SSL #98

Closed
sharpsaw opened this Issue May 8, 2012 · 23 comments
@sharpsaw
sharpsaw commented May 8, 2012

I currently am getting this, new as of sometime this morning maybe.

% echo yep | gist -
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: 
certificate verify failed
Usage: gist [options] [filename or stdin] [filename] ...
...etc

When I comment out lib/gist.rb line 388

# http.ca_file = ca_cert

...it works.

I'm not so great with SSL stuff, so I don't know if this is on my end or what. I
don't see anyone else complaining about it, so it makes me suspect my end...
but if I could get some pointers on how to fix it.

Thanks!

-rking

@pfactum
pfactum commented May 8, 2012

++ to this question.

@icio
icio commented May 8, 2012

+1 I'm experiencing this too

@solsticedhiver

same problem here

@ronin13
ronin13 commented May 9, 2012

The workaround fixes it, thanks; but commenting out ca_cert is not a long term solution.

@sharpsaw
sharpsaw commented May 9, 2012

Interesting.

If you do something like:

cd $GISTGEMDIR/
mv lib/gist/cacert.pem oldcert.pem
curl http://curl.haxx.se/ca/cacert.pem > lib/gist/cacert.pem

(Then re-enable the disabled http.ca_file = ca_cert line from my first post,
if you did that.)

...it works.

I still don't fully understand what all is going on, though.
-rking

@solsticedhiver

The cacert file is used to verify the peer on SSL connect, I think (not sure).
So without it, it still uses an SSL connection. It's just that we don't verify that we talk to the real api.github.com

No ?

@sharpsaw
sharpsaw commented May 9, 2012

solstice -

That sounds about right to me.

The cacert.pem from curl.haxx.se should fix the issue, no?

P.S.: I got that URL from Googling github cacert.pem and visiting: https://gist.github.com/867550

-rking

@solsticedhiver

it's not working here with the cacert.pem from curl.haxx.se ?!

@ronin13
ronin13 commented May 9, 2012

The one from curl.haxx.se is a generic one,

to obtain the github one do

openssl s_client -showcerts -connect api.github.com:443

which prints the entire certificate chain to stdout,

however, this will still fail because verification fails

openssl s_client -showcerts -connect api.github.com:443 -issuer_checks (you can also run other checks)

@sharpsaw
sharpsaw commented May 9, 2012

By the way - if you go to https://gist.github.com and look at the details of the cert, it has a Validity > "Not Before" of 4/29/2012. So my guess is they got a new cert and pushed it out a couple of days ago when we started seeing the errors.

ronin - I couldn't /quite/ git this same information from the openssl CLI. That first line sits there waiting for an HTTP request, in fact. Is there a handy way to say, "Get me this host:port's .pem file" ?

Thanks! (Learning stuff / having fun).
-rking
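
The situation guessed at in the comment above (a server certificate replaced while the client keeps verifying against an older bundled `cacert.pem`) can be reproduced offline. This Ruby sketch is an added example, not part of the thread or of gist's code; the two roots, the `api.example.test` name and all helper names are constructed for illustration, and the thread does not confirm this as the actual cause.

```ruby
require "openssl"
require "tempfile"

# Build a certificate for a constructed test PKI (all names are made up).
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Verify `leaf` against a PEM bundle on disk, the way a ca_file is consulted.
def trusted_by_bundle?(leaf, ca_certs)
  Tempfile.create("cacert") do |f|
    f.write(ca_certs.map(&:to_pem).join)
    f.flush
    store = OpenSSL::X509::Store.new
    store.add_file(f.path)
    store.verify(leaf)
  end
end

def rotation_demo
  old_key, new_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  old_ca = make_cert("/CN=Old Example Root", old_key, ca: true)
  new_ca = make_cert("/CN=New Example Root", new_key, ca: true)
  # The server's replacement certificate is issued by the new root.
  leaf = make_cert("/CN=api.example.test", leaf_key, issuer: new_ca, issuer_key: new_key)
  {
    stale_bundle:     trusted_by_bundle?(leaf, [old_ca]),         # file predates the new root
    refreshed_bundle: trusted_by_bundle?(leaf, [old_ca, new_ca]), # file updated to include it
  }
end

puts rotation_demo.inspect if __FILE__ == $PROGRAM_NAME
```

The stale bundle rejects the new certificate while the refreshed one accepts it, and in both cases verification stays switched on.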

@ddd
ddd commented May 12, 2012

Actually, following the curl command above to get the pem, when I try to run gist I get this now:

∴ gist app/models/user.rb
Creating gist failed: 422 Unprocessable Entity

The 422 (Unprocessable Entity) status code means the server understands the content type of the request entity (hence a 415 (Unsupported Media Type) status code is inappropriate), and the syntax of the request entity is correct (thus a 400 (Bad Request) status code is inappropriate) but was unable to process the contained instructions. For example, this error condition may occur if an XML request body contains well-formed (i.e., syntactically correct), but semantically erroneous, XML instructions.

@stanigator

I'm experiencing this as well.

@JohnMaguire

Add me to the list of people experiencing this issue, Debian wheezy, gist 3.1.0, ruby 1.9.3p194.

I also tried the curl.haxx.se certificate, and began getting the 422 Unprocessable Entity error as well.

This is one of my favorite scripts. :(

@ddd
ddd commented May 24, 2012
@stanigator

@deryldoucette How do you propose we do that? I'm not sure how I can do that as a Ruby newbie...

@ddd
ddd commented Jun 21, 2012

I'm not the greatest either. Maybe we turn it into something like a code walkthrough and we all learn how it's done. We would need to read the 3rd version of Github's API and read the Gist related portions and this gem's code. Walk through and learn. Only thing I can suggest.

@isomorphisms

@sharpsaw s/line 338/line 138/

@ConradIrwin
Collaborator

I've uploaded the jist gem https://github.com/ConradIrwin/jist; that works as a replacement for gist until defunkt has time. Please let me know if it works for you!

@tekknolagi

@ConradIrwin, fabulous job! Love jist

@rking
rking commented Aug 3, 2012

Seriously.

Want gist support? ⇒ Fork it and do your own patches, I guess.

Want jist support? ⇒ cirwin's on it.

@ddd
ddd commented Aug 4, 2012

@rking err? I think we already covered that

@indirect
Collaborator
indirect commented Nov 4, 2012

I'm on it... should have this fixed shortly.

@indirect
Collaborator
indirect commented Nov 4, 2012

Fixed by 3aacc1f. I'll have a release out as soon as I see if there are any other blockers.

@ConradIrwin ConradIrwin added a commit that closed this issue May 3, 2013
@ConradIrwin ConradIrwin Merge jist with gist!
After some time as a fork, and a lot of vetting from users, we have
decided to merge the projects together.

The key change is to use OAuth tokens for authentication instead of
requiring you to hard-code your password. Please use `gist --login`
to exchange your username and password for a token.

Close #137  Gist API now requires user-agent be set, and some versions of Net::HTTP don't 3 ↑
Close #136  SSL error (w/ Homebrew & Ruby 2.0.0-p0 from rbenv)
Close #135  Moved authentication over to OAuth tokens. 1 ↑
Close #134  Trying to use gist inside a directory with dashes in the name on a file inside a subdirectory of that results in 422 errors.... 3
Close #133  SSL cert cached in /tmp
Close #132  --open doesn't works
Close #131  Replace slashes with dashes to avoid 422 errors ↑
Close #130  FEATURE: Multiple API Providers 2 ↑
Close #125  Preventing gist from throwing errors when xclip is installed but X11 isn't present (forwarding or otherwise) ↑
Close #120  Add link shortening with --shorten / -s option ↑
Close #118  Use tokens instead of username / password 4
Close #117  Integrate with git.io
Close #116  man page typos & feature request
Close #115  Creating gist failed: 500 Internal Server Error 1
Close #112  Refactor reading from stdin so --type option works 3 ↑
Close #111  Allow gist to work against different githubs 2 ↑
Close #109  fix error on windows. ↑
Close #108  set Content-Type. 5 ↑
Close #107  Add update support. 1 ↑
Close #106  Add anonymous gisting. 1 ↑
Close #103  fix some bugs.  make gist rock in vim/editor via "highlight lines - :!gist" ↑
Close #98  SSL... 23
Close #96  Creating gist failed: 422 Unprocessable Entity 2
Close #95  Fixes the extension issue for -t syntax highlighting, and the filename for stdin 5 ↑
Close #94  show JSON response when create fails ↑
Close #93  use file basename by default 4 ↑
Close #91  Support using an oauth token rather than a username+password 7 ↑
Close #90  3.1.0 fails to authenticate 3
Close #88  Current (3.1.0) no longer respects -t flag 3
Close #85  Copy to clipboard in Windows ↑
Close #84  use oauth now that there are no tokens 14
Close #78  Strip directory from arguments 2
Close #76  Some README.markdown nitpicks...
Close #75  Does not open in browser by default — documentation disagrees 3
Close #74  Set description from CLI (for issue #73) 1 ↑
Close #73  Should be able to set gist description from commandline 1
Close #69  Failed gist creation should raise instead of puts and exit.
Close #67  Use the github api and allow gist url override. 1 ↑
Close #65  Handle lowercased versions of HTTP_PROXY and HTTPS_PROXY. 1 ↑
Close #64  When generating the man page (-m/--man), skip the usage instructions ↑
Close #61  Instructions for setting github.token to a command don't work for me 1
Close #58  support for anonymous gists
Close #53  Add support for GitHub:FI 4
Close #25  Support for updating gists [feature] 1
a05092f