fl8 Wiki

この文書は読取専用です。文書のソースを閲覧することは可能ですが、変更はできません。もし変更したい場合は管理者に連絡してください。
====== 2024.01.18 RailsでSSLエラー ======



===== エラー =====

<code>
OpenSSL::SSL::SSLError in RecruitsController#update
SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
</code>

こちらも「unable to get local issuer certifi」になってしまう。
<code>
# openssl s_client -showcerts -host valid-isrgrootx1.letsencrypt.org -port 443
Verification error: unable to get local issuer certificate
</code>


==== 対応 ====

=== rubyが利用しているルート証明書のパス ===

ruby は、/usr/local/ssl/cert.pem を利用していました。
<code|ssl_path.rb>
require 'openssl'
p OpenSSL::X509::DEFAULT_CERT_FILE
</code>

<code>
ruby ssl_path.rb 
"/usr/local/ssl/cert.pem"
</code>

ワンライナーで実行する方法
<code>
ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE"
</code>

しかし対象のパスにルート証明書が存在しない

<code>
# ll /usr/local/ssl/cert.pem
ls: cannot access '/usr/local/ssl/cert.pem': No such file or directory
</code>


これはリンクを張ってあげる

<code>
# ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem  /usr/local/ssl/cert.pem

# ll /usr/local/ssl/cert.pem
lrwxrwxrwx. 1 root root 49 Jan 18 15:13 /usr/local/ssl/cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
</code>

=== なぜかルート証明書も更新できず。 ===


<code>
# yum update ca-certificates
Last metadata expiration check: 0:29:05 ago on Thu Jan 18 14:57:01 2024.
Dependencies resolved.
=========================================================================================================================
 Package                      Architecture        Version                                      Repository           Size
=========================================================================================================================
Upgrading:
 ca-certificates              noarch              2023.2.60_v7.0.306-90.1.el9_2                baseos              835 k

Transaction Summary
=========================================================================================================================
Upgrade  1 Package

Total download size: 835 k
Is this ok [y/N]: y
Downloading Packages:
                                              [===                                     ] ---  B/s |   0  B     --:-- ETA
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: Error downloading packages:
  Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://mirrors.almalinux.org/mirrorlist/9/baseos [error setting certificate file: /etc/pki/tls/certs/ca-bundle.crt]
</code>

これは下記で実行すると解決

<code>
# yum --setopt='sslverify=false' update ca-certificates
</code>

{{tag>日記 openssl ruby}}
fl8 Wiki

ユーザ用ツール

サイト用ツール

ページ用ツール
