Cert verification failure with openssl and curl

[bruno-]

Hi,

this is a great gem, thank you for making it. I'm using localhost with puma. Connecting to the server via browser works great. The guide does a great job of informing a user how to set this up.

Connecting to the server via Net::HTTP (httparty) fails

$ ruby -e 'require "httparty"; HTTParty.get("https://localhost:3000")'

Output (personal stuff redacted with (...)`:

...3.0.0/lib/ruby/3.0.0/net/protocol.rb:46:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate) (OpenSSL::SSL::SSLError)
        from ...3.0.0/lib/ruby/3.0.0/net/protocol.rb:46:in `ssl_socket_connect'
        from ...3.0.0/lib/ruby/3.0.0/net/http.rb:1038:in `connect'
        from ...3.0.0/lib/ruby/3.0.0/net/http.rb:970:in `do_start'
        from ...3.0.0/lib/ruby/3.0.0/net/http.rb:959:in `start'
        from ...3.0.0/lib/ruby/3.0.0/net/http.rb:1512:in `request'
        from ...3.0.0/lib/ruby/gems/3.0.0/gems/httparty-0.18.1/lib/httparty/request.rb:145:in `perform'
        from ...3.0.0/lib/ruby/gems/3.0.0/gems/httparty-0.18.1/lib/httparty.rb:594:in `perform_request'
        from ...3.0.0/lib/ruby/gems/3.0.0/gems/httparty-0.18.1/lib/httparty.rb:508:in `get'
        from ...3.0.0/lib/ruby/gems/3.0.0/gems/httparty-0.18.1/lib/httparty.rb:627:in `get'

Connecting to the server via curl fails

curl https://localhost:3000 fails with the following error:

curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Is connecting via curl or net-http out of scope for this gem?

[bruno-]

I spent some time looking for a solution.

The root problem is: localhosts self-signed cert is not added to the openssls or curls CA files.

Solution for ruby

Append the content of ~/.localhost/localhost.crt to openssls root CA file (/usr/local/etc/openssl@1.1/cert.pem on my machine, path stored in ::OpenSSL::X509::DEFAULT_CERT_FILE) and requests from ruby will work.

Solution for curl

Explicitly tell curl which CA file to use.

• Tell curl to use openssls CA file:

CURL_CA_BUNDLE="/usr/local/etc/openssl@1.1/cert.pem" curl https://localhost:3000

• Or tell it to use localhost certificate only:

CURL_CA_BUNDLE="/path/to/home/.localhost/localhost.crt" curl https://localhost:3000

[bruno-]

I'll gladly get involved and write a guide or investigate this more, I'd just appreciate some feedback:

• Is this in scope for this gem?
• Should this just be documented, and the users are expected to manually resolve this?
• Maybe this gem can provide a rake task that adds certificate file to openssls root CA file?

Thanks!

[ioquatix]

That is all in scope. For the task, use bake.

[ioquatix]

The point of this gem is to make it easier to use TLS in local development environments. I got sick of manually creating self-signed certificates :p

[ioquatix]

Bump :)

[ioquatix]

Okay, this feature is now implemented. See the installation instructions for details: https://socketry.github.io/localhost/guides/getting-started/index#installation