[jruby-user] Issue: Specifying jruby SSL keystore location

Chason Choate

May 1, 2015, 11:43:40 AM
to us...@jruby.codehaus.org
Hello everyone,

I've been having some trouble specifying a custom keystore for use with SSL. I'm creating a local CA and then creating a self-signed cert from that CA. Now I want to be able to start a Jetty server and hit it with jruby. My current issue is I can't seem to get jruby to pick up the local keystore and trust it. I'm hopeful someone has run into this issue before or can walk me through how to fix it. Below is my test case:

Env:

* CentOS 6.5
* Java 7
* jruby-complete-1.7.12

Steps to reproduce:

* Run the commands to generate the CA and self-signed cert.
* Start the jetty server (should be on 8443)
* Use the following jruby script to contact the jetty server over SSL:

require 'java'
require 'net/https'
host = 'localhost'
path = '/'

puts 'javax.net.ssl.trustStore = ' + java.lang.System.getProperty('javax.net.ssl.trustStore').to_s
puts 'javax.net.ssl.trustStorePassword = ' + java.lang.System.getProperty('javax.net.ssl.trustStorePassword').to_s

https = Net::HTTP.new(host, 8443)
https.use_ssl = true
https.ssl_timeout = 2
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
response = https.request(Net::HTTP::Get.new('/'))
puts response.body

* If everything is working correctly you should see HTML dumped to your terminal.
* Otherwise, if there are issues verifying the certificates, you'll see an error like this (which is what I'm seeing):

[vagrant@localhost ~]$ java -Djavax.net.ssl.trustStore=~/jetty-hightide-8.1.8.v20121106/etc/certs/keystore -D -Djavax.net.ssl.trustStorePassword=changeit -jar /path/to/jruby-complete-1.7.12.jar local.rb
javax.net.ssl.trustStore = ~/jetty-hightide-8.1.8.v20121106/etc/certs/keystore
javax.net.ssl.trustStorePassword = changeit
OpenSSL::SSL::SSLError: certificate verify failed
   connect at org/jruby/ext/openssl/SSLSocket.java:170
   connect at file:/synthesysserver/lib/jruby-complete-1.7.12.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:799
   timeout at org/jruby/ext/timeout/Timeout.java:104
   connect at file:/synthesysserver/lib/jruby-complete-1.7.12.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:799
  do_start at file:/synthesysserver/lib/jruby-complete-1.7.12.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:755
     start at file:/synthesysserver/lib/jruby-complete-1.7.12.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:744
   request at file:/synthesysserver/lib/jruby-complete-1.7.12.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:1292
    (root) at local.rb:13


--
Thanks,
Chason Choate

Karol Bucek

May 5, 2015, 3:42:10 AM
to us...@jruby.codehaus.org

Might be a JRuby-OpenSSL regression ... please try gem install jruby-openssl and make sure the installed gem gets loaded, as some of the older 1.7.x releases had issues that did not allow overriding default gems. Thus, if possible, I would upgrade JRuby 1.7.x as well - alternatively, wait a few hours and get a freshly baked 1.7.20 :) !

K.
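
An added example, not part of the thread and not code from JRuby or jruby-openssl: it shows the check behind `OpenSSL::SSL::VERIFY_PEER` in isolation, verifying a leaf certificate against an explicit `OpenSSL::X509::Store` that holds the issuing CA, an unrelated CA, or nothing. The certificates, subjects and helper names (`make_cert`, `verify_with`, `trust_demo`) are constructed for illustration.

```ruby
require 'openssl'

# Build a certificate for `subject`; self-signed unless an issuer is given.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify `leaf` against a store holding only `anchors`; returns [ok, reason].
def verify_with(anchors, leaf)
  store = OpenSSL::X509::Store.new
  anchors.each { |c| store.add_cert(c) }
  [store.verify(leaf), store.error_string]
end

# Constructed material: a local CA, an unrelated CA, and a leaf for localhost.
def trust_demo
  ca_key, other_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca    = make_cert('/CN=Constructed Local CA', ca_key, ca: true)
  other = make_cert('/CN=Constructed Unrelated CA', other_key, ca: true, serial: 2)
  leaf  = make_cert('/CN=localhost', leaf_key, issuer: ca, issuer_key: ca_key, serial: 3)
  { local_ca: verify_with([ca], leaf),
    unrelated_ca: verify_with([other], leaf),
    empty_store: verify_with([], leaf) }
end

if __FILE__ == $PROGRAM_NAME
  trust_demo.each do |name, (ok, reason)|
    puts format('%-13s ok=%-5s %s', name, ok, reason)
  end
end
```

`Net::HTTP` accepts such a store through `cert_store=`, or a CA PEM file through `ca_file=`, which makes the trust anchors explicit in the script itself.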