SSL issues #13

Closed
hbokh opened this Issue Jan 3, 2011 · 7 comments

hbokh commented Jan 3, 2011

Keep on seeing "certificate verify failed" issues when using Excon in different gems (backup and chef / knife) that try to set up a connection to EC2/AWS.
Might be a duplicate of issue 12.

Platform: FreeBSD 8.1-RELEASE, ruby 1.8.7 (2010-08-16 patchlevel 302) [i386-freebsd8]

Is this an error or the result of an installation issue? E.g. does the AWS certificate have to be "installed" or saved somewhere first?

$ knife ec2 server list
/usr/local/lib/ruby/gems/1.8/gems/excon-0.3.6/lib/excon/connection.rb:171:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (Excon::Errors::SocketError)
    from /usr/local/lib/ruby/gems/1.8/gems/excon-0.3.6/lib/excon/connection.rb:171:in `connect'
    from /usr/local/lib/ruby/gems/1.8/gems/excon-0.3.6/lib/excon/connection.rb:188:in `socket'
    from /usr/local/lib/ruby/gems/1.8/gems/excon-0.3.6/lib/excon/connection.rb:101:in `request'
    from /usr/local/lib/ruby/gems/1.8/gems/fog-0.3.34/lib/fog/core/connection.rb:20:in `request'
    from /usr/local/lib/ruby/gems/1.8/gems/fog-0.3.34/lib/fog/aws/compute.rb:214:in `request'
    from /usr/local/lib/ruby/gems/1.8/gems/fog-0.3.34/lib/fog/aws/requests/compute/describe_instances.rb:64:in `describe_instances'
    from /usr/local/lib/ruby/gems/1.8/gems/fog-0.3.34/lib/fog/aws/models/compute/servers.rb:64:in `all'
    from /usr/local/lib/ruby/gems/1.8/gems/chef-0.9.12/lib/chef/knife/ec2_server_list.rb:73:in `run'
    from /usr/local/lib/ruby/gems/1.8/gems/chef-0.9.12/lib/chef/knife.rb:127:in `run'
    from /usr/local/lib/ruby/gems/1.8/gems/chef-0.9.12/lib/chef/application/knife.rb:121:in `run'
    from /usr/local/lib/ruby/gems/1.8/gems/chef-0.9.12/bin/knife:25
    from /usr/local/bin/knife:19:in `load'
    from /usr/local/bin/knife:19

geemus commented Jan 4, 2011

It may be an installation issue of some sort, but it wouldn't be having to install special certificates. It should just check the one that Amazon gives against a definitive list (that ought to be available from OpenSSL). I didn't have to set up anything special to make this work, but it's possible that I have lucked out and FreeBSD has a slightly different setup.

hbokh commented Jan 4, 2011

Thanks for the answer. But even after a complete clean install of all gems starting with "chef" and including "excon" and "fog", the same error remains.
I wonder where the certificate verification happens...

FYI, I'm trying to connect to an EU-based AWS instance (in Ireland).

geemus commented Jan 4, 2011

I would also check to make sure you have an up-to-date version of OpenSSL installed (not the Ruby gem, but the actual package). If you don't, the certificates packaged with it may be out of date. Let me know if that doesn't help and we can keep trying other stuff.

hbokh commented Jan 4, 2011

Thanks again, geemus.
OpenSSL is the latest version from FreeBSD ports: OpenSSL 1.0.0c 2 Dec 2010

It all works, by the way, when using "VERIFY_NONE" instead of "VERIFY_PEER" in "lib/excon/connection.rb", approx. line 161:

    ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE

For AWS / EC2 there is a unique / personal X.509 certificate named like "cert-T446GFOOBARFOOBARFOOBAR.pem".
It's in my $HOME/.ec2 directory now, but does this have to be placed in a specific place (aka $OPENSSL/certs)? Couldn't find any info so far...

geemus commented Jan 5, 2011

As long as the default certs exist in $OPENSSL/certs it should just work (this is what happens on both my Mac and Ubuntu machines). That said, I'm going to work on a patch to make it easier to set different verify modes and paths, so you should be able to work around it that way. I'll update here when I get it done.

geemus commented Jan 5, 2011

excon 0.3.7 has been updated to provide a workaround until a better solution is found. For now do this:

    require 'rubygems'
    require 'excon'
    Excon.ssl_verify_peer = false

You'll be less secure, but at least it will work (and I'm trying to figure out a better way).

geemus commented Jan 12, 2011

There are now two workarounds, so calling this good. First choice is better than second if you can manage it.

  1. fix ca_path to cert path: Excon.ssl_ca_path = '/path/to/certs'
  2. turn off peer verification: Excon.ssl_verify_peer = false
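
Added example, not from this thread or from Excon's own code: it reproduces at the OpenSSL level what the two workarounds differ on. A peer-verifying context fails with "certificate verify failed" when the trust store lacks the issuing CA (what a wrong ca_path amounts to) and succeeds once the CA is present, which is why pointing ssl_ca_path at the real CA directory is preferable to disabling peer verification. The CA, leaf certificate and names are constructed in memory for the example.

```ruby
require 'openssl'

# Build a throwaway CA and a leaf certificate in memory (constructed for this
# example; this is not Amazon's CA and not the EC2 API signing cert).
def make_cert(subject, key, issuer_cert, issuer_key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, so extensions are honoured
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
  cert
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('/CN=Example Test CA', CA_KEY, nil, nil, 1, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert('/CN=ec2.example.test', LEAF_KEY, CA_CERT, CA_KEY, 2, ca: false)

# Verify the way an SSLContext with VERIFY_PEER does: the server certificate
# must chain to a root in the trust store. Returns [ok, openssl error string].
def verify_against(trusted_certs, leaf)
  store = OpenSSL::X509::Store.new
  trusted_certs.each { |c| store.add_cert(c) }
  ok = store.verify(leaf)
  [ok, store.error_string]
end

# Workaround 1 at the OpenSSL level: keep VERIFY_PEER and point the context at
# the directory of trusted CAs (ca_path is an assumed, hashed CA directory).
def peer_verifying_context(ca_path)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.ca_path = ca_path
  ctx
end

# Empty store: the same failure class the issue reports ("unable to get local
# issuer certificate"). Store containing the CA: verification passes.
def demo
  { empty_store: verify_against([], LEAF_CERT),
    with_ca: verify_against([CA_CERT], LEAF_CERT) }
end
```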

This issue was closed.