SSL_connect error

[Donovan Neethling Snr]

Hi 

I am a new to this and I hope to find some guidance in this forum :)

Running: 

Windows 7

ruby 2.3.3p222 (2016-11-21 revision 56859) [x64-mingw32]

*** LOCAL GEMS ***

aws-sdk (2.9.20)

aws-sdk-core (2.9.20)

aws-sdk-resources (2.9.20)

aws-sigv4 (1.0.0)

bigdecimal (1.2.8)

did_you_mean (1.0.0)

io-console (0.4.5)

jmespath (1.3.1)

json (1.8.3)

minitest (5.8.5)

net-telnet (0.1.1)

power_assert (0.2.6)

psych (2.1.0)

rake (10.4.2)

rdoc (4.2.1)

test-unit (3.1.5)

I am busy with the AWS  Ruby-SDK tutorial

The code that I am running looks as follows:

require 'aws-sdk'


s3 = Aws::S3::Resource.new(region: 'us-west-2', access_key_id: 'A9A9A9A9A9AAA9A9AA9Q', secret_access_key: '0howrZ/cDagc21Z6SU43I1j+6rpjYtuA1geGnANk')


s3.buckets.limit(50).each do |b|
  puts "#{b.name}"
end

When I run this I encounter the following:

C:/Ruby23-x64/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (Seahorse::Client::NetworkingError)

        from C:/Ruby23-x64/lib/ruby/2.3.0/net/http.rb:933:in `connect'

        from C:/Ruby23-x64/lib/ruby/2.3.0/net/http.rb:863:in `do_start'

        from C:/Ruby23-x64/lib/ruby/2.3.0/net/http.rb:858:in `start'

        from C:/Ruby23-x64/lib/ruby/2.3.0/delegate.rb:83:in `method_missing'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/seahorse/client/net_http/connection_pool.rb:285:in `start_session'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/seahorse/client/net_http/connection_pool.rb:92:in `session_for'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/seahorse/client/net_http/handler.rb:119:in `session'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/seahorse/client/net_http/handler.rb:71:in `transmit'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/seahorse/client/net_http/handler.rb:45:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/seahorse/client/plugins/content_length.rb:12:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/s3_request_signer.rb:88:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/s3_request_signer.rb:23:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/xml/error_handler.rb:8:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/helpful_socket_errors.rb:10:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/s3_request_signer.rb:65:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/s3_redirects.rb:15:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/retry_errors.rb:88:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/retry_errors.rb:119:in `retry_request'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/retry_errors.rb:102:in `retry_if_possible'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/retry_errors.rb:90:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/retry_errors.rb:119:in `retry_request'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/retry_errors.rb:102:in `retry_if_possible'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/retry_errors.rb:90:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/retry_errors.rb:119:in `retry_request'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/retry_errors.rb:102:in `retry_if_possible'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/retry_errors.rb:90:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/s3_dualstack.rb:32:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/s3_md5s.rb:31:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/s3_expect_100_continue.rb:21:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/s3_bucket_name_restrictions.rb:12:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/s3_bucket_dns.rb:31:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/rest/handler.rb:7:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/user_agent.rb:12:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/seahorse/client/plugins/endpoint.rb:41:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/param_validator.rb:21:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/seahorse/client/plugins/raise_response_errors.rb:14:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/s3_sse_cpk.rb:19:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/s3_dualstack.rb:24:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:20:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/idempotency_token.rb:18:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/param_converter.rb:20:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/aws-sdk-core/plugins/response_paging.rb:26:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/seahorse/client/plugins/response_target.rb:21:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/seahorse/client/request.rb:70:in `send_request'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-core-2.9.20/lib/seahorse/client/base.rb:207:in `block (2 levels) in define_operation_methods'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-resources-2.9.20/lib/aws-sdk-resources/request.rb:24:in `call'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-resources-2.9.20/lib/aws-sdk-resources/operations.rb:139:in `all_batches'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-resources-2.9.20/lib/aws-sdk-resources/operations.rb:151:in `limited_batches'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-resources-2.9.20/lib/aws-sdk-resources/collection.rb:18:in `each'

        from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/aws-sdk-resources-2.9.20/lib/aws-sdk-resources/collection.rb:18:in `each'

        from buckets.rb:5:in `<main>'

However, when I do the same on a CentOs machine, everything works.

