5

I have a Rails app that is configured to only use SSL. I also have free SSL certificates from StartSSL.

I use thin as my web server with this command:

```
thin start -p 80 & thin start -p 443 --ssl --ssl-key-file ./.ssl/sslkey.key --ssl-cert-file ./.ssl/sslcert.cert &
```

This technically works-- visiting the http version of my site redirects to the https version. However, Chrome and Safari both prompt me when I visit the site to "Select a Certificate" from my local Keychain to validate with the server.

This behavior is not desirable. How do I set up thin with SSL in such a way that this dialog does not appear?

drewblaisdell
  • 1
    In your sslcert.cert have you appended the root certificate of the issuing CA? Like said in examples: https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1365&nav=0,96,1,95 Section `Combine (Concatenate) multiple certificates into one file`. I am not associated with COMODO. – SreekanthGS Apr 29 '14 at 05:05
  • 1
    Edit your post and show us the contents of `./.ssl/sslcert.cert`. `sslcert.cert` should have two certs in it. First is the server certificate issued by Startcom; and second is the [`sub.class1.server.ca.pem`](https://www.startssl.com/certs/sub.class1.server.ca.pem) from Startcom's [Index of Certs](https://www.startssl.com/certs/). `sub.class1.server.ca.pem` is the intermediate signing cert, and you send it with the server certificate. The client must have the Startcom CA Root and trust it. You *don't* send the CA Root. – jww Apr 29 '14 at 07:23
  • Ahhh, that was it. I was sending the CA Root as well. I removed that from the bundle certificate and it works now. If you post this as an answer, I can choose it. – drewblaisdell Apr 29 '14 at 21:17
  • 1
    FYI this might not be the right/correct/perfect resolution. It looks like it's rather a `thin` [issue](https://github.com/macournoyer/thin/issues/244), it is addressed [here](https://thin.lighthouseapp.com/projects/7212/changesets/85fdb1960039a7ed21ea3ad4badb49380493f11d). In the `thin` doc, see option `--ssl-disable-verify` ... however not available in version 1.6.2 Codename Doc Brown. There is a [commit](https://github.com/macournoyer/thin/commit/85fdb1960039a7ed21ea3ad4badb49380493f11d) that resolves this issue apparently, but it's not available in the release version (??). – zabumba Sep 10 '14 at 21:24
  • 1
    @joelmaranhao: I had the same issue, and your answer fixed it. The --ssl-disable-verify is now available in thin as well (see https://github.com/macournoyer/thin/issues/244). – Jelle Oct 27 '14 at 09:04
  • Yeap Jelle, please add your comment as an answer, I will tick it as the right answer. Thanks – zabumba Oct 27 '14 at 14:57

1 Answer

4

As joelmaranhao points out, this appears to be a thin issue. At the time of his writing, the solution, `--ssl-disable-verify`, was not yet available in thin, but it is now.

Solution: start thin with `--ssl-disable-verify`.

Jelle
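A check for the bundle layout jww describes in the comments (server certificate first, then the intermediate, no CA root), as an added example that is not part of the original thread. It uses Ruby's standard `openssl` library; the certificates are constructed in the script, and the names `make_cert`, `bundle_certs` and `bundle_problems` are hypothetical.

```ruby
require "openssl"

# Build a throwaway certificate for the demo (constructed data, not real certs).
def make_cert(subject, issuer_cert = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Split a PEM bundle into certificates, preserving file order.
def bundle_certs(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Return a list of layout problems; an empty list means leaf-first, no root.
def bundle_problems(pem)
  certs = bundle_certs(pem)
  return ["no certificates found"] if certs.empty?
  problems = []
  certs.each_with_index do |cert, i|
    if cert.subject.to_der == cert.issuer.to_der && cert.verify(cert.public_key)
      problems << "cert #{i} (#{cert.subject}) is a self-signed root; do not send it"
    end
    nxt = certs[i + 1]
    if nxt && !cert.verify(nxt.public_key)
      problems << "cert #{i} is not signed by cert #{i + 1}; check the order"
    end
  end
  problems
end

# Constructed chain standing in for CA root -> intermediate -> server certificate.
ROOT, ROOT_KEY = make_cert("/CN=Constructed Root CA")
INTER, INTER_KEY = make_cert("/CN=Constructed Intermediate CA", ROOT, ROOT_KEY)
LEAF = make_cert("/CN=www.example.test", INTER, INTER_KEY).first

GOOD_BUNDLE = LEAF.to_pem + INTER.to_pem               # server cert + intermediate
WITH_ROOT   = LEAF.to_pem + INTER.to_pem + ROOT.to_pem # same bundle with the CA root appended

puts "good:      #{bundle_problems(GOOD_BUNDLE).inspect}"
puts "with root: #{bundle_problems(WITH_ROOT).inspect}"
```

To check a real file, pass `File.read("./.ssl/sslcert.cert")` to `bundle_problems`.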