Ruby on Rails - Trouble using an SSL certificate: 'self signed certificate in certificate chain'


I am using a self-generated wildcard SSL certificate, and I would like to know whether the following is a problem and, if so, how I can fix it. The certificate is for a Ruby on Rails 3 web application running on localhost.

I am using Mac OS running "Snow Leopard" 1.6.6. Typing the following in a terminal:

```
<my_user_name>$ openssl s_client -connect localhost.com:443
```

I get the following:

```
CONNECTED(00000003)
depth=1 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = Name\Surname
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=*localhost.com
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
 1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
---
Server certificate
-----BEGIN CERTIFICATE-----
miicjdccay0caqewdqyjkozihvcnaqeebqawwtelmakga1uebhmcqvuxezarbgnv
bagmclnvbwutu3rhdguxitafbgnvbaomgeludgvybmv0ifdpzgdpdhmguhr5iex0
zdesmbaga1ueawwju2vyz2lviewumb4xdtexmdixodiwmdawofoxdteymdixodiw
mdawofowxdelmakga1uebhmcqvuxezarbgnvbagmclnvbwutu3rhdguxitafbgnv
baomgeludgvybmv0ifdpzgdpdhmguhr5iex0zdevmbmga1ueawwmknbqdg5hbwuu
y29tmigfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqddm46dh9rwky5snkbwj7oo
wytsjw8fflrskjge0qqgkpz5ztyk8yc/kifi4gpwzyvysepmvqhr6+wpv8ry1kvx
bl2qhf6sslbbc5bvok4ef2rx9lnaz/ndy+0q07dvsnammcxhnmegltcg1jzhazcg
g7elpm2piqlaqvklfsjwkqidaqabma0gcsqgsib3dqebbauaa4gbado7xjboaszm
bm/xelq1auvu1dr6/wkowloxcn8+kwsumyidzj1yl8+83nhhg/yekzor25n/i0sq
zn1aui3ox5vxlx8vp2xqsnug2bm/infqxon+90jjhzypbcokh9ifzysnj7fvgg57
kz4et2jsfchxfmrqqoputdop/gnkw3me
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=*localhost.com
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
---
No client certificate CA names sent
---
SSL handshake has read 1944 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 63be474e62950d542bcbe30f72f80c28851ee23ea15ba34ae3e3e46ab5615505
    Session-ID-ctx:
    Master-Key: 9e8a8f7f4e824a2b251d5a28e3a133ac761ba8edb237073973d2b1ae0ae0a31addada2315f33b443b3f29d382070fc6c
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - 10 b0 f3 4d 96 90 d3 65-22 d4 bf 09 27 8c a0 af   ...m...e"...'...
    0010 - d3 79 5c 9a cf d9 5b e1-3f aa 46 56 55 9b 55 50   .y\...[.?.fvu.up
    0020 - 8b 49 99 07 bc 35 e0 bc-e1 1d 4e 61 f0 aa 33 57   .i...5....na..3w
    0030 - 1d 37 0b dd 51 ae 81 ea-df 8e 6e 25 ff f7 2b ff   .7..q.....n%..+.
    0040 - e9 88 79 e4 57 2a b2 f2-61 22 df 86 f0 24 57 a7   ..y.w*..a"...$w.
    0050 - 06 13 b5 71 47 dc d5 ac-c2 61 89 75 6e 03 45 cc   ...qg....a.un.e.
    0060 - 14 69 0c 72 3a 4a 00 b3-4f d8 8d 44 2d 66 cb 40   .i.r:j..o..d-f.@
    0070 - 80 c8 9b e2 12 9f 0d b4-58 6e a1 c7 bb fe 92 6d   ........xn.....m
    0080 - b8 b7 b7 f0 dc 1c ab fd-44 a4 25 96 c6 09 09 a1   ........d.%.....
    0090 - aa ff c0 dc 53 6b 30 13-30 f3 44 f6 78 b1 43 c7   ....sk0.0.d.x.c.
    00a0 - ca 88 9d 63 41 d3 c1 a1-af fa 36 e2 9c fd 0e 62   ...ca.....6....b
    00b0 - c4 44 6b 5c 74 da ff be-a8 98 3f 54 f9 fa 59 15   .dk\t.....?t..y.

    Compression: 1 (zlib compression)
    Start Time: 1298072476
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
```

The issue, maybe, is on line 3: `verify error:num=19:self signed certificate in certificate chain`. What does it mean? Is the certificate working for localhost.com?


Update

In the browser the self-signed certificate is accepted (I explicitly added the certificate to the list of private certificates in the system), so why `verify error:num=19:self signed certificate in certificate chain`? Also, in my application I use the following code to make HTTP requests over SSL:

```ruby
require 'uri'
require 'net/https'
require 'json'

host = "https://<subdomain>.localhost.com"
path = "/users/1.json"

uri = URI.parse("#{host}#{path}")

http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true

http.verify_mode = OpenSSL::SSL::VERIFY_NONE
# I think here it is necessary to verify connections using 'http.verify_mode = OpenSSL::SSL::VERIFY_PEER':
# on localhost the connection fails when I use that, but in production mode
# (when I deploy the application) I think I must use 'VERIFY_PEER'.
http.ca_file = File.join(File.dirname("<certificate_folder>/wildcard.certificate/ca.db.certs/"), "01.pem")

http.start do
  # Net::HTTP#get takes the request path, not the full URL
  response = http.get(uri.request_uri)
  @test_response = JSON.parse(response.body)["profile"]
end
```

Is the connection going over SSL? What does 'VERIFY_PEER' mean?

SSL verifies the validity of a host by checking the certificate of the host.

Every certificate is either:

  1. self-signed, or
  2. a signed certificate.

If it is a signed certificate, it checks the certificate that signed it.

Now, at this point, to verify whether a certificate is valid or not, it has to match a certificate against the store of 'valid' certificates it has on the system (e.g. Firefox maintains its own store, Windows has its own store, etc.). If it matches a certificate in the hierarchy against the store, it treats that certificate as valid, and therefore the certificates it signed as valid.

However, if the certificate is self-signed and isn't in the store, it will reject it, or warn that it cannot verify the certificate.

If the certificate is for testing out the application, or for a very limited-scale deployment where you can ask people to add the certificate to their store, that is alright. However, if you are planning to move the application to a production site at somedomain.com, you need to buy a certificate for the domain.

Note: in either case, a self-signed certificate for localhost will only be valid for 'localhost', not if accessed on the intranet via IP.
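To make the answer's two cases (self-signed vs. signed) and the question's `VERIFY_NONE` concern concrete, here is an added example that is not code from the question, the answer, or Rails. It builds a throwaway CA and a wildcard leaf certificate in memory with Ruby's OpenSSL bindings and then runs the same chain validation a client performs, showing which verify error each trust-store configuration produces: error 19 is exactly the situation in the `s_client` output, where the server sends its self-signed root in the chain but the client does not trust it. The subject names, the 2048-bit RSA keys and the SAN `*.localhost.com` are assumptions for the example (the question's output shows `cn=*localhost.com`).

```ruby
require 'openssl'

# Added example: throwaway CA + leaf, built in memory so it runs offline.
# Names, key sizes and the wildcard SAN are assumptions, not the question's data.

def build_cert(subject:, key:, serial:, ca:, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                                   # X.509 v3, needed for extensions
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer.subject : cert.subject   # self-signed if no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', 'DNS:*.localhost.com'))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = build_cert(subject: '/C=AU/O=Example Dev CA/CN=Dev Root',
                       key: CA_KEY, serial: 1, ca: true)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = build_cert(subject: '/C=AU/O=Example/CN=*.localhost.com',
                       key: LEAF_KEY, serial: 2, ca: false,
                       issuer: CA_CERT, issuer_key: CA_KEY)

# Validate `leaf` the way a TLS client does: `untrusted` is what the server
# sent alongside its certificate, `trusted` is the client's store of roots
# (what ca_file / cert_store feed in Net::HTTP). Returns [ok, code, message].
def verify_chain(leaf, untrusted, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, untrusted)
  [ok, store.error, store.error_string]
end

# Hostname matching is a separate step from chain validation; Ruby's OpenSSL
# module exposes the check used for TLS identities.
def name_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

if __FILE__ == $0
  # 1. Server sends leaf + its self-signed root, root not trusted -> error 19
  p verify_chain(LEAF_CERT, [CA_CERT], [])
  # 2. Server sends only the leaf, issuer unknown to the client -> error 20
  p verify_chain(LEAF_CERT, [], [])
  # 3. A self-signed certificate used directly as the server cert -> error 18
  p verify_chain(CA_CERT, [], [])
  # 4. Root added to the client's store (the ca_file / cert_store fix) -> ok
  p verify_chain(LEAF_CERT, [CA_CERT], [CA_CERT])
  p name_matches?(LEAF_CERT, 'api.localhost.com')   # wildcard covers it
  p name_matches?(LEAF_CERT, 'localhost')           # not covered by *.localhost.com
  p name_matches?(LEAF_CERT, '127.0.0.1')           # no iPAddress SAN, so an IP never matches
end
```

In the question's `Net::HTTP` code the equivalent of case 4 is `http.verify_mode = OpenSSL::SSL::VERIFY_PEER` together with `http.ca_file` pointing at the CA's PEM (or `http.cert_store = store`); the leaf's own PEM in `ca_file` does not help, because the store needs the root that signed it. `VERIFY_NONE` skips chain validation entirely, so a connection that "works" with it says nothing about whether the certificate is valid, and the hostname mismatch in the last two calls (the IP-address case from the answer's note) only surfaces once verification is on.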

