SSL errors out of the blue


Chris McCann

May 29, 2015, 11:14:42 PM
to sdr...@googlegroups.com
SD Ruby,

A Rails app I've had in production for over 7 years developed an odd problem on Thursday.  This change was not preceded by any code or server changes within the past few weeks.

It's a Rails 2.3 app running on Ruby 1.8.7 (yes, it's old, and I've been working on upgrading it for months).  It runs on Ubuntu 10.04.4 LTS (I know, also old, and being upgraded).

It uses ActiveMerchant to process credit card payments via the Authorize.net gateway.  This bit has worked essentially flawlessly for over 5 years.

This past Thursday my client tried to process a credit card payment and the app threw an error:

A OpenSSL::SSL::SSLError occurred in credit_card_payments#create:

    SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

    /usr/local/rvm/rubies/ruby-1.8.7-p352/lib/ruby/1.8/net/http.rb:586:in `connect'

Of course, this happened while I was on an airplane, and more ironically, flying to San Antonio to see my client.

Frantic Googling at 41,000 feet brought me to this:  http://mislav.uniqpath.com/2013/07/ruby-openssl/

One of the suggestions in the mislav article is to do a CA certificate upgrade via apt-get (sounds of ominous bass notes in the background).  Since the Ubuntu distro I have been using has been "end-of-lifed" (EOL'd), I cannot update the CA certificates on the distro, though all of the other checks indicate this isn't an issue.

Also mentioned in that article is the "doctor.rb" script to check things, and it reported all was "OK".

I contacted our SSL provider, RapidSSL, and they verified that our SSL certificate, and the others in the cert chain, were valid and installed correctly.

I have reached out to Authorize.net to ask them if anything changed on their end but haven't heard back yet.

My plea to SD Ruby: has anyone else encountered something like this?  I'm at a loss as to what the cause might be or how to fix it, short of the long-delayed upgrade to Rails 4 and a new Linux distro.

Thanks,

Chris

James Miller

May 29, 2015, 11:25:04 PM
to sdr...@googlegroups.com
Authorize.net disabled SSLv3 sometime recently. You'll need to upgrade whatever you're using to use TLS. Perhaps ActiveMerchant has an update that takes care of it...

--
--
SD Ruby mailing list
sdr...@googlegroups.com
http://groups.google.com/group/sdruby
---
You received this message because you are subscribed to the Google Groups "SD Ruby" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sdruby+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Chris McCann

May 29, 2015, 11:31:04 PM
to sdr...@googlegroups.com
Thanks, Bensie, I'll look into that. 


Rob Kaufman

May 30, 2015, 12:36:56 AM
to sdr...@googlegroups.com, sdr...@googlegroups.com
It comes down to trying to disable SSLv3. It's frankly pretty difficult in 1.8.7. You'll need to dig in to which http library you need to get started. If it is http.rb, get ready to patch your own Ruby. Here is a place to get started. 

https://www.ruby-lang.org/en/news/2014/10/27/changing-default-settings-of-ext-openssl/

I know it's not exciting, but you can upgrade a 2.3 app to 1.9.3. It's worth doing even before you try and tackle the much bigger rails update.  


Chris McCann

May 30, 2015, 12:46:25 AM
to sdr...@googlegroups.com
Thanks, Rob.  I did in fact spend about 4 hours last night trying to upgrade my Rails 2.3 app to Ruby 1.9.3.  I ran into obstacle after obstacle and was finally halted by an inability to get Rails 2.3 to talk to MySQL 5.5+.  

Has anyone else cracked that nut?

Chris


Brian

May 31, 2015, 12:09:52 AM
to sdr...@googlegroups.com
I had the same issue with authorize.net and was able to resolve it by updating the cacerts for activemerchant gem and restarting rails.  

gem env #find path to gems
[root@ip-172-30-0-131 inumbr]# cd  /usr/lib64/ruby/gems/1.8/gems/activemerchant-1.4.2/
[root@ip-172-30-0-131 activemerchant-1.4.2]# cd lib/certs/
[root@ip-172-30-0-131 certs]# ls
cacert.pem
[root@ip-172-30-0-131 certs]# mv cacert.pem cacert.pem.old
[root@ip-172-30-0-131 certs]# wget http://curl.haxx.se/ca/cacert.pem
2015-05-29 06:58:53 (548 KB/s) - ‘cacert.pem’ saved [258424/258424]
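
Added example (not part of Brian's post or of ActiveMerchant's code): "certificate verify failed" is a trust-store failure, and a client that loads its own bundled cacert.pem ignores the OS store, so system-level checks can pass while the gem still rejects the server. The sketch assumes the server's chain ends at a root that is missing from the older bundle; every certificate, key and name in it is constructed.

```ruby
require "openssl"
require "tempfile"

# Build a throwaway certificate. All names and keys are constructed for this
# example; nothing here refers to a real CA or payment gateway.
def make_cert(cn, key, issuer_cert = nil, issuer_key = nil, ca = false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1 << 32) + 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign" : "digitalSignature", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify `leaf` the way a client pinned to one PEM bundle file does: only the
# certificates in that file are trust anchors, never the OS store.
def verifies_against?(leaf, bundle_pem)
  Tempfile.create("cacert") do |f|
    f.write(bundle_pem)
    f.flush
    store = OpenSSL::X509::Store.new
    store.add_file(f.path)
    store.verify(leaf)
  end
end

# Hypothetical scenario: the server certificate is issued under a newer root.
def bundle_demo
  old_key, new_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  old_root = make_cert("Constructed Old Root", old_key, nil, nil, true)
  new_root = make_cert("Constructed New Root", new_key, nil, nil, true)
  leaf = make_cert("gateway.example.test", leaf_key, new_root, new_key)
  stale_bundle = old_root.to_pem                   # what an old gem ships
  fresh_bundle = old_root.to_pem + new_root.to_pem # after replacing cacert.pem
  { :stale => verifies_against?(leaf, stale_bundle),
    :fresh => verifies_against?(leaf, fresh_bundle) }
end

p bundle_demo
```

A replacement bundle becomes the client's entire set of trust anchors, so fetch it over an authenticated channel or compare it against a published checksum before swapping it in.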

Chris McCann

May 31, 2015, 12:54:18 AM
to sdr...@googlegroups.com
Brian,

DUDE!  All your beers at SD Ruby are on me for the rest of this year.  You just saved my bacon big time - thanks so much for the tip.  That worked like a charm.

How did you come across this fix?

Cheers,

Chris

Brian

Jun 1, 2015, 5:27:28 AM
to sdr...@googlegroups.com
Glad to hear it worked for you too.  I was tipped off by an issue opened in the active_merchant repo: https://github.com/Shopify/active_merchant/issues/1643

Chris McCann

Jun 1, 2015, 12:14:49 PM
to sdr...@googlegroups.com
Thanks for the point-out.   Once again, how you ask the question on Google determines what you get for answers. 

Note to anyone else encountering a situation like this:  if I google "ActiveMerchant SSL_connect" the Github link Brian referenced is the very first search result.  

In my somewhat frantic searching it didn't occur to me to try a variety of terms around the issue, and had I done so, I most likely would have found this.  The main players in this problem were Rails, SSL, ActiveMerchant, SSLv3, etc. -- I should have tried many combinations of those terms.

Lastly, this app was started over 8 years ago and has not gotten the attention it needed in terms of Rails, Ruby, and gem version upgrades.  I did manage to upgrade it to Rails 2.3 several years ago but that's as far as I got.  Looking back, even an upgrade to ruby 1.9.3 might have prevented this.  

Try to keep your apps and other major dependencies at least near the current major release.  An ounce of prevention here is worth hundreds of pounds of cure later -- and reduces cranial bruising significantly!

Cheers,

Chris

Ylan Segal

Jun 1, 2015, 12:22:14 PM
to sdr...@googlegroups.com
Chris,

I agree wholeheartedly. A few months ago I was thinking along the same lines and wrote a blog post about stagnation in old projects:

http://ylan.segal-family.com/blog/2015/01/05/stagnation/


Ylan Segal
yl...@segal-family.com

Chris McCann

Jun 1, 2015, 1:13:57 PM
to sdr...@googlegroups.com
Ylan,

You sure hit the nail on the head with your blog post -- well said, my friend!  I am living proof that pretty much everything you said is spot-on.

Chris