SSLError with upgrade from 0.2.0 to 0.2.1 #260
I can confirm we also ran into this issue when upgrading to 0.2.1. Our solution for now was to add an initializer that does the following:
But clearly this isn't a practical or desirable solution. I'd also like to see a wiki entry that specifically solves the issue with Facebook.

I just posted the following on the Stackoverflow thread about this issue. The real problem is that Faraday (which Omniauth/Oauth use for their HTTP calls) is not setting the ca_path variable for OpenSSL. At least on Ubuntu, most root certs are stored in "/etc/ssl/certs". Since Faraday isn't setting this variable (and currently does not have a method to do so), OpenSSL isn't finding the root certificate for Facebook's SSL certificate. I've submitted a pull request to Faraday which will add support for this variable and hopefully they will pull in this change soon. Until then, you can monkeypatch faraday to look like this or use my fork of Faraday. After that, you should specify version 0.3.0 of the OAuth2 gem in your Gemspec which supports the passing of SSL options through to Faraday. You'll then be able to properly fix this issue by just adding the following to your Omniauth initializer:
So, to recap:
Michael/OmniAuth team: Could you bump the oauth2 dependency to 0.3.0 in the next release so the SSL options can be passed through? 0.2.x doesn't support it. Thank you!

I ran into the same problem when deploying to Heroku.

I just merged your pull request into the Faraday master. I'll talk to @technoweenie and @mislav about pushing out a new Faraday gem that includes your patch and some other small fixes to the 0.6.0 release. That will take care of problem number 1 above. As for number 2: I've already released version 0.3.0 of the oauth2 gem, so @mbleigh just needs to update the omniauth gemspec to point to it. And number 3 is up to you!

I just released faraday 0.6.1: http://rubygems.org/gems/faraday

Thanks! Once the oauth2 dependency is sorted in omniauth, this should probably be added as a wiki article to ensure folks are passing the right ca_path and not turning off peer verification for no good reason...

Thanks to both of you! I agree with akremer--I can write up the wiki article when the oauth2 dependency is raised to 0.3.0. I wasn't able to point Omniauth 0.2.1 to the right certs using akremer's code above. I believe this is because Omniauth 0.2.1 is using Oauth2 0.2.0. For now, I'm still just bypassing ssl certs by using omniauth 0.2.0 as I'm not yet in production. In the meantime, for any other linux users trying to get this to work, you can find out your ssl certs directory with
However,

Still seeing an error with faraday 0.6.1, oauth 0.3.0 and omniauth 0.2.2: On the server:

run

Created a wiki entry with most of this information: https://github.com/intridea/omniauth/wiki/Setting-up-SSL-certificate-locations-in-Linux Please edit it if you find anything to be vague or verbose. I didn't include anything about the missing digicert root certificate yet, but that should be added once kbighorse verifies that works for him (and hopefully has some instructions on installing the certificate).

Faraday project needs such docs. @eric-hu, I would be grateful if you documented this cert stuff in the Faraday wiki. Then, Omniauth wiki can refer to the original docs in the Faraday wiki. People should be aware that, if they consume APIs over SSL, they need to do it with proper certificate verification.

Return code is 0: https://gist.github.com/926579, unfortunately. Thanks for the tip though!

@mislav I'd be happy to, especially since most solutions floating around to this problem are essentially "disable SSL". I haven't used Faraday directly, though. I'm looking around for usage examples, but if you know some or can come up with some simple ones, that would save me a lot of time.

I have also seen the same issue with omniauth 0.2.4, oauth 0.4.1 and faraday 0.6.1, and the command suggested by @akremer returns 0 so the ssl cert is working. I have also set the ca_path but am still getting the error. Any ideas?

Are you sure your initializer is set correctly as in the above example? If so and you're still getting an error, I'd try writing a simple app with just Faraday that makes a call to https://graph.facebook.com and try to pass the ca_path parameter. If it errors out at that point, at least we know where to dig further. Another thing to check might be that apache/nginx or whatever you use can actually read from your ca_path.

The server used is Mongrel and the distro is Fedora. The problem does not occur on my ubuntu box, and if I set ca_path there it solves all problems. Fedora has a bundle file but, as I said, the command above returns status 0. I have even tried to copy all the certs from Ubuntu to Fedora but that did not help either.

Try /etc/pki/tls/certs or /usr/share/ssl/certs on Fedora and make sure the apache user can read from there. If that doesn't work, try passing :ca_file (instead of :ca_path) and point it to /etc/pki/tls/certs/ca-bundle.crt - again, make sure your web runner can read the file.

@akremer, thank you VERY much. Passing :ca_file and providing the file path did the trick :)

@nat0 Was using the paths alone insufficient? I'd just like to know so the wiki can have this information for other Fedora users.

I have the same problem with Ubuntu (on Heroku). I define
But it isn't working.

@akremer, sounds like my issue is still unresolved?

@matthiasjakel I'm familiar with Heroku but haven't deployed any applications to it yet. Is that where the path for SSL certs is on the Heroku server? I couldn't find what OS a Heroku dyno runs (if it even does). A solution for you would be to get the certs bundle from a CA third party, like Godaddy's, and upload it as part of your project. Then point your CA_PATH (and possibly CA_FILE) there. I'd personally prefer to use SSL certs that Heroku provides if they're available--I assume they'll keep them up to date and that will be one less thing for you to manage. Can you run the

@kbighorse what OS are you using? You may require an OS-specific solution like nat0. Another possible explanation--I noticed that your openssl version is a little older than mine (I'm running on ubuntu 10.10, but openssl should be update-able independently).
Perhaps your certs are out of date?

You can't run commands on the Heroku platform. @matthiasjakel, you should ask Heroku support for the location of the CA bundle.

@mislav yes, you can. You have to run
and if you want to make a shell request you have to set your request in backticks
The path is 00673b5b.0

I'm also trying to implement this fix on heroku... Here is my setup:
I've tried the "fix" in application.rb:

require 'rails/all'
# If you have a Gemfile, require the gems listed there, including any gems
# you've limited to :test, :development, or :production.
Bundler.require(:default, Rails.env) if defined?(Bundler)
module Rowingcamps

I've also tried sticking it at the bottom of application.rb and in its own config/initializers/omniauth.rb as:

Rails.application.config.middleware.use OmniAuth::Builder do

It will process to facebook, but on the way back it gives me this error:

2011-04-29T00:49:47+00:00 app[web.1]: RuntimeError (Did not recognize your engine specification. Please specify either a symbol or a class.):
2011-04-29T00:49:46+00:00 app[web.1]: Started GET "/users/auth/facebook/callback?code=ZehYWl7LlGPSmM8CYkFY6_WYlzWkd8P7BlDa8Fbef6g.eyJpdiI6IkUydWpEZUJ5TnpHZjZ3TTFoZ1Zta0EifQ.u1qKg0oqnxLsWZ6ha5JteAApgy0qhutLpkEf_gOZl-Qwy59wmhB3HvtbSs0QAjuiwMJydeSiulwEnfWK8WAKfuKpmVNtfqsENPY8-21UYCMtVlYv8uXuycQ87aXpUFZW" for 67.189.114.129 at Thu Apr 28 17:49:46 -0700 2011

Am I doing something wrong?? I've followed the wiki page https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview to the T ;x

@eric-hu: you have to change ca_path to ca_file and point it to the ca bundle. So use ca_file instead of ca_path.

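The :ca_path versus :ca_file confusion in this thread (and the 00673b5b.0-style file names mentioned above) comes down to how OpenSSL searches each location: a :ca_file bundle is read whole, while a :ca_path directory is only searched by subject-hash file name, so a directory of plainly named .crt files verifies nothing. The following is an added example, not code from this thread or from Faraday/OmniAuth; it builds a constructed test CA with Ruby's stdlib openssl and checks each layout the way a Faraday :ssl option would. The names make_cert, verifies? and ca_layout_results are my own.

```ruby
require 'openssl'
require 'tmpdir'
require 'fileutils'

# Build a throwaway CA, or a leaf signed by one. Constructed test material,
# not real Facebook or public-CA certificates.
def make_cert(subject, issuer: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**31)
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Verify a leaf against a store built the way Faraday's :ssl options are:
# :ca_file is one PEM bundle; :ca_path is a directory OpenSSL searches by
# subject-hash file name (the 00673b5b.0-style names seen in this thread).
def verifies?(leaf, ca_file: nil, ca_path: nil)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file) if ca_file
  store.add_path(ca_path) if ca_path
  store.verify(leaf)
end

def ca_layout_results
  ca, ca_key = make_cert('/CN=Constructed Test Root', ca: true)
  leaf, _key = make_cert('/CN=graph.example.test', issuer: ca, issuer_key: ca_key)
  Dir.mktmpdir do |dir|
    bundle, raw_dir, hashed_dir = %w[ca-bundle.crt raw hashed].map { |n| File.join(dir, n) }
    FileUtils.mkdir_p([raw_dir, hashed_dir])
    File.write(bundle, ca.to_pem)
    # Same PEM under an arbitrary file name: invisible to a :ca_path lookup.
    File.write(File.join(raw_dir, 'root.crt'), ca.to_pem)
    # Same PEM named <subject hash>.0, as c_rehash names it: found by :ca_path.
    File.write(File.join(hashed_dir, format('%08x.0', ca.subject.hash)), ca.to_pem)
    {
      ca_file:        verifies?(leaf, ca_file: bundle),      # true
      raw_ca_path:    verifies?(leaf, ca_path: raw_dir),     # false
      hashed_ca_path: verifies?(leaf, ca_path: hashed_dir),  # true
      no_trust_store: verifies?(leaf)                        # false
    }
  end
end
```

The raw_ca_path case is the Fedora situation above: the bundle file is readable, but pointing :ca_path at a directory that holds it under a non-hashed name still fails verification, which is why switching to :ca_file (or running c_rehash on the directory) fixes it.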
Just wanted to let you know that I was having this problem and it was solved by doing what @akremer suggested. I'm using CentOS with Virtualmin and ended up having:

Added this information to the Faraday and Omniauth wikis. Thanks for the confirmations.

I have been fighting with this issue on Heroku for several hours now, and I can't get @dapbot's solution to work (unfortunately). I have put in a support request with Heroku. Here is what I am using in my initializer:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :facebook, 'MY_APP_ID', 'MY_SECRET',
    {:scope => 'email, offline_access', :client_options => {:ssl => {:ca_file => '/usr/lib/ssl/certs/ca-certificates.crt'}}}
end

I am doing this through Devise 1.3.4 and Omniauth 0.2.5. I have not tried downgrading Omniauth yet.

@rwhiten1 I'm using Omniauth 0.2.5 too, so don't know what the difference in our setups could be. I'm not using Devise but don't see how that could matter (?)

@dapbot I was following the devise-omniauth tutorial found here: https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview. Maybe there is some other omniauth configuration parameter I am missing? f*%$in' clouds. How do they work?

I figured it out. Since I am using Devise, the omniauth config goes into Devise's initializer. So I had erroneously created a brand new initializer for omniauth to handle the SSL issue, but left the omniauth config inside of the Devise initializer. Once I moved the SSL portion into the Devise initializer and removed the separate omniauth initializer file, everything worked! I am going to document this on the Devise wiki.

Followed the updated OmniAuth:-Overview tutorial. I do not have a separate omniauth initializer file and the /config/initializers/devise.rb contains:
Yet I still get the error? Ideas?

@xhertz what OS are you using? My first guess would be to eliminate/comment that line and create

Found the problem .... was missing the "," after the 'MY_SECRET' .... darn, I make hard mistakes to track down.

We played for hours with those ca_file and ca_path and cannot manage to make it work with Rails 2.3.8, Ruby 1.8.7... Here is our configuration:
And the exception that we get every time looks like this:
However, disabling the certificate checking with the code below works fine:
Here is the content of our /etc/ssl/certs folder:
00673b5b.0 a15b3b6b.0 fb571e3d
Thx for your help.

@nimbleapps your problem is strange. Even if peer certificates couldn't be verified, an unrelated exception from net/http code shouldn't get raised like in your case. Maybe newrelic screws something up with their hooks. To all – don't disable peer verification by doing this:

# don't do this!
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

Use the { :ssl => { :verify => false } }

@mislav Have used your option to turn off verification after pulling my hair out to get this working. Both

openssl s_client -CApath etc/ssl/certs -connect graph.facebook.com:443

and

openssl s_client -CAfile etc/ssl/certs/ca-certificates.crt -connect graph.facebook.com:443

return

Verify return code: 0 (ok)

But both (devise configuration)

config.omniauth :facebook, 'ID', 'KEY',

and

config.omniauth :facebook, 'ID', 'KEY',

return

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)

Using: devise (1.3.4), omniauth (0.2.6), faraday (0.6.1), and .crt has read rights for everybody. Killing me. Any ideas how to chase this down?

No idea where your problem lies, @fosrias, but you have perfect conditions to hunt your bug down, given a little extra time. I suggest you set up a small script that accesses Facebook directly through Faraday:

conn = Faraday.new "https://graph.facebook.com", :ssl => { ... }
conn.get "/"

If this request passes, then the problem is some extra library in your app that messes up your HTTP groove. If the request fails, on the other hand, you can dive in more easily with ruby-debug. For assistance I'm available to contact over email – I'd like to get this confusion over soon.

@mislav: the problem we had is now solved. We implemented a custom strategy, and when doing that you need to propagate the parameters provided in the initializer file: this was done with the merge below:

@mislav: I continue to have this problem in spite of following all the suggestions down to the T. So, as per the wiki, I have the following in omniauth.rb:

Rails.application.config.middleware.use OmniAuth::Builder do

I get the same error. Then I run the following, and it works using faraday. Do you think omniauth is rejecting the ssl?

@anuragphadke19: With OmniAuth, you used :ca_path. With Faraday directly you used :ca_file and it worked. So, go back to using OmniAuth and use :ca_file instead of :ca_path.

Doesn't help.

Rails.application.config.middleware.use OmniAuth::Builder do

@anuragphadke19 I saw that exact error (even with FB auth) recently using the most recent version of OmniAuth. I solved the issue by reverting to 0.2.6. Since Omniauth is moving all of the strategies (like Facebook) to other gems, I'm sticking with a slightly older version for now.

@eric-hu: I downgraded omniauth but it still doesn't help. Here are the versions for the relevant gems:
faraday - 0.6.1
The thing that's bugging me is, how come it works on my development OS X machine and doesn't work on the Production Linux box. BTW, I am using the EC2 Linux AMI as production box. Any other ideas to resolve this are most welcome at this point.

@anuragphadke19 ah ok, if it works on OS X, this isn't the same bug I was seeing. Are your certs on the EC2 Linux AMI valid? (Did you run the Faraday test code above on the EC2 AMI?) If those both check out, can you see if the code works with your application running in production mode on your OS X machine? That might help to narrow this problem down.

@eric-hu: I tried your suggestion of running my application in production mode on my OS X development machine and it works there. In fact I don't even need the omniauth.rb "fix" to make it work there. About the other 2 things that you asked: I ran the Faraday code on my production box. Any other insights?

I'm not too familiar with the EC2 linux AMIs. Can you shell into them to run IRB? If so, I would try that next and check your Faraday code. Is everything else identical between your OS X dev machine and EC2? Ruby engine,

I stumbled upon this problem for a second time now. And the solution also worked on all other apps we have, including Rails 3.x:

{ :ssl => { :verify => false } }

Thanks!

If you use Macs and Linux for development or for production you might need to dynamically determine the certificate path of the machine. I did this:

auth_config = YAML.load(File.read(Rails.root.to_s + '/config/omniauth.yml'))
# `openssl version -a` prints a line like OPENSSLDIR: "/usr/lib/ssl"; capture the path
# without its surrounding quotes, otherwise :ca_path would contain literal quote characters.
# (The hashed certs usually live in the certs/ subdirectory of OPENSSLDIR, which
# OpenSSL::X509::DEFAULT_CERT_DIR reports without shelling out.)
cert_path = `openssl version -a`.match(/OPENSSLDIR: "([^"]+)"/)[1]
config.omniauth :facebook, auth_config[Rails.env]['facebook']['app_id'], auth_config[Rails.env]['facebook']['secret'], :client_options => {:ssl => {:ca_path => cert_path}}
config.omniauth :google_oauth2, auth_config[Rails.env]['google']['app_id'], auth_config[Rails.env]['google']['secret'], :client_options => {:ssl => {:ca_path => cert_path}}

BTW, if you are having a similar issue with JRuby, download cacert.pem and put this in config/initializers:

#
# File: cacert_openssl_hack.rb
# Dir : config/initializers
#
# OpenSSL in JRuby cannot use the JVM trust anchors to get CA certificates, so I am bundling
# the CA certs in lib/ssl/certs/cacert.pem and telling OpenSSL to use it, but only if running
# as JRuby.
# The CA certs were downloaded using curl -O http://curl.haxx.se/ca/cacert.pem
#
ENV["SSL_CERT_FILE"] = Rails.root.join("lib/ssl/certs/cacert.pem").to_s if RUBY_ENGINE == "jruby"

For those arriving via Google, I had this issue in OS X with the system version of openssl:

OpenSSL 0.9.8r 8 Feb 2011

This fixed my problem without needing to specify certs. A similar solution with brew might work as well.

For those developing on OS/X, it seems the easiest solution is to disable certificate verification for OpenSSL. Just put this code in your devise initializer before the config.omniauth:

Isn't OpenSSL::SSL::VERIFY_PEER a constant? How is it possible to overwrite constants? Newbie question based on this error:

Omniauth 0.2.1 changes its dependency on the Faraday gem from 0.5.7 to 0.6.0.
This change forces https connections to check for valid certificates. In development mode, my program was previously handling Facebook authentications as expected with 0.2.0. During authentications, the console displays
I assume that by default, SSL certificate checking was disabled. With Omniauth 0.2.1/Faraday 0.6.0, SSL certificate checking seems to be enabled and I get the following error on a Facebook authentication:
This may be out of the scope of Omniauth and could be considered a Faraday issue. I just wanted to post it here since I feel it deserves at least a wiki entry. I'll post more as I search for ways to get the newest version working with SSL cert checking.
For now, reverting to Omniauth 0.2.0 works (without SSL cert checking), so I'll be using that to finish some feature development first.
In looking for a solution, I found some questions on StackOverflow that suggested monkey-patching faraday to ignore SSL certifications. I also found another solution that suggested pointing rails to CA certificates for Firefox. I was under the impression that the always_verify_ssl_certificates gem would do something similar, but it seems to require some customization to use system certificates. Sorry for the rambling post, but I just wanted to share the issue I've had and the progress I've made.