Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL_CACERT Error: Peer certificate cannot be authenticated with known CA certificates #155

Open
saravanabalagi opened this issue Feb 23, 2019 · 1 comment
Open

SSL_CACERT Error: Peer certificate cannot be authenticated with known CA certificates #155

saravanabalagi opened this issue Feb 23, 2019 · 1 comment

Comments

@saravanabalagi
Copy link

ssl_cacert error

I get ssl_cacert error -> Peer certificate cannot be authenticated with known CA certificates

Started GET "/" for 127.0.0.1 at 2019-02-23 17:42:55 +0000
Processing by HelloController#index as HTML
ETHON: Libcurl initialized
ETHON: performed EASY effective_url=https://www.linkedin.com/ response_code=301 return_code=ssl_cacert total_time=0.123962
  Rendering hello/index.html.erb within layouts/application
  Rendered hello/index.html.erb within layouts/application (1.8ms)
Completed 200 OK in 406ms (Views: 273.2ms | ActiveRecord: 0.0ms)

Steps to Reproduce

Ruby: 2.6.0
Rails: 5.2.2
Windows 10 [Version 10.0.17134.590]

  • Freshly installed Ruby on Rails from railsinstaller.org
  • Created a fresh app using rails new myapp
  • Created a hello controller using rails g controller hello and added content
class HelloController < ApplicationController
	def index
		@easy = Ethon::Easy.new(url: "www.linkedin.com", followlocation: true)
		@easy.perform
		@response = @easy

		# conn = Faraday.new(:url => 'https://www.linkedin.com')
		# @response = conn.get '/'  
		@something = 'somethinghere'
	end
end
  • Manually created a index.html.erb file in views with content
<h1>Hello, Rails!</h1>
<div> <%= raw(@response.response_body) %> </div>

What I also tried

Tried the same with Faraday and did not get any errors: See the commented code in the controller. I had to change @response.response_body to @response.body in the views. Linkedin page was rendered.

But with ethon, I get ssl_cacert.
@diachedelic
Copy link

diachedelic commented Aug 29, 2020
edited
Loading

Problem

Running the command pod install started failing a couple of days ago, seemingly for no reason, with the error mentioned in the issue title. cocoapods uses typhoeus under the hood, and I was able to reproduce the error using ethon.

Reproduction

require 'net/http'
require 'pp'
require 'ethon'

file_remote_url = "https://wtfismyip.com/text"

puts "trying with net/http:"
puts Net::HTTP.get(URI(file_remote_url))

puts "trying with Ethon:"
easy = Ethon::Easy.new(url: file_remote_url)
if easy.perform == :ok
  puts easy.response_body
else
  pp easy
end

Output

trying with net/http:
118.127.60.51
trying with Ethon:
#<Ethon::Easy:0x00007fad891c6e28
 @body_write_callback=
  #<Proc:0x00007fad891c69c8 /usr/local/lib/ruby/gems/2.7.0/gems/ethon-0.12.0/lib/ethon/easy/callbacks.rb:38>,
 @debug_callback=
  #<Proc:0x00007fad891c6810 /usr/local/lib/ruby/gems/2.7.0/gems/ethon-0.12.0/lib/ethon/easy/callbacks.rb:67>,
 @debug_info=#<Ethon::Easy::DebugInfo:0x00007fad891c6770 @messages=[]>,
 @handle=#<FFI::AutoPointer address=0x00007fad88fef000>,
 @header_write_callback=
  #<Proc:0x00007fad891c68b0 /usr/local/lib/ruby/gems/2.7.0/gems/ethon-0.12.0/lib/ethon/easy/callbacks.rb:53>,
 @headers_called=false,
 @response_body="",
 @response_headers="",
 @return_code=:ssl_cacert,
 @url="https://wtfismyip.com/text">

Versions

$ sw_vers -productVersion
10.15.6 # macOS

$ ruby -v
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-darwin19]

$ gem -v
3.1.4

$ gem list --local ethon

*** LOCAL GEMS ***

ethon (0.12.0)

$ ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
OpenSSL 1.1.1f  31 Mar 2020

Investigation

It appears that ethon loads an older version of openssl than net/http does, as evidenced by file accesses obtained by running dtrace:

# net/http
/usr/local/opt/[email protected]/lib/libssl.1.1.dylib
/usr/local/opt/[email protected]/lib/libcrypto.1.1.dylib
/usr/local/etc/[email protected]/openssl.cnf
/usr/local/etc/[email protected]/cert.pem

# ethon
/opt/local/lib/libssl.1.0.0.dylib
/opt/local/lib/libcrypto.1.0.0.dylib
/opt/local/etc/openssl/openssl.cnf
/usr/local/lib/libcurl.dylib
/opt/local/lib/libffi.6.dylib
/opt/local/lib/libidn.11.dylib
/opt/local/lib/libz.1.dylib
/opt/local/lib/libintl.8.dylib
/opt/local/lib/libiconv.2.dylib

Notably, using ethon does not cause a .pem file to be read.

Solution

It seems ethon was using a version of libcurl.dylib I had installed, last updated in 2014! I was able to force ethon to load the latest version of libcurl by removing my old version like so:

sudo rm /usr/local/lib/libcurl*
brew install curl

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@diachedelic @saravanabalagi