Discussion:
[ruby-list:50510] How to override OpenSSL::X509::DEFAULT_CERT_FILE
Yoshihisa Sugano
2017-04-18 00:58:13 UTC
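This is Sugano.

I have an environment on a Sakura rental server where I installed ruby 2.4.1 with rbenv.
When I try to make an https connection in this environment, I get SSL-related errors and cannot connect (the error messages are at the end).

The cause is that no certificate exists at the path that OpenSSL::X509::DEFAULT_CERT_FILE points to.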

irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> p OpenSSL::X509::DEFAULT_CERT_FILE
"/etc/ssl/cert.pem"
=> "/etc/ssl/cert.pem"

$ ls -l /etc/ssl
total 12
-rw-r--r-- 1 root wheel 9483 Dec 4 2012 openssl.cnf

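Since this is a rental server I cannot place a certificate in /etc/ssl, so I would like to somehow override OpenSSL::X509::DEFAULT_CERT_FILE.

The documentation says it can be overridden through the environment variable named by OpenSSL::X509::DEFAULT_CERT_FILE_ENV, so I looked in irb and got the string SSL_CERT_FILE.

So I set the environment variable SSL_CERT_FILE to the path of a certificate under my home directory, but OpenSSL::X509::DEFAULT_CERT_FILE does not change, and the SSL connection error stays the same. Could it be that this does not work depending on the build environment or the like?

I thought it would be solved if I could specify OpenSSL::X509::DEFAULT_CERT_FILE at build time, but looking through the build options I could not find a way.

Line 182 of ext/openssl/ossl_x509.c,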

DefX509Default(CERT_FILE, cert_file);

is where I think it gets set, though.

Is there any way to override OpenSSL::X509::DEFAULT_CERT_FILE, whether at build time or at run time?


The errors are as follows.

With net/https:

```
/home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `connect_nonblock': Connection reset by peer - SSL_connect (Errno::ECONNRESET)
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `ssl_socket_connect'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:948:in `connect'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:887:in `do_start'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:876:in `start'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:1407:in `request'
from ./myscript.rb:52:in `<main>'
```

With open-uri it looks like this:

```
irb(main):006:0> open('https://www.google.com/')
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `connect_nonblock'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `ssl_socket_connect'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:948:in `connect'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:887:in `do_start'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:876:in `start'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:323:in `open_http'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:741:in `buffer_open'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:212:in `block in open_loop'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:210:in `catch'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:210:in `open_loop'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:151:in `open_uri'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:721:in `open'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:35:in `open'
from (irb):6
from /home/XXXXXX/.rbenv/versions/2.4.1/bin/irb:11:in `<main>'
```
--
Sugano Yoshihisa(E) <mailto:***@foxking.org>
Sugano Yoshihisa(E)
2017-04-18 04:43:48 UTC
This is Sugano.
Sorry for sending a strange email m(_ _)m

I am resending it below with a different MUA.

I have an environment on a Sakura rental server where I installed ruby 2.4.1 with rbenv.
When I try to make an https connection in this environment, I get SSL-related errors and cannot connect (the error messages are at the end).

The cause is that no certificate exists at the path that OpenSSL::X509::DEFAULT_CERT_FILE points to.

irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> p OpenSSL::X509::DEFAULT_CERT_FILE
"/etc/ssl/cert.pem"
=> "/etc/ssl/cert.pem"

$ ls -l /etc/ssl
total 12
-rw-r--r-- 1 root wheel 9483 Dec 4 2012 openssl.cnf

Since this is a rental server I cannot place a certificate in /etc/ssl, so I would like to somehow override OpenSSL::X509::DEFAULT_CERT_FILE.

The documentation says it can be overridden through the environment variable named by OpenSSL::X509::DEFAULT_CERT_FILE_ENV, so I looked in irb and got the string SSL_CERT_FILE.

So I set the environment variable SSL_CERT_FILE to the path of a certificate under my home directory, but OpenSSL::X509::DEFAULT_CERT_FILE does not change, and the SSL connection error stays the same. Could it be that this does not work depending on the build environment or the like?

I thought it would be solved if I could specify OpenSSL::X509::DEFAULT_CERT_FILE at build time, but looking through the build options I could not find a way.

Line 182 of ext/openssl/ossl_x509.c,

DefX509Default(CERT_FILE, cert_file);

is where I think it gets set, though.

Is there any way to override OpenSSL::X509::DEFAULT_CERT_FILE, whether at build time or at run time?


The errors are as follows.

With net/https:

```
/home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `connect_nonblock': Connection reset by peer - SSL_connect (Errno::ECONNRESET)
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `ssl_socket_connect'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:948:in `connect'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:887:in `do_start'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:876:in `start'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:1407:in `request'
from ./myscript.rb:52:in `<main>'
```

With open-uri it looks like this:

```
irb(main):006:0> open('https://www.google.com/')
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `connect_nonblock'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `ssl_socket_connect'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:948:in `connect'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:887:in `do_start'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:876:in `start'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:323:in `open_http'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:741:in `buffer_open'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:212:in `block in open_loop'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:210:in `catch'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:210:in `open_loop'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:151:in `open_uri'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:721:in `open'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:35:in `open'
from (irb):6
from /home/XXXXXX/.rbenv/versions/2.4.1/bin/irb:11:in `<main>'
```
--
Sugano Yoshihisa(E) <mailto:***@foxking.org>
U.NAKAMURA
2017-04-18 09:27:24 UTC
Hello, this is Nakamura (U).

In message "[ruby-list:50512] Re: How to override OpenSSL::X509::DEFAULT_CERT_FILE"
Post by Sugano Yoshihisa(E)
Is there any way to override OpenSSL::X509::DEFAULT_CERT_FILE, whether at build time or at run time?
This is not quite that, but if all you need is to specify the certificate at run time,
I think you can do it by passing the path of the certificate file through the
optional argument ca_file: of Net::HTTPS.start, or the optional argument
ssl_ca_cert: of open-uri's open.


That's all.
--
U.Nakamaura <***@garbagecollect.jp>
松永 肇一
2017-04-19 00:17:25 UTC
My name is Matsunaga.

On Windows, you run into a similar problem when you try to connect to an https
site with net/http. I worked around it in the following way.

1) Obtain the certificates yourself
curl http://curl.haxx.se/ca/cacert.pem -o./cacert.pem

2) Configure the certificates yourself
https = Net::HTTP.new(HOST, PORT)
https.use_ssl = true
https.ca_file = "/path/to/cacert.pem"

With this, SSL over net/http worked.
I hope this is of some help.
Post by Sugano Yoshihisa(E)
This is Sugano.
Sorry for sending a strange email m(_ _)m
I am resending it below with a different MUA.
I have an environment on a Sakura rental server where I installed ruby 2.4.1 with rbenv.
irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> p OpenSSL::X509::DEFAULT_CERT_FILE
"/etc/ssl/cert.pem"
=> "/etc/ssl/cert.pem"
$ ls -l /etc/ssl
total 12
-rw-r--r-- 1 root wheel 9483 Dec 4 2012 openssl.cnf
The documentation says it can be overridden through the environment variable named by OpenSSL::X509::DEFAULT_CERT_FILE_ENV, so I looked in irb and got the string SSL_CERT_FILE.
I thought it would be solved if I could specify OpenSSL::X509::DEFAULT_CERT_FILE at build time, but looking through the build options I could not find a way.
Line 182 of ext/openssl/ossl_x509.c,
DefX509Default(CERT_FILE, cert_file);
Is there any way to override OpenSSL::X509::DEFAULT_CERT_FILE, whether at build time or at run time?
The errors are as follows.
With net/https:
```
/home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `connect_nonblock': Connection reset by peer - SSL_connect (Errno::ECONNRESET)
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `ssl_socket_connect'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:948:in `connect'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:887:in `do_start'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:876:in `start'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:1407:in `request'
from ./myscript.rb:52:in `<main>'
```
With open-uri it looks like this:
```
irb(main):006:0> open('https://www.google.com/')
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `connect_nonblock'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `ssl_socket_connect'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:948:in `connect'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:887:in `do_start'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:876:in `start'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:323:in `open_http'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:741:in `buffer_open'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:212:in `block in open_loop'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:210:in `catch'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:210:in `open_loop'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:151:in `open_uri'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:721:in `open'
from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:35:in `open'
from (irb):6
from /home/XXXXXX/.rbenv/versions/2.4.1/bin/irb:11:in `<main>'
```
--
Lifemedia Inc. (株式会社ライフメディア), System Development Department
松永肇一
Sugano Yoshihisa(E)
2017-04-20 06:39:57 UTC
This is Sugano.
Thank you all for your advice.

To summarize what I have been told:

1. The location of the cert file can be overridden with an environment variable
2. The cert file can also be specified inside the script

That is what it comes down to, right?

I tried both right away, but the situation did not change.
So that means it is not a cert file problem, doesn't it.
The file was missing, so I was convinced that was the cause. How embarrassing.

As a test, I installed OpenSSL into my home directory and had the ruby build
refer to it, and with that it worked properly.

I checked the location of openssl on the Sakura rental server, and it was

$ openssl version -d
OPENSSLDIR: "/usr/local/ssl/etc/ssl"

so I installed with

RUBY_CONFIGURE_OPTS='--with-openssl-dir=/usr/local/ssl' rbenv install 2.4.1

and it worked without problems.

The cert file location is also

$ ruby -ropenssl -e 'p OpenSSL::X509::DEFAULT_CERT_FILE'
"/usr/local/ssl/etc/ssl/cert.pem"
$ ls -l /usr/local/ssl/etc/ssl/cert.pem
lrwxr-xr-x 1 root wheel 38 May 11 2016 /usr/local/ssl/etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt

so it looks like things are normal now.

I suppose this means that the OpenSSL location found by the configure script
can, for some reason, end up being somewhere different. It feels a little
unsettling, but I am glad it works.

Thank you, everyone!

--
Sugano Yoshihisa(E)
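
An added example (not code from any poster in this thread) covering the two run-time routes summarized above and the build question: it reports what the linked OpenSSL was compiled to look for, and shows that OpenSSL::X509::DEFAULT_CERT_FILE is a compile-time constant while a store that loads its default paths reads SSL_CERT_FILE at that moment. Both routes keep peer verification enabled; the certificates are constructed test data and the function names are hypothetical.

```ruby
require 'openssl'
require 'tempfile'

# Where will this Ruby's linked OpenSSL look for trust anchors? The DEFAULT_*
# constants are compiled into the library and never change at run time; the
# environment variables are consulted only when a store loads its defaults.
def trust_anchor_report(env = ENV)
  file = env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
  dir  = env[OpenSSL::X509::DEFAULT_CERT_DIR_ENV]  || OpenSSL::X509::DEFAULT_CERT_DIR
  { built_against: OpenSSL::OPENSSL_VERSION,           # headers used at build time
    loaded_library: OpenSSL::OPENSSL_LIBRARY_VERSION,  # library loaded right now
    compiled_file: OpenSSL::X509::DEFAULT_CERT_FILE,
    effective_file: file, file_exists: File.file?(file),
    effective_dir: dir, dir_exists: File.directory?(dir) }
end

# Constructed test certificate (not a real CA); self-signed when issuer is nil.
def make_cert(cn, key, issuer: nil, issuer_key: key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Verify one leaf against three stores: an explicit CA file, an empty store,
# and default paths loaded while SSL_CERT_FILE points at the CA file.
def verify_three_ways
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Constructed Test CA', ca_key, ca: true)
  leaf = make_cert('host.example', OpenSSL::PKey::RSA.new(2048), issuer: ca, issuer_key: ca_key)
  Tempfile.create(['ca', '.pem']) do |f|
    f.write(ca.to_pem)
    f.flush
    explicit = OpenSSL::X509::Store.new
    explicit.add_file(f.path)             # explicit trust file, as with ca_file
    saved = ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV]
    begin
      ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] = f.path
      from_env = OpenSSL::X509::Store.new
      from_env.set_default_paths          # the environment variable is read here
    ensure
      ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] = saved
    end
    { explicit: explicit.verify(leaf), empty: OpenSSL::X509::Store.new.verify(leaf),
      from_env: from_env.verify(leaf) }
  end
end

if $PROGRAM_NAME == __FILE__
  p trust_anchor_report
  p verify_three_ways
end
```

If `built_against` and `loaded_library` name different OpenSSL releases, or `compiled_file` sits under a prefix other than the one `openssl version -d` prints, the interpreter was built against a different OpenSSL than the one the system maintains.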

Kazuhiro NISHIYAMA
2017-04-18 13:03:30 UTC
This is Kazuhiro Nishiyama.

On Tue, 18 Apr 2017 09:58:13 +0900,
Post by Sugano Yoshihisa(E)
Is there any way to override OpenSSL::X509::DEFAULT_CERT_FILE, whether at build time or at run time?
% lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

I tried it in the environment above, and it connected without problems even though
the file that OpenSSL::X509::DEFAULT_CERT_FILE points to does not exist.

If SSL_CERT_FILE does not work, how about trying SSL_CERT_DIR?

```
% /usr/bin/irb -r irb/completion --simple-prompt
>> RUBY_DESCRIPTION
=> "ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]"
>> require 'openssl'
=> true
>> OpenSSL::X509::DEFAULT_CERT_FILE
=> "/usr/lib/ssl/cert.pem"
>> File.exist? OpenSSL::X509::DEFAULT_CERT_FILE
=> false
>> require 'open-uri'
=> true
>> open('https://www.google.com/')
=> #<Tempfile:/tmp/user/1000/open-uri20170418-9096-155vnnx>
>> OpenSSL::X509::DEFAULT_CERT_DIR
=> "/usr/lib/ssl/certs"
>> OpenSSL::X509::DEFAULT_CERT_DIR_ENV
=> "SSL_CERT_DIR"
% SSL_CERT_DIR=. /usr/bin/irb -r irb/completion --simple-prompt
>> require 'open-uri'
=> true
>> open('https://www.google.com/')
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
from /usr/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock'
from /usr/lib/ruby/2.3.0/net/http.rb:933:in `connect'
from /usr/lib/ruby/2.3.0/net/http.rb:863:in `do_start'
from /usr/lib/ruby/2.3.0/net/http.rb:852:in `start'
from /usr/lib/ruby/2.3.0/open-uri.rb:319:in `open_http'
from /usr/lib/ruby/2.3.0/open-uri.rb:737:in `buffer_open'
from /usr/lib/ruby/2.3.0/open-uri.rb:212:in `block in open_loop'
from /usr/lib/ruby/2.3.0/open-uri.rb:210:in `catch'
from /usr/lib/ruby/2.3.0/open-uri.rb:210:in `open_loop'
from /usr/lib/ruby/2.3.0/open-uri.rb:151:in `open_uri'
from /usr/lib/ruby/2.3.0/open-uri.rb:717:in `open'
from /usr/lib/ruby/2.3.0/open-uri.rb:35:in `open'
from (irb):2
from /usr/bin/irb:11:in `<main>'
```
--
|ZnZ(ゼット エヌ ゼット)
|西山和広(Kazuhiro NISHIYAMA)