ssl_cert_file is not the same as cert or key, use ca_file #49

Merged
merged 1 commit into from Apr 16, 2012


@eddroid
eddroid commented Mar 31, 2012

A ca_file is not the same as a cert or key. This commit only sets http.ca_file = @ssl_cert_file and ignores http.cert and http.key. Depending on the format of your ssl_cert_file, it may throw errors if you try to parse it as an X509 Certificate or RSA key (it did for me).

You should use different config keys (e.g. ssl_509cert and ssl_key_file) if you'd like users to set the key or cert file specifically. Neither worked for me, so I didn't bother.

Check http://martinottenwaelter.fr/2010/12/ruby19-and-the-ssl-error/ for an example of the two different ways he solved SSL certificate verification errors. You already support http.ca_path = @ssl_cert_path (even though you don't demonstrate it in your sample config file). This commit adds support for http.ca_file as well.

I tested this on a small EC2 instance running the Amazon AMI with Ruby v1.8.7p357. The ca_file is /etc/ssl/certs/ca-bundle.crt. ca_path didn't work. The blog link indicates ca_path may only work on Ubuntu.

Ed Toro An ssl_cert_file is not the same as a cert or key. Use http.ca_file =…
… ssl_cert_file. Use a different config key for http.cert and http.key.
8b41e04
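
An added example, not code from this pull request or the gem: it shows the distinction the description draws, with `ca_file` supplying the trust anchors that verify the server while `cert` and `key` carry the client's own identity and stay unset unless supplied. The helper names (`make_cert`, `build_http`, `trusted_by_bundle?`, `demo`), the host name and all certificates are constructed for illustration, and the keyword arguments assume Ruby 2.1 or later.

```ruby
require "net/http"
require "openssl"
require "tempfile"
# Constructed test material: a certificate, self-signed (and a CA) unless an issuer is given.
def make_cert(cn, key, serial, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ca_ext = OpenSSL::X509::ExtensionFactory.new.create_extension("basicConstraints", "CA:TRUE", true)
  cert.add_extension(ca_ext) unless issuer
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# ca_file holds trust anchors for verifying the server. cert and key are the
# client's own identity for mutual TLS and are set only when both are supplied.
def build_http(host, ca_file:, client_cert_pem: nil, client_key_pem: nil)
  http = Net::HTTP.new(host, 443) # no connection is opened here
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file
  if client_cert_pem && client_key_pem
    http.cert = OpenSSL::X509::Certificate.new(client_cert_pem)
    http.key = OpenSSL::PKey.read(client_key_pem)
  end
  http
end

# True when the certificate chains to an anchor in the bundle file.
def trusted_by_bundle?(bundle_path, cert)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path)
  store.verify(cert)
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert("Constructed Test CA", ca_key, 1)
  server = make_cert("server.example", OpenSSL::PKey::RSA.new(2048), 2, issuer: ca, issuer_key: ca_key)
  other = make_cert("Unlisted CA", OpenSSL::PKey::RSA.new(2048), 3) # not in the bundle
  Tempfile.create(["ca-bundle", ".crt"]) do |f|
    File.write(f.path, ca.to_pem)
    http = build_http("server.example", ca_file: f.path)
    { ca_file_set: http.ca_file == f.path, cert: http.cert, key: http.key,
      server_trusted: trusted_by_bundle?(f.path, server), other_trusted: trusted_by_bundle?(f.path, other) }
  end
end
```
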
@ghost
ghost commented Apr 15, 2012

eddroid, thanks for the fix! We can confirm that we were seeing the same SSL/cert issue on CentOS, used your patch on our fork, and it fixes the problem.

I agree that it should be merged into the gem.

Owner
tc commented Apr 16, 2012

thanks for validating, I'll merge this fix into the next version.

@tc tc merged commit f241eb5 into tc:master Apr 16, 2012