Trusting Self-Signed Certificates from Ruby
I use Ruby as my primary general-purpose scripting language, and prefer to use it to automate repetitive / awkward tasks.
But working in a corporate environment, I don't always have the right certs trusted by my Operating System.
Let's say that we have the following code to reach out to an endpoint that knowingly uses a self-signed certificate:
uri = URI.parse('https://keystore.openbanking.org.uk/001580000103UAQAA2/001580000103UAQAA2.jwks')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
data = http.get(uri.request_uri)
p data.to_hash
If the cert is not trusted, we'll receive the following exception:
/usr/lib/ruby/2.6.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) (OpenSSL::SSL::SSLError)
from /usr/lib/ruby/2.6.0/net/protocol.rb:44:in `ssl_socket_connect'
from /usr/lib/ruby/2.6.0/net/http.rb:996:in `connect'
from /usr/lib/ruby/2.6.0/net/http.rb:930:in `do_start'
from /usr/lib/ruby/2.6.0/net/http.rb:919:in `start'
from /usr/lib/ruby/2.6.0/net/http.rb:1470:in `request'
from /usr/lib/ruby/2.6.0/net/http.rb:1228:in `get'
from http.rb:8:in `<main>'
This doesn't help us do our work, so we have some options to get around the issue.
The most effective solution is following your Operating System's guidelines for installing a certificate globally.
Alternatively, we can use one of the two OpenSSL environment variables to get around it:
env SSL_CERT_DIR=/path/to/certs/folder ruby http.rb
env SSL_CERT_FILE=/path/to/cert.crt ruby http.rb
I've had some difficulty getting SSL_CERT_DIR
working, so maybe expect a follow-up post on that.
Update 2019-12-04: I've written up how to get SSL_CERT_DIR
working in my blog post Setting up a directory for OpenSSL's `SSL_CERT_DIR.