"SSL handshake failed" error after setting https_proxy variable in terminal for CLI usage

[djpowers]

Proxyman version? (Ex. Proxyman 1.4.3)

2.11.1

macOS Version? (Ex. mac 10.14)

10.15.7

Steps to reproduce

1. In a terminal window, run: export https_proxy=http://127.0.0.1:9090 (approach copied from this comment, fixing presumed typo in IP address)
2. Open a new Rails console and make an API call resulting in an HTTPS request.
3. Response says "Enable SSL Proxying to see this content" (with "Enabled" button indicating certificate is installed and trusted), so then click "Enable all domains from 'rails_console'."
4. Run same request from previous step.

Proxyman shows:

handshakeFailed(NIOSSL.BoringSSLError.sslError([Error: 268436504 error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA]))

And directed me to the SSL Error from HTTPS Request/Response troubleshooting page. (I am able to successfully see HTTPS responses when visiting https://google.com.)

Rails console shows:

Faraday::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
from ~/.rbenv/versions/2.3.0/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock'
Caused by OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
from ~/.rbenv/versions/2.3.0/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock'

Expected behavior

Request is shown in Proxyman with response viewable.

This might be outside the scope of Proxyman, but it seems that Ruby is not detecting the certificate for some reason.

Any help you're able to provide is appreciated.

[NghiaTranUIT]

If you're able to see HTTPS response from https://google.com, it means the problem comes from your Rail App.

Some libraries need a config to tell Rail app trusts Proxyman self-signed certificate since they're not using Apple Keychain's Trust Store.

For example, Java Virtual Machine doesn't use KeyChain, so I have to manually install it.

For Ruby and Rails, let me google it 😄

[NghiaTranUIT]

I found some tutorials:

• https://stackoverflow.com/a/1113614/3127477
• Use rails s -b 'ssl://127.0.0.1:3000?key=config/ssl/localhost.ross.key&cert=config/ssl/localhost.ross.crt' (https://rossta.net/blog/local-ssl-for-rails-5.html#trust-the-certificate)
• https://medium.com/@matayoshi.mariano/how-to-add-ssl-to-your-localhost-with-puma-37a66a649f29

Basically, I googled how to use self-signed certificate or disable SSL Verification from Rail app.

Please let me know if it works.

[djpowers]

Thank you so much for the prompt reply and investigation!

The answer in the first option worked for me (adding OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE to a file in config/initializers, along with setting https_proxy in the terminal).

The others options appear to be intended for when running the Rails server, but the Rails console does not accept the --binding=IP flag so I'm not sure if they would be the best solution for that use case.

[NghiaTranUIT]

Glad to know that it works for you 👍 I will update the Troubleshooting to let other users know how to fix 😄

[djpowers]

Also I'm not sure how it works under the hood, but I noticed that HTTP Toolkit has a clever way of Intercepting HTTP from Node.js and other command line tools by setting environmental variables & overrides. It would be great if Proxyman could implement something similar to avoid the need for changes to the code.

Either way, thanks again for the help! Feel free to close out this issue if that makes sense to you.

[NghiaTranUIT]

Thanks for the hint. I will check out to see how this tool can do it automatically 👍

[djpowers]

Closing this out to help clean up the open issues.

In case someone (or future me) stumbles upon this, the initializer step is no longer necessary. See the Ruby docs page for the current solution (the provided environment variable can be set from within the Rails console).