Setting up SSL certificates
## Background and Setup
Faraday requires a little extra configuration for users who want to use SSL/HTTPS. Typically any login, authentication, or payment processing will use HTTPS. Most systems will already have a Certificate Authority (CA) certificate bundle available. Before performing SSL transactions, Faraday needs to know where the system's CA certificates are located. If Faraday is used only for HTTP, no SSL setup is necessary. Otherwise, follow the steps below to set up the proper CA paths.
### Ubuntu
To locate your SSL certificate folder, type `openssl version -a`. You should see a response similar to:

```
OpenSSL 0.9.8o 01 Jun 2010
built on: Thu Feb 10 01:47:31 UTC 2011
platform: debian-amd64
options: bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int) blowfish(ptr2)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
OPENSSLDIR: "/usr/lib/ssl"
```

Append `/certs` to the OPENSSLDIR listed; here it would be `/usr/lib/ssl/certs`.
With this certs directory known, change your Faraday initializer to include this path as the `ca_path` variable.

```ruby
connection = Faraday::Connection.new 'https://encrypted.google.com', :ssl => {
  :ca_path => "/usr/lib/ssl/certs"
}
```

HTTP requests using this object will now use that path for SSL certificates:

```ruby
connection.get '/search?q=asdf' # returns successful result
```
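The `ca_path` lookup has a detail worth checking before you blame Faraday: OpenSSL does not read every file in the directory, it looks for files (or symlinks) named after the CA's subject hash, the layout `c_rehash` produces. The script below is an added example, not code from the Faraday project; it uses only Ruby's standard `openssl` library, builds a constructed throwaway CA and leaf certificate in memory, and shows the same verification Faraday's `:ssl` options drive: an empty directory fails, a CA saved under an arbitrary name fails, and a hash-named file succeeds. The helper names (`make_cert`, `verify_against_ca_path`, `verify_ca_path_demo`) are this example's own.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed test data: a throwaway CA and a leaf certificate it signs,
# generated in memory. Nothing here touches a real CA or the network.
def make_cert(subject, key, serial:, ca: false, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  # OpenSSL only accepts an issuer as a CA if basicConstraints says CA:TRUE
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The same lookup Faraday's :ca_path option drives: OpenSSL scans the
# directory for files named <subject_hash>.N, exactly like a system certs folder.
def verify_against_ca_path(leaf, ca_path)
  store = OpenSSL::X509::Store.new
  store.add_path(ca_path)
  ok = store.verify(leaf)
  [ok, ok ? 'ok' : store.error_string]
end

# Runs three scenarios and returns { name => [verified?, reason] }.
def verify_ca_path_demo
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  ca       = make_cert('/CN=Constructed Test CA', ca_key, serial: 1, ca: true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf     = make_cert('/CN=www.example.test', leaf_key, serial: 2,
                       issuer_cert: ca, issuer_key: ca_key)
  results = {}
  Dir.mktmpdir do |dir|
    # 1. Empty directory: what a wrong ca_path looks like to OpenSSL
    results[:empty_dir] = verify_against_ca_path(leaf, dir)
    # 2. CA present but under an arbitrary name: still not found, because
    #    the directory lookup goes by subject hash, not by reading every file
    File.write(File.join(dir, 'ca.pem'), ca.to_pem)
    results[:unhashed_name] = verify_against_ca_path(leaf, dir)
    # 3. CA stored as <subject_hash>.0, the layout c_rehash produces
    File.write(File.join(dir, format('%08x.0', ca.subject.hash)), ca.to_pem)
    results[:hashed_name] = verify_against_ca_path(leaf, dir)
  end
  results
end

if $PROGRAM_NAME == __FILE__
  verify_ca_path_demo.each { |name, (ok, msg)| puts "#{name}: #{ok} (#{msg})" }
end
```

If a real certs directory holds only `.pem` files that `c_rehash` has never been run on, `ca_path` fails the way case 2 does, and the `ca_file` option pointing at a single bundle file is the right fix. The first two cases also reproduce the `certificate verify failed` error described further down, with `store.error_string` giving OpenSSL's reason.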
If this solution isn't working, you can download a local copy of the official Mozilla certificate from http://www.cacert.org/index.php?id=3 and point `ca_file` at that certificate file instead:

```ruby
connection = Faraday::Connection.new 'https://encrypted.google.com', :ssl => {
  :ca_file => "PATH_TO_YOUR_LOCAL_CERTIFICATE_COPY"
}
```
Users who don't set up the CA path, or set it up incorrectly, will see the following error when performing HTTPS transactions:

```
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
```
This error can have 2 causes:

- You do not have the proper SSL certificates on your system. This would be the case if no browser or other system application can view SSL sites. To test, open up https://encrypted.google.com/ in a browser. If it loads, your system has SSL certificates available. If not, you may be missing SSL certificates. This seems unlikely, as most modern browsers install SSL certificates automatically. However, if this is the case, you may download an SSL certificate bundle from GoDaddy, which is a certificate authority. The specific file you will need depends on your web server.
- OpenSSL is unaware of where the SSL certificates are located on your system. See the background section above for information on setting up your Certificate Authority (CA) path.
## Solutions to avoid

Some online posts suggest disabling SSL verification with a command similar to the following:

```ruby
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
```

This will eliminate the `certificate verify failed` error. However, it is strongly discouraged in production code, as you're weakening the encryption process by using unchecked security certificates. This will open up your site to multiple types of cryptographic attacks.