[jruby-user] Issue: Specifing jruby SSL keystore location

[Chason Choate]

Hello everyone,

I've been having some trouble specifying a custom keystore for use with SSL. I'm creating a local CA and then creating a self-signed cert from that CA. Now I want to be able to start a Jetty server and hit it with jruby. My current issue is I can't seem to get jruby to pick up the local keystore and trust it. I'm hopeful someone has ran into this issue before or can walk me through how to fix it. Below is my test case:

Env:

* CentOS 6.5

* Java 7

* jruby-complete-1.7.12

Steps to reproduce:

* Install this simple jetty server (http://blog.knoldus.com/2013/09/10/configure-ssl-on-jetty-server-to-run-it-with-https/)

* Run the commands to generate the CA and self-signed cert.

* Start the jetty server (should be on 8443)

* Use the following jruby script to contact the jetty server over SSL:

require 'java'

require 'net/https'

host = 'localhost'

path = '/'

puts 'javax.net.ssl.trustStore = ' + java.lang.System.getProperty('javax.net.ssl.trustStore')

puts 'javax.net.ssl.trustStorePassword = ' + java.lang.System.getProperty('javax.net.ssl.trustStorePassword')

https = Net::HTTP.new(host, 8443)

https.use_ssl = true

https.ssl_timeout = 2

https.verify_mode = OpenSSL::SSL::VERIFY_PEER

response = https.request(Net::HTTP::Get.new('/'))

puts response.body

* If everything is working correctly you should see HTML dumped to your terminal.

* Otherwise if there are issues verifying the certificates you'll see an error like: (which is what i'm seeing)

[vagrant@localhost ~]$ java -Djavax.net.ssl.trustStore=~/jetty-hightide-8.1.8.v20121106/etc/certs/keystore -D -Djavax.net.ssl.trustStorePassword=changeit -jar /path/to/jruby-complete-1.7.12.jar local.rb

javax.net.ssl.trustStore = ~/jetty-hightide-8.1.8.v20121106/etc/certs/keystore

javax.net.ssl.trustStorePassword = changeit

OpenSSL::SSL::SSLError: certificate verify failed

   connect at org/jruby/ext/openssl/SSLSocket.java:170

   connect at file:/synthesysserver/lib/jruby-complete-1.7.12.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:799

   timeout at org/jruby/ext/timeout/Timeout.java:104

   connect at file:/synthesysserver/lib/jruby-complete-1.7.12.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:799

  do_start at file:/synthesysserver/lib/jruby-complete-1.7.12.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:755

     start at file:/synthesysserver/lib/jruby-complete-1.7.12.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:744

   request at file:/synthesysserver/lib/jruby-complete-1.7.12.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:1292

    (root) at local.rb:13

--

Thanks,

Chason Choate

[Karol Bucek]

might be a JRuby-OpenSSL regression ... please try gem install jruby-openssl and make sure the installed gem gets loaded as some of the older 1.7.x releases had issues not allowing to override default gems. thus if possible I would upgrade JRuby 1.7.x as well - alternatively wait a few hours and get a freshly baked 1.7.20 :) !

K.