Connect: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

Time: 2022-01-27 00:32:27

I'm having a terrible time getting SSL to verify a certificate. I'm completely ignorant on how certificates work so that's a major handicap to begin with. Here's the error I get when running the script:

c:/Ruby191/lib/ruby/1.9.1/net/http.rb:611:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

Here's the relevant code:

client = Savon::Client.new order_svc

request = client.create_empty_cart { |soap, http|
  http.auth.ssl.cert_file = 'mycert.crt'
  http.auth.ssl.verify_mode = :none
  http.read_timeout = 90
  http.open_timeout = 90
  http.headers = { "Content-Length" => "0", "Connection" => "Keep-Alive" }
  soap.namespaces["xmlns:open"] = "http://schemas.datacontract.org/2004/07/Namespace"
  soap.body = {
      "wsdl:brand" => brand,
      "wsdl:parnter" => [
        {"open:catalogName" => catalogName, "open:partnerId" => partnerId }
      ] }.to_soap_xml

      }

Any help is appreciated.

4 solutions

#1


5  

Check your cert.pem and your key.pem.

The cert key should have one

-----BEGIN CERTIFICATE-----
MIIFGDCCBACgAwIBAgIKG1DIagAAAAAAAzANBgkqhkiG9w0BAQsFADCBvDEkMCIG
....
-----END CERTIFICATE-----

Your key.pem should have

-----BEGIN PRIVATE KEY-----
CSqGSIb3DQEJARYVY2Fjb250YWN0QGVzY3JlZW4uY29tMQswCQYDVQQGEwJVUzEP
....
-----END PRIVATE KEY-----

and it may have some certs in it but that doesn't matter for this case. (Although it does for me as curl doesn't work without the extra certs) The webservice I am talking to has a good root CA, but the client auth keys are not trusted so this is probably why the extra certs make curl work.

Getting those out of your client certificate was what caused me the problems.

Here is what worked for me.

openssl pkcs12 -in Client.pfx -clcerts -nokeys -out cert.pem
openssl pkcs12 -in Client.pfx -nodes -out key.pem

Each will prompt you for the Import password, and you can set a PEM password if you want. (You would have to set that in the Ruby code later.)

require 'savon'
client = Savon::Client.new "https://service/Service.asmx?wsdl"
client.http.auth.ssl.cert_key_file = "key.pem"
client.http.auth.ssl.cert_file = "cert.pem"
client.http.auth.ssl.verify_mode=:peer

p client.wsdl.soap_actions

You can also test with curl

curl -v  -E  key.pem  https://services/Service.asmx?wsdl

#2


1  

You need to provide the private key file that goes along with your certificate.

http.auth.ssl.cert_key_file = "mycert.pem"

If your private key file is encrypted, you'll need to supply the password too:

http.auth.ssl.cert_key_password = "foobar"

#3


1  

Putting the http.auth.ssl.verify_mode = :none inside the client.request block does not work for me.

I had to use:

client = Savon::Client.new do |wsdl, http|
  http.auth.ssl.verify_mode = :none
  wsdl.document = "YOUR_WSDL_URL_HERE" # placeholder: put your WSDL URL here
end

Using Savon 0.9.9 and Ruby 1.9.3-p125

#4


-1  

Note: I was working with test automation in lower level environments that did not have properly signed certificates and would often throw errors due to domain signatures not matching. For the problem at hand, bypassing signatures was a plausible solution but it is not a solution to be used for production level development.

My problem is that I am trying to validate a self-signed certificate. All I had to do was put the following code and omit anything to do with validating certificates.

I had to do this for both my SOAP and REST calls that were both experiencing the same issue.

SOAP using Savon

client = Savon::Client.new order_svc

request = client.create_empty_cart { |soap, http|
  http.auth.ssl.verify_mode = :none
  http.headers = { "Content-Length" => "0", "Connection" => "Keep-Alive" }
  soap.namespaces["xmlns:open"] = "http://schemas.datacontract.org/2004/07/Namespace"
  soap.body = {
      "wsdl:brand" => brand,
      "wsdl:parnter" => [
        {"open:catalogName" => catalogName, "open:partnerId" => partnerId }
      ] }.to_soap_xml

      }

REST using HTTPClient

client = HTTPClient.new
client.ssl_config.verify_mode=(OpenSSL::SSL::VERIFY_NONE)
resp = client.get(Methods)
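
Answers #1 and #2 depend on the private key matching the client certificate, and answer #4 turns verification off to get past a self-signed certificate. As an added example (not code from any of the answers), this Ruby code shows the key/certificate match check and how a self-signed certificate verifies with VERIFY_PEER left on once it is placed in the trust store. The certificate names and the helper functions are constructed for illustration.

```ruby
require 'openssl'

# Constructed sample: a throwaway self-signed certificate and its key,
# standing in for a test environment's certificate (CN is hypothetical).
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Build a trust store holding only the given certificates.
def store_for(trusted)
  OpenSSL::X509::Store.new.tap { |s| trusted.each { |c| s.add_cert(c) } }
end

# Returns [verified?, OpenSSL verify error code] for cert against that store.
def verify_with(trusted, cert)
  store = store_for(trusted)
  [store.verify(cert), store.error]
end

# SSL context that keeps peer verification on and trusts only `trusted`.
def pinned_context(trusted)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = store_for(trusted)
  ctx
end

if __FILE__ == $PROGRAM_NAME
  cert, key = make_self_signed('test.example')
  _other_cert, other_key = make_self_signed('other.example')
  p verify_with([], cert)             # empty store: the "certificate verify failed" case
  p verify_with([cert], cert)         # certificate placed in the trust store
  p cert.check_private_key(key)       # key that belongs to the certificate
  p cert.check_private_key(other_key) # key from a different certificate
end
```

With Savon or HTTPClient the equivalent is to point the client's CA file or certificate store at the test environment's certificate instead of setting the verify mode to none.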
