Ruby OpenSSL::SSL::SSLError on CentOS 6.2

Question

I'm trying to run the following code (taken from codeacademy) in CentOS 6.2:

require 'rubygems'
require 'oauth'



# Change the following values to those provided on dev.twitter.com

# The consumer key identifies the application making the request.

# The access token identifies the user making the request.

consumer_key = OAuth::Consumer.new(

    "MY_KEY",

    "MY_SECRET")

access_token = OAuth::Token.new(

    "STRING1",

    "STRING2")


# All requests will be sent to this server.

baseurl = "https://api.twitter.com"



# The verify credentials endpoint returns a 200 status if

# the request is signed correctly.

address = URI("#{baseurl}/1.1/account/verify_credentials.json")



# Set up Net::HTTP to use SSL, which is required by Twitter.

http = Net::HTTP.new address.host, address.port

http.use_ssl = true

http.verify_mode = OpenSSL::SSL::VERIFY_PEER


# Build the request and authorize it with OAuth.

request = Net::HTTP::Get.new address.request_uri

request.oauth! http, consumer_key, access_token


# Issue the request and return the response.

http.start

response = http.request request

puts "The response status was #{response.code}"

and get the following error message:

/usr/lib/ruby/1.8/net/http.rb:586:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

The keys have been omitted (tehy are, after all, secret), but i'm using correct ones. The neccessary gems are installed.

What might the problem be?

jww jww · Accepted Answer · 2014-05-14T14:51:25

http = Net::HTTP.new address.host, address.port
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
...

You also need:

http.ca_file = File.join(File.dirname(__FILE__), "ca-cert.pem")

Since its Tweeter:

$ openssl s_client -connect api.twitter.com:443
CONNECTED(00000003)
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Twitter, Inc./OU=Twitter Security/CN=api.twitter.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
...

You need the top issuer, (i: at level 1), which is VeriSign Class 3 Public Primary Certification Authority - G5. You can get that from Public Root CA - VeriSign. The filename is PCA-3G5.pem.

After you download the root, you can then run s_client again and the server certificate will verify:

$ openssl s_client -connect api.twitter.com:443 -CAfile PCA-3G5.pem

Ruby OpenSSL::SSL::SSLError on CentOS 6.2

1 Answers