I am also able to use the AWS CLI

Any advise will be appreciated

Don

[Carsten Bormann]

Hi Don,

rubyinstaller ships with a non-working TLS (vulgo SSL) and everybody seems to think that is fine.

Well, maybe not quite that, but everybody who could fix this thinks that somebody else should fix this.

(And maybe they are all very much in the right about that, but that doesn't help.)

So it stays unfixed.

The underlying problem is that OpenSSL assumes that your OS distribution will provide a set of cert roots in the form of files that OpenSSL can directly use.  That is probably a reasonable assumption.

Windows of course doesn't come with such files.  It has its own cert root store that can be programmatically accessed.  (OpenSSL just doesn't, and, again, I think that is reasonable.)

Ruby links in OpenSSL in a way that assumes a fixed path towards those cert root files.  Absolutely reasonable for Linux.  Broken for Windows, of course.  You are supposed to procure your own cert root files to make Ruby work under WIndows.

Rubyinstaller doesn't.  Reasonably, they have decided that they are not in the business of providing cert roots.  (That is a complicated and politically charged thing, so I don't blame them.). Also, they don't think they should be fixing what is a bug in Ruby's Windows support: The fixed path name pointing to those cert root files.

Nobody seems to have written code to milk the Windows cert root store and produce the files that OpenSSL needs.

But even if there were code for that, it wouldn't be clear where to put those files.

If you think this is all a Kafkaesque nightmare, I don't blame you either.

The best workaround I have found so far is the "certified" gem.   Install that and require 'certified'; then you get cert root files that are two years outdated.  Better (but also less secure) than nothing.  And you can even update them from the command line to something slightly less outdated.  (Well, this does not work for out-of-the box experiences.)

Grüße, Carsten

[Lars Kanis]

Hi Carsten,

the situation has changed with RubyInstaller-2.4.1. It ships a default certificate list. See https://github.com/oneclick/rubyinstaller2/blob/master/resources/ssl/README-SSL.md

--

Kind Regards,

Lars

[Carsten Bormann]

On Jun 2, 2017, at 23:14, Lars Kanis <la...@greiz-reinsdorf.de> wrote:
>
> Hi Carsten,
>
> the situation has changed with RubyInstaller-2.4.1. It ships a default certificate list. See https://github.com/oneclick/rubyinstaller2/blob/master/resources/ssl/README-SSL.md

This is amazing!

Thank you.

So the advice for Don should be to just upgrade to 2.4.1. I’d like to know whether that solves the problem for him.

Grüße, Carsten

[Carsten Bormann]

 Hmm, the Rubyinstaller downloads page recommends installing Ruby 2.2.  This means that people are likely to still run into the issue.

What is the reason for that nostalgia?  It's not like newer releases are deteriorating, and at least a current 2.n.1 should be unconditionally recommended.

Grüße, Carsten

[Luis Lavena]

On Thursday, June 8, 2017 at 4:01:31 PM UTC-4, Carsten Bormann wrote:

 Hmm, the Rubyinstaller downloads page recommends installing Ruby 2.2.  This means that people are likely to still run into the issue.

What is the reason for that nostalgia?  It's not like newer releases are deteriorating, and at least a current 2.n.1 should be unconditionally recommended.

Site code has been recently ported and migrated to a more manageable environment. You can find the nostalgia bit here:

https://github.com/oneclick/rubyinstaller.org-website/blob/master/_includes/download_hints.markdown

If you have a GitHub account, you can send a pull request to modify the current copy.

Cheers.

Luis Lavena