Trusting Self-Signed Certificates from Ruby

I use Ruby as my primary general-purpose scripting language, and prefer to use it to automate repetitive / awkward tasks.

But working in a corporate environment, I don't always have the right certs trusted by my Operating System.

Let's say that we have the following code to reach out to an endpoint that knowingly uses a self-signed certificate:

uri = URI.parse('https://keystore.openbanking.org.uk/001580000103UAQAA2/001580000103UAQAA2.jwks')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
data = http.get(uri.request_uri)
p data.to_hash

If the cert is not trusted, we'll receive the following exception:

/usr/lib/ruby/2.6.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) (OpenSSL::SSL::SSLError)
	from /usr/lib/ruby/2.6.0/net/protocol.rb:44:in `ssl_socket_connect'
	from /usr/lib/ruby/2.6.0/net/http.rb:996:in `connect'
	from /usr/lib/ruby/2.6.0/net/http.rb:930:in `do_start'
	from /usr/lib/ruby/2.6.0/net/http.rb:919:in `start'
	from /usr/lib/ruby/2.6.0/net/http.rb:1470:in `request'
	from /usr/lib/ruby/2.6.0/net/http.rb:1228:in `get'
	from http.rb:8:in `<main>'

This doesn't help us do our work, so we have some options to get around the issue.

The most effective solution is following your Operating System's guidelines for installing a certificate globally.

Alternatively, we can use one of the two OpenSSL environment variables to get around it:

env SSL_CERT_DIR=/path/to/certs/folder ruby http.rb
env SSL_CERT_FILE=/path/to/cert.crt ruby http.rb

I've had some difficulty getting SSL_CERT_DIR working, so maybe expect a follow-up post on that.

Update 2019-12-04: I've written up how to get SSL_CERT_DIR working in my blog post Setting up a directory for OpenSSL's `SSL_CERT_DIR.