3

我非常确定我已经尝试了每一个可能。这里是我要运行的代码：

require 'rubygems'
require 'rest-client'
require 'json'

def vipr_session(viprurl, username, password)
  vipr_session_link = RestClient::Resource.new(viprurl + '/login', username, password)
  vipr_session_response = vipr_session_link.get
  myvar = 'x_sds_auth_token'
  @mysession = vipr_session_link.headers[myvar.to_sym]
end

@username = 'root'
@password = 'mypw'
@viprurl = 'https://192.168.50.141:4443'

print " Logging into ViPR..."
  vipr_session(@viprurl, @username, @password)
print "Success! \n\n\n"
puts @mysession
storagesystems = JSON.parse(RestClient.get(@viprurl + '/vdc/storage-systems', :x_sds_auth_token => @mysession, :content_type => :json, :accept => :json))
puts storagesystems

这里是错误信息

kcoleman-mbp:vipr_scripts kcoleman$ ruby storage_systems.rb
 Logging into ViPR.../Users/kcoleman/.rvm/gems/ruby-2.1.2/gems/rest-client-1.7.2/lib/restclient/request.rb:445:in `rescue in transmit': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (RestClient::SSLCertificateNotVerified)
    from /Users/kcoleman/.rvm/gems/ruby-2.1.2/gems/rest-client-1.7.2/lib/restclient/request.rb:350:in `transmit'
    from /Users/kcoleman/.rvm/gems/ruby-2.1.2/gems/rest-client-1.7.2/lib/restclient/request.rb:176:in `execute'
    from /Users/kcoleman/.rvm/gems/ruby-2.1.2/gems/rest-client-1.7.2/lib/restclient/request.rb:41:in `execute'
    from /Users/kcoleman/.rvm/gems/ruby-2.1.2/gems/rest-client-1.7.2/lib/restclient/resource.rb:51:in `get'
    from storage_systems.rb:8:in `vipr_session'
    from storage_systems.rb:18:in `<main>'

我可以通过在RestClient中设置verify_ssl: false来使其正常工作，但是这段代码之前一直可以正常工作，突然间就不能用了。

以下是我尝试修复的方法:

rvm osx-ssl-certs update all
brew install openssl
brew link openssl --force
brew tap raggi/ale
brew install openssl-osx-ca
rvm pkg install openssl
curl http://curl.haxx.se/ca/cacert.pem -o /usr/local/etc/openssl/cert.pem

以下是我的当前配置

kcoleman$ which openssl
/usr/local/bin/openssl
kcoleman$ openssl version
OpenSSL 1.0.1i 6 Aug 2014

我看到了这篇文章《SSLError and Rubyist, sitting in a tree》，以下是doctor.rb脚本的输出结果。

kcoleman-mbp:ssl-tools kcoleman$ ruby doctor.rb 192.168.50.141:4443
/Users/kcoleman/.rvm/rubies/ruby-2.1.2/bin/ruby (2.1.2-p95)
OpenSSL 1.0.1g 7 Apr 2014: /etc/openssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""

HEAD https://192.168.50.141:4443
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

The server presented a certificate that could not be verified:
  subject: /CN=192.168.50.140
  issuer: /CN=192.168.50.140
  error code 18: self signed certificate

看起来 Ruby 正在使用与 RVM 打包的不同版本的 OpenSSL。通过在 rvm 上运行 openssl install 进行验证。

kcoleman-mbp:vipr_scripts kcoleman$ rvm pkg install openssl

Beware, 'rvm pkg ...' is deprecated, read about the new autolibs feature: 'rvm help autolibs'.

Checking requirements for osx.
Certificates in '/usr/local/etc/openssl/cert.pem' are already up to date.
Requirements installation successful.
Fetching openssl-1.0.1g.tar.gz to /Users/kcoleman/.rvm/archives
Extracting openssl to /Users/kcoleman/.rvm/src/openssl-1.0.1g....
Configuring openssl in /Users/kcoleman/.rvm/src/openssl-1.0.1g.......................
Compiling openssl in /Users/kcoleman/.rvm/src/openssl-1.0.1g...........................................................................................-
Installing openssl to /Users/kcoleman/.rvm/usr

如果您有任何想法可以尝试，我们将不胜感激。

- Kenny Coleman

我认为Steffen已经解决了IP不匹配的问题。生成新的自签名证书。请查看在Firefox中仅使用扩展密钥用途的证书以获取说明和配置文件样例。 - jww

1个回答

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- Steffen Ullrich · Accepted Answer

HEAD https://192.168.50.141:4443
OpenSSL::SSL::SSLError: SSL_connect返回了1个错误编号=0，状态=SSLv3读取服务器证书B：证书验证失败。
服务器呈现的证书无法验证：
  主题：/CN=192.168.50.140
  签发者：/CN=192.168.50.140
  错误代码18：自签名证书
您的证书存在几个问题，导致验证失败：


证书是自签名的，因此无法根据本地信任锚点进行检查。接受这样的证书等同于接受任何人自己创建的护照，而不仅仅是由受信任政府颁发的护照。
证书的主题与您用于连接的名称不匹配。该证书适用于192.168.50.140，但您将主机访问为192.168.50.141（可能仍然存在更多IP作为主体替代名称，这里未显示）。不检查证书中的名称相当于不检查护照中的照片是否与护照持有人相符。