SSL

I currently am getting this, new as of sometime this morning maybe.

% echo yep | gist -
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: 
certificate verify failed
Usage: gist [options] [filename or stdin] [filename] ...
...etc

When I comment out lib/gist.rb line 388

# http.ca_file = ca_cert

...it works.

I'm not so great with SSL stuff, so I don't if this is on my end or what. I
don't see anyone else complaining about it, so it makes me suspect my end...
but if I could get some pointers on how to fix it.

Thanks!

-rking

[pfactum]

++ to this question.

[icio]

+1 I'm experiencing this too

[solsticedhiver]

same problem here

[ronin13]

The workaround fixes it, thanks; but commenting out ca_cert is not a long term solution.

Interesting.

If you do something like:

cd $GISTGEMDIR/
mv lib/gist/cacert.pem oldcert.pem
curl http://curl.haxx.se/ca/cacert.pem > lib/gist/cacert.pem

(Then re-enable the disabled http.ca_file = ca_cert line from my first post,
if you did that.)

...it works.

I still don't fully understand what all is going on, though.
-rking

[solsticedhiver]

the cacert file is used to verify the peer on SSL connect, I think (not sure)
So without, it still uses a SSL connexion. It just that we don't verify that we talk to the real api.github.com

No ?

solstice -

That sounds about right to me.

The cacert.pem from curl.haxx.se should fix the issue, no?

P.S.: I got that URL from Googling github cacert.pem and visiting: https://gist.github.com/867550

-rking

[solsticedhiver]

it's not working here with the cacert.pem from curl.haxx.se ?!

[ronin13]

The one from curl.haxx.se is a generic one,

to obtain the github one do

openssl s_client -showcerts -connect api.github.com:443

which prints the entire certificate chain to stdout,

however, this will still fail because verification fails

openssl s_client -showcerts -connect api.github.com:443 -issuer_checks (you can also run other checks)

By the way - if you go to https://gist.github.com and look at the details of the cert, it has a Validity > "Not Before" of 4/29/2012. So my guess is they got a new cert and pushed it out a couple of days ago when we started seeing the errors.

ronin - I couldn't /quite/ git this same information from the openssl CLI. That first line sits there waiting for an HTTP request, in fact. Is there a handy way to say, "Get me this host:port's .pem file" ?

Thanks! (Learning stuff / having fun).
-rking

Actually, following the curl command above to get the pem, when I try to run gist I get this now:

∴ gist app/models/user.rb
Creating gist failed: 422 Unprocessable Entity

The 422 (Unprocessable Entity) status code means the server understands the content type of the request entity (hence a 415(Unsupported Media Type) status code is inappropriate), and the syntax of the request entity is correct (thus a 400 (Bad Request) status code is inappropriate) but was unable to process the contained instructions. For example, this error condition may occur if an XML request body contains well-formed (i.e., syntactically correct), but semantically erroneous, XML instructions.

[stanigator]

I'm experiencing this as well.

[johnmaguire]

Add me to the list of people experiencing this issue, Debian wheezy, gist 3.1.0, ruby 1.9.3p194.

I also tried the curl.haxx.se certificate, and began getting the 422 Unprocessable Entity error as well.

This is one of my favorite scripts. :(

Starting to think we, the community, might have to adopt this script and fix it ourselves. No response for quite some time from defunkt, though that's easily attributable to working his ass off :-)

[stanigator]

@deryldoucette How do you propose us to do that? I'm not sure how I can do that as a Ruby newbie...