1

Two days ago, I started seeing this error on the production server of my app (on staging everything works fine). I found a lot of topics here on SO, but none of them solved this issue for me.

Here's the piece of code that's causing this error message:

  @client = Savon.client(wsdl: wsdl_url)
  #@client = Savon.client(wsdl: wsdl_url, ssl_verify_mode: :none) # this solves the problem, but I don't want to skip the verification

On SO, I also found that a possible solution might be to create an initializer file and put there the following:

require 'open-uri'
require 'net/https'

module Net
  class HTTP
    alias_method :original_use_ssl=, :use_ssl=

    def use_ssl=(flag)
      #self.ca_path = Rails.root.join('lib/ca-bundle.crt').to_s
      self.ssl_version = :TLSv1_2 # added
      self.ca_file = '/etc/ssl/certs/ca-certificates.crt' # the file exists
      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
      self.original_use_ssl = flag
    end
  end
end

But this, unfortunately, didn't solve the error. I also tried to reinstall the certificate on the production Ubuntu (14.04) server:

sudo apt-get install openssl ca-certificates

The package has been upgraded, but the error is unfortunately still here.

Any tips on what else I could do to get rid of the error?

EDIT: How or where should I start debugging?

user984621
  • I would suggest that you examine the server certificate with OpenSSL CLI tools like so: `openssl s_client -connect example.com:443`. The certificate of the host you are connecting to might actually be invalid (i.e., expired). – eyevan Mar 07 '18 at 10:42

2 Answers

0

I also started getting this error a few days ago.

Removing geocoder fixed the issue.

Per Heroku support, sometimes these errors occur when an external provider changes their SSL configuration.

Reply to comment:

Nothing in logs specifically saying geocoder, but I saw in my error reports (via exception notifier gem) that the app crashed, with this error, on lines making a request to geocoder.

I also had a callback on the users model, and noticed the app crashed anytime a user was saved/updated.

Lucky guess I suppose.

tim_xyz
0

Run `openssl s_client -showcerts -connect server_you_are_connecting_to.com:443` and examine the certificate. After this you should find yourself in one of the following situations:

  1. The certificate is valid (has a valid expiry date and common name), but it is signed by a certificate authority (CA) that isn't trusted by your system. If that's the case, you would need to add the CA's certificate to the trusted store or update the ca-bundle package on your system.

  2. The certificate is invalid (is expired or has the wrong common name). If disabling peer SSL certificate verification isn't an option for you, then you can implement your own certificate verification callback, for example as described here -- in this case the code wouldn't rely on the system's trusted store, but would rather check that the peer server uses a specific certificate.

Hope this helps.

eyevan
  • Thanks - I ran the command and it doesn't show me any certificates - this is the output: `gethostbyname failure connect:errno=0` – user984621 Mar 08 '18 at 20:44
  • @user984621 seems like a network issue and not an SSL issue. Are you sure you are using the correct hostname in the command? – eyevan Mar 08 '18 at 21:13
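
Added example (not part of the thread or of any poster's code): a Ruby check that separates the two situations from the answer above, an untrusted CA versus an expired or wrongly named certificate, using the same OpenSSL library that Net::HTTP and Savon verify with. The helper names `diagnose`, `issue` and `demo`, the host `api.example.test` and all certificates are constructed for illustration and generated in memory.

```ruby
require 'openssl'

# X509 verify errors that mean "issuer is not in the trust store" (situation 1).
UNTRUSTED = %w[UNABLE_TO_GET_ISSUER_CERT UNABLE_TO_GET_ISSUER_CERT_LOCALLY
               UNABLE_TO_VERIFY_LEAF_SIGNATURE DEPTH_ZERO_SELF_SIGNED_CERT
               SELF_SIGNED_CERT_IN_CHAIN].map { |n| OpenSSL::X509.const_get("V_ERR_#{n}") }

# Returns the reasons `cert` would be rejected for `host` against `store`.
def diagnose(cert, host, store)
  problems = []
  problems << :expired if Time.now > cert.not_after
  problems << :not_yet_valid if Time.now < cert.not_before
  problems << :hostname_mismatch unless OpenSSL::SSL.verify_certificate_identity(cert, host)
  problems << :untrusted_ca if !store.verify(cert) && UNTRUSTED.include?(store.error)
  problems
end

# Constructed test material: issues a throwaway certificate in memory.
def issue(cn, key, ca_cert = nil, ca_key = key, not_after: Time.now + 3600)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert ? ca_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 7200
  cert.not_after = not_after
  unless ca_cert # self-signed root: mark it as a CA so chains can end at it
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# Runs one certificate per failure mode against a store that trusts only `ca`.
def demo
  ca_key, rogue_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca    = issue('Constructed Trusted CA', ca_key)
  rogue = issue('Constructed Unknown CA', rogue_key)
  store = OpenSSL::X509::Store.new.add_cert(ca) # stands in for ca-certificates.crt
  host  = 'api.example.test'
  { ok:         diagnose(issue(host, leaf_key, ca, ca_key), host, store),
    expired:    diagnose(issue(host, leaf_key, ca, ca_key, not_after: Time.now - 60), host, store),
    wrong_name: diagnose(issue('other.example.test', leaf_key, ca, ca_key), host, store),
    untrusted:  diagnose(issue(host, leaf_key, rogue, rogue_key), host, store) }
end

p demo if $PROGRAM_NAME == __FILE__
```

To run the same check against a real endpoint, load the production bundle with `store.add_file('/etc/ssl/certs/ca-certificates.crt')` and pass the PEM certificate saved from the `openssl s_client -showcerts` output to `diagnose`.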