Added first rev of PEER cert resolution.

1 parent f12aa53 commit 6835f6b757da08e0093fb891eee28ea1d60cea0e Jonathan Siegel committed Nov 2, 2011
Showing with 3,416 additions and 1 deletion.
  1. +6 −1 lib/airbrake/sender.rb
  2. +34 −0 resources/README.md
  3. +3,376 −0 resources/ca-bundle.crt
@@ -34,7 +34,12 @@ def send_to_airbrake(data)
if secure
http.use_ssl = true
- http.ca_file = OpenSSL::X509::DEFAULT_CERT_FILE if File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE)
+ if File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE)
+ http.ca_file = OpenSSL::X509::DEFAULT_CERT_FILE
+ else
+ # ca-bundle.crt built from source, see resources/README.md
+ http.ca_file = File.expand_path(File.join("..", "..", "..", "resources", "ca-bundle.crt"), __FILE__)
+ end
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
else
http.use_ssl = false
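Review bot: the new `else` branch that sets `http.ca_file` to the bundled `resources/ca-bundle.crt` is reached only when `OpenSSL::X509::DEFAULT_CERT_FILE` does not exist, so a host whose default file exists but is stale (the case resources/README.md gives as the motivation) still verifies against the stale file and never falls back to the bundle. Consider letting the caller configure the CA file, or building a cert store that loads both the system defaults and the bundled file. The bundled path is also assigned without a `File.exist?` check, unlike the default path, so if `resources/` is not shipped with the gem the problem surfaces only as a verification failure at send time; a guard with a clear error message would make that diagnosable.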
@@ -0,0 +1,34 @@
+Airbrake Resources
+==================
+
+Airbrake has an SSL mode available to paying plans. SSL Certificate Authority (CA) certificates are not kept current by default on many environments. When CA certs are stale, Airbrake cannot verify Airbrake's production SSL cert and error reports fail. To avoid this, we now package local CA certs. The production of these certs is detailed here.
+
+Building ca-bundle.crt
+----------------------
+
+From https://gist.github.com/996292.
+
+If you want to use curl or net-http/open-uri to access https resources, you will often (always?) get an error, because they don't have the large number of root certificates installed that web browsers have.
+
+You can manually install the root certs, but first you have to get them from somewhere. [This article](http://notetoself.vrensk.com/2008/09/verified-https-in-ruby/) gives a nice description of how to do that. The [source of the cert files](http://curl.haxx.se/ca/cacert.pem) it points to is hosted by the curl project, who kindly provide it in the .pem format.
+
+**problem:** Sadly, ironically, and comically, it's not possible to access that file via https! Luckily, the awesome curl project does provide us with the script that they use to produce the file, so we can do it securely ourselves. Here's how.
+
+1. `git clone https://github.com/bagder/curl.git`
+2. `cd curl/lib`
+3. edit `mk-ca-bundle.pl` and change:
+
+ ```perl
+ my $url = 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1';
+ ```
+
+ to
+
+ ```perl
+ my $url = 'https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1';
+ ```
+
+ (change `http` to `https`)
+4. `./mk-ca-bundle.pl`
+
+Ta da!
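Review bot: the build steps 1 to 4 record neither the curl revision cloned nor the date or revision of the `certdata.txt` that produced the committed `ca-bundle.crt`, so the bundle cannot be reproduced or audited later, and nothing says when it should be regenerated; a packaged CA file goes stale the same way the system ones described in the first paragraph do. Please add the source revision and generation date, plus a note on the refresh process. Step 3 switches the URL to `https`, but the README does not say how that download is itself verified, which is the bootstrap problem the "problem" paragraph raises. Minor wording: "Airbrake cannot verify Airbrake's production SSL cert" reads as though the service verifies itself; naming the notifier as the verifying side would be clearer.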