puma-dev cert not accepted by ruby http libraries

[cainlevy]

Common Ruby HTTP libraries like Net::HTTP and Excon will not verify puma-dev's generated certificate on my install. I'm running a fresh MacOS Sierra with homebrew's openssl, and I've moved the puma-dev cert to the System keychain, per #84 (comment).

Examples

Excon provides a helpful error:

Excon::Error::Certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError) Unable to verify certificate. This may be an issue with the remote host or with Excon. Excon has certificates bundled, but these can be customized:

            `Excon.defaults[:ssl_ca_path] = path_to_certs`
            `ENV['SSL_CERT_DIR'] = path_to_certs`
            `Excon.defaults[:ssl_ca_file] = path_to_file`
            `ENV['SSL_CERT_FILE'] = path_to_file'
            `Excon.defaults[:ssl_verify_callback] = callback`
                (see OpenSSL::SSL::SSLContext#verify_callback)
or:
            `Excon.defaults[:ssl_verify_peer] = false` (less secure).

Net::HTTP does not:

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed

[evanphx]

This is fixed in the upcoming release v0.11

[lackac]

@evanphx could you elaborate on this? I just tried the current master and I'm still getting the error that was pasted above. I'm probably missing something. Where is this implemented in puma-dev?

[rxbynerd]

I've poured over the diff for this and I can't find anything that would help me with this - I've manually run the security add-trusted-cert command, and it hasn't changed anything

@evanphx please could you expand on what fixes this problem, as I'm still suffering from it?

[ecielam]

@evanphx when is that release happening? I am running into this problem now, and it's a show stopper for me.

[tanelsuurhans]

Any updates on this issue? Keep hitting this same problem in local environments.

[flanger001]

Still running into this now also on a Rails app. I just dumped this into an initializer and it's generally fine:

Excon.defaults[:ssl_verify_peer] = false if Rails.env.development?

But it would be good to know if there's a fix.

[dcorking]

Which commit fixed this? I'd like to be able to check there has not been a regression, because I and several co-workers experience the same error message with puma-dev 0.15.2 on macOS with Net::HTTP.

What is the correct way to verify puma-dev's TLS certificate with Net::HTTP ?

[nonrational]

You must specify where to find CA certs for ruby to use them.

# create /tmp/cert.pem containing puma-dev CA and all default CAs
cat $(ruby -e "require 'net/http'; puts OpenSSL::X509::DEFAULT_CERT_FILE") \ 
  $HOME/Library/Application\ Support/io.puma.dev/cert.pem \
  > /tmp/cert.pem

# configure Net::HTTP to use the CA bundle including puma-dev's CA
require 'open-uri'
require 'net/http'

module Net
  class HTTP
    alias_method :original_use_ssl=, :use_ssl=
    def use_ssl=(flag)
      self.ca_file = "/tmp/cert.pem"
      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
      self.original_use_ssl = flag
    end
  end
end

uri = URI('https://localhost:9283/events')

Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
  request = Net::HTTP::Get.new uri
  request["User-Agent"] = "net::http"
  request["Host"] = "puma-dev"

  response = http.request(request)
  puts response.body
end