Fix for OpenSSL::SSL::SSLError on RestForce / Faraday
Hopefully this will save you some time if you see this RestForce error.
Today I want to share how I fixed an OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed error that we were having on one of our Rails applications.
There are several different articles on the web with people providing their solutions to this super annoying error, and each solution came with a slew of people commenting “it worked” or “didn’t fix it”. I want to present the very specific things I needed to do, in the hope that if other solutions have failed, this one works!
This is the setup we had when we spotted this issue. That isn’t to say that the eventual solution won’t work if yours is different, but I can’t claim this to be a general solution that will fix everything for everyone.
- We noticed this when our RestForce gem wasn’t sending data to SalesForce anymore
- On one Ubuntu instance it worked, on another it didn’t
- It worked locally (Mac OS X)
- On the server that it didn’t work on, curl was throwing similar errors
It didn’t look like OpenSSL was using the correct SSL certificates when trying to establish the authenticity of websites.
Even though this was being called from RestForce, it uses Faraday, which uses Ruby’s Net::HTTP. Since it was Net::HTTP throwing the error, I was pretty sure the solution had to be fairly low level.
The (eventual) Solution
I say eventual because I followed several red herrings.
I had to run the following things on the server:
- openssl version -a to find out the OPENSSLDIR being used by the system
- ls /usr/lib/ssl/certs to verify it was empty (that location being the result of
- Updating the ca-certificates with sudo apt-get install ca-certificates (in my case this wasn’t needed, but a good step)
- Updating the certificate location with
- Hashing the certificates for OpenSSL with
- This blog post really helped me understand the issue and the doctor script was useful (not least because it showed me that my wget was being weird too!)
- Paul Synnott helped me with an issue I had during certificate creation
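
The checks from the steps above (find the certificate locations OpenSSL uses, then see whether the directory is empty or not yet hashed) can be run from Ruby itself, which shows what Net::HTTP will actually consult. This is an added example, not code from the original post; `ca_dir_state`, `trust_paths` and `diagnose` are hypothetical helper names, and the verdict is a heuristic.

```ruby
require 'openssl'

# File names OpenSSL looks up in a CA directory: eight hex digits of the
# subject-name hash, a dot, then a collision counter (for example 5ad8a5d6.0).
HASHED_NAME = /\A[0-9a-f]{8}\.\d+\z/

# Classify a CA directory as :missing, :empty, :unhashed or :ok.
# (Hypothetical helper written for this example.)
def ca_dir_state(dir)
  return :missing unless File.directory?(dir)
  entries = Dir.children(dir)
  return :empty if entries.empty?
  return :unhashed if entries.none? { |name| name.match?(HASHED_NAME) }
  :ok
end

# Paths Ruby's OpenSSL consults, honouring the SSL_CERT_FILE / SSL_CERT_DIR
# overrides. Assumption: SSL_CERT_DIR names a single directory, not a list.
def trust_paths(env = ENV)
  { file: env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE,
    dir:  env[OpenSSL::X509::DEFAULT_CERT_DIR_ENV]  || OpenSSL::X509::DEFAULT_CERT_DIR }
end

# Heuristic verdict: verification can only succeed if a non-empty bundle file
# or a hashed directory is present. It does not validate the certificates.
def diagnose(env = ENV)
  paths = trust_paths(env)
  bundle_ok = File.file?(paths[:file]) && !File.zero?(paths[:file])
  dir_state = ca_dir_state(paths[:dir])
  verdict = (bundle_ok || dir_state == :ok) ? :usable : :broken
  paths.merge(bundle_ok: bundle_ok, dir_state: dir_state, verdict: verdict)
end

if $PROGRAM_NAME == __FILE__
  puts "OpenSSL build: #{OpenSSL::OPENSSL_VERSION}"
  diagnose.each { |key, value| puts format('%-10s %s', key, value) }
  # A :broken verdict means the trust store needs repairing on the host;
  # leave the client's verify_mode at OpenSSL::SSL::VERIFY_PEER.
end
```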