RVM, Rails, AWS, and ‘error was SSL_connect returned=1’ on OSX

November 20th, 2016 Posted in geek out

Failed to login, error was SSL_connect returned=1 errno=0 state=error: certificate verify failed

I have a rails application with the following versions:

$ rvm -v
rvm 1.27.0 (latest) by Wayne E. Seguin , Michal Papis [https://rvm.io/]

$ ruby --version
ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-darwin15]

$ gem list rails
*** LOCAL GEMS ***
..
rails (5.0.0.1)

$ gem list aws
*** LOCAL GEMS ***
aws-sdk (2.6.19)
aws-sdk-core (2.6.19)
aws-sdk-resources (2.6.19)

While running my Rails app and making my first actual service call to AWS, I get:
log_groups = cloudwatch.describe_log_groups
ERROR:
Seahorse::Client::NetworkingError (SSL_connect returned=1 errno=0 state=error: certificate verify failed):

SOLUTION:
Successful Solution:
The cert linked through OpenSSL’s distro wasn’t matching what AWS uses for its API endpoints. This fixes it:


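require 'aws-sdk'
require 'aws-sdk-core'

# Verify TLS against the CA bundle that ships inside the aws-sdk-core gem
# instead of the system OpenSSL cert.pem. Peer verification stays enabled.
Aws.use_bundled_cert! # <---- THAT'S THE FUCKING MAGIC RIGHT THERE
creds = Aws::Credentials.new(@access_key, @secret_key)
cloudwatch_client = Aws::CloudWatchLogs::Client.new(region: session[:default_region], credentials: creds)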

Failed Solution #1:
I tried RVM’s Suggested Solution, but it failed without a good answer:
$ rvm osx-ssl-certs update all
Updating certificates for /System/Library/OpenSSL/cert.pem: Updating certificates in '/System/Library/OpenSSL/cert.pem'.
tee: /System/Library/OpenSSL/cert.pem: Operation not permitted
Failed.
Updating certificates for /etc/openssl/cert.pem: Already up to date.
Updating certificates for /usr/local/etc/openssl/cert.pem: Already up to date.

There is nothing in /System/Library/OpenSSL/cert.pem, and I cannot even edit the file if I sudo, so I gave up on that solution.

Failed Solution #2:
Actually, this partially worked but would not work in production. The cert linked through OpenSSL’s distro wasn’t matching what AWS uses for its API endpoints.

I got AWS’s certificate bundle from:
https://raw.githubusercontent.com/aws/aws-sdk-ruby/master/aws-sdk-core/ca-bundle.crt

require 'aws-sdk'
require 'aws-sdk-core'
Aws.config[:ssl_ca_bundle] = "/full_path_to_my_app/vendor/assets/ca-bundle.crt"
creds = Aws::Credentials.new(@access_key, @secret_key)
cloudwatch = Aws::CloudWatchLogs::Client.new(region: session[:default_region], credentials: creds)
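
What both fixes above rely on, as an added example that is not part of the original post: "certificate verify failed" means the trust store in use lacks the CA that issued the server's certificate, and loading a bundle that contains it makes verification pass without turning verification off. The CA, leaf certificate and hostname below are constructed in memory and stand in for the real AWS chain.

```ruby
require 'openssl'
require 'tempfile'

# Build a certificate; it is a self-signed CA when no issuer is given.
def make_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  constraint = issuer_cert.nil? ? 'CA:TRUE' : 'CA:FALSE'
  cert.add_extension(ef.create_extension('basicConstraints', constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed PKI standing in for "the CA that signed the API endpoint".
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('/CN=Example Constructed Root CA', CA_KEY, 1)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert('/CN=logs.example.test', LEAF_KEY, 2,
                      issuer_cert: CA_CERT, issuer_key: CA_KEY)

# Verify the leaf against a store loaded from a PEM bundle (nil = empty store,
# i.e. a system cert.pem that does not contain the issuing CA).
def verify_against(bundle_path)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path) if bundle_path
  ok = store.verify(LEAF_CERT)
  { ok: ok, error: store.error_string }
end

# Writes the constructed CA to a temporary bundle file, the same role the
# ssl_ca_bundle path plays above, and compares both outcomes.
def demo
  Tempfile.create(['ca-bundle', '.crt']) do |f|
    f.write(CA_CERT.to_pem)
    f.flush
    { stale_store: verify_against(nil), with_bundle: verify_against(f.path) }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```
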
