13

I'm having a terrible time getting SSL to verify a certificate. I'm completely ignorant on how certificates work so that's a major handicap to begin with. Here's the error I get when running the script:

c:/Ruby191/lib/ruby/1.9.1/net/http.rb:611:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

Here's the relevant code:

client = Savon::Client.new order_svc

request = client.create_empty_cart { |soap, http|
  http.auth.ssl.cert_file = 'mycert.crt'
  http.auth.ssl.verify_mode = :none
  http.read_timeout = 90
  http.open_timeout = 90
  http.headers = { "Content-Length" => "0", "Connection" => "Keep-Alive" }
  soap.namespaces["xmlns:open"] = "http://schemas.datacontract.org/2004/07/Namespace"
  soap.body = {
    "wsdl:brand" => brand,
    "wsdl:parnter" => [
      { "open:catalogName" => catalogName, "open:partnerId" => partnerId }
    ]
  }.to_soap_xml
}

Any help is appreciated.

jww
r3nrut
  • I updated Savon to the latest beta 0.8.0.beta4 and HTTPClient to 2.1.5. The error message changed up a bit but still getting the same error. D, [2010-12-01T09:53:58.500216 #3116] DEBUG -- : Retrieving WSDL from: https://testsite/MyService.svc?wsdl at depth 0 - 20: unable to get local issuer certificate c:/Ruby191/lib/ruby/gems/1.9.1/gems/httpclient-2.1.5.2/lib/httpclient/session.rb:247:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError) – r3nrut Dec 01 '10 at 16:00
  • Take a look at my answer here: http://stackoverflow.com/a/16983443/11792 – Pavel Nikolov Jun 07 '13 at 12:03
  • 1
    ***Bad idea***: *`http.auth.ssl.verify_mode = :none`*. If the assets did not need to be protected, then the server would not use HTTPS and SSL/TLS. – jww May 14 '15 at 22:07

4 Answers

5

Check your cert.pem and your key.pem.

The cert key should have one:

-----BEGIN CERTIFICATE-----
MIIFGDCCBACgAwIBAgIKG1DIagAAAAAAAzANBgkqhkiG9w0BAQsFADCBvDEkMCIG
....
-----END CERTIFICATE-----

Your key.pem should have:

-----BEGIN PRIVATE KEY-----
CSqGSIb3DQEJARYVY2Fjb250YWN0QGVzY3JlZW4uY29tMQswCQYDVQQGEwJVUzEP
....
-----END PRIVATE KEY-----

and it may have some certs in it, but that doesn't matter for this case. (Although it does for me, as curl doesn't work without the extra certs.) The web service I am talking to has a good root CA, but the client auth keys are not trusted, so this is probably why the extra certs make curl work.

Getting those out of your client certificate was what caused me the problems.

Here is what worked for me.

openssl pkcs12 -in Client.pfx -clcerts -nokeys -out cert.pem
openssl pkcs12 -in Client.pfx -nodes -out key.pem

Each will prompt you for the import password, and you can set a PEM password if you want. (You would have to set that in the Ruby code later.)

require 'savon'
client = Savon::Client.new "https://service/Service.asmx?wsdl"
client.http.auth.ssl.cert_key_file = "key.pem"
client.http.auth.ssl.cert_file = "cert.pem"
client.http.auth.ssl.verify_mode = :peer

p client.wsdl.soap_actions

You can also test with curl:

curl -v -E key.pem "https://services/Service.asmx?wsdl"
Pete Brumm
  • This solution would work fine but at the time I was looking for an answer to address a self signed certificate where I just needed to ignore it. Thanks! – r3nrut Mar 30 '12 at 17:43
  • 1
    ***Plus One*** - you did not tell the OP to turn off certificate verification. – jww May 14 '15 at 22:06
1

You need to provide the private key file that goes along with your certificate.

http.auth.ssl.cert_key_file = "mycert.pem"

If your private key file is encrypted, you'll need to supply the password too:

http.auth.ssl.cert_key_password = "foobar"
caf
1

Putting the http.auth.ssl.verify_mode = :none inside the client.request block does not work for me.

I had to use:

client = Savon::Client.new do |wsdl, http|
  http.auth.ssl.verify_mode = :none
  wsdl.document = "YOUR_WSDL_URL_HERE" # replace with your WSDL URL
end

Using Savon 0.9.9 and Ruby 1.9.3-p125

tvdeyen
  • This worked for me with Ruby 1.9.2-p320 and savon 1.2.0. I only began to experience this problem when I updated savon from < 1.0 to 1.2.0. – dcashman Nov 26 '12 at 17:02
  • Use ssl_verify_mode: :none -- for example... client = Savon.client(wsdl: 'https://your_url?wsdl', ssl_verify_mode: :none ) – genegc May 14 '15 at 19:45
  • 1
    Let me repeat BJ Clarke and others: Please don't do this. If the assets did not need to be protected, then the servers would not use HTTPS and SSL/TLS. – jww May 14 '15 at 22:05
0

Note: I was working with test automation in lower level environments that did not have properly signed certificates and would often throw errors due to domain signatures not matching. For the problem at hand, bypassing signatures was a plausible solution but it is not a solution to be used for production level development.

My problem is that I am trying to validate a self-signed certificate. All I had to do was put the following code and omit anything to do with validating certificates.

I had to do this for both my SOAP and REST calls that were both experiencing the same issue.

SOAP using Savon

client = Savon::Client.new order_svc

request = client.create_empty_cart { |soap, http|
  http.auth.ssl.verify_mode = :none
  http.headers = { "Content-Length" => "0", "Connection" => "Keep-Alive" }
  soap.namespaces["xmlns:open"] = "http://schemas.datacontract.org/2004/07/Namespace"
  soap.body = {
    "wsdl:brand" => brand,
    "wsdl:parnter" => [
      { "open:catalogName" => catalogName, "open:partnerId" => partnerId }
    ]
  }.to_soap_xml
}

REST using HTTPClient

client = HTTPClient.new
client.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
resp = client.get(Methods)
r3nrut
  • 5
    Don't do this!!!! Don't skip certificate verification especially in production. Take a look at my answer here http://stackoverflow.com/a/16983443/11792 – Pavel Nikolov Jun 07 '13 at 12:04
  • 1
    Please don't do this. – BJ Clark Jan 18 '14 at 00:48
  • 1
    To be clear, I was using this for a test automation framework where the target environment was anything from pre-production and below and using self-signed certs. I wouldn't practice skipping certificate verification in production. Thanks for the warning though. – r3nrut May 09 '17 at 22:11
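
Several comments on this page object to `verify_mode = :none`; for a test environment with self-signed or privately issued certificates, the alternative is to hand the client that certificate (or its CA) as a trust anchor and keep verification on. The following is an added example, not code from any poster here: it builds a constructed CA and a server certificate for `testsite` in memory and runs the same chain check that `:peer` performs, showing the "unable to get local issuer certificate" failure turn into a pass once the CA is trusted. The helper names `issue_cert`, `check` and `demo` are illustrative, and hostname matching is not covered.

```ruby
require 'openssl'

# Issue a certificate for `cn`. Pass issuer/issuer_key to sign with a CA;
# omit them to self-sign. All names and keys are constructed for this demo.
def issue_cert(cn, key, serial, issuer: nil, issuer_key: key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Verify `cert` against a store that trusts only the certificates in `trusted`.
# This is the chain-building step behind "certificate verify failed".
def check(cert, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |t| store.add_cert(t) }
  ok = store.verify(cert)
  { ok: ok, code: store.error, message: store.error_string }
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue_cert('Constructed Test CA', ca_key, 1, ca: true)
  server = issue_cert('testsite', OpenSSL::PKey::RSA.new(2048), 2,
                      issuer: ca, issuer_key: ca_key)
  {
    ca_signed_unknown_issuer: check(server, []),   # client has no CA file
    ca_signed_ca_trusted:     check(server, [ca]), # CA added as trust anchor
    self_signed_untrusted:    check(ca, []),       # self-signed, not trusted
    self_signed_pinned:       check(ca, [ca])      # self-signed cert trusted directly
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, r| puts format('%-26s ok=%-5s %s', name, r[:ok], r[:message]) }
end
```

In the clients used on this page the same trust anchor is supplied as a CA file, via `http.auth.ssl.ca_cert_file` in Savon's HTTPI-based configuration or `client.ssl_config.add_trust_ca` in HTTPClient, with `verify_mode` left at `:peer`.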