Getting "SSL_connect returned = 1 errno = 0 state = error: certificate verification failed" when connecting to S3

Question

Getting "SSL_connect returned = 1 errno = 0 state = error: certificate verification failed" when connecting to S3

I am trying to upload a photo to my AWS bucket, but have encountered the error mentioned in the header. I understand that this is most likely due to my OpenSSL certificates, but any proposed solution that I tried has still failed.

I ran into this problem with ruby 2.3.1, Rails 4.1.8, aws-sdk-core 2.3.4 and 0.11.0 carrier-carrier on OSX Yosemite.

I also tried everything available in this similar problem, like the others (this is one from Windows): https://github.com/aws/aws-sdk-core-ruby/issues/166#issuecomment-111603660

Here are some of my files:

carrierwave.rb

CarrierWave.configure do |config|                     # required
  config.aws_credentials = {
    access_key_id:     Rails.application.secrets.aws_access_key_id, # required
    secret_access_key: Rails.application.secrets.aws_access_key,    # required
    region:            'eu-west-2'                  # optional, defaults to 'us-east-1'
  }

  config.aws_bucket = Rails.application.secrets.aws_bucket                        # required
  config.fog_attributes = { 'Cache-Control' => "max-age=#{365.day.to_i}" } # optional, defaults to {}
end

avatar_uploader.rb

class AvatarUploader < CarrierWave::Uploader::Base

  storage :aws

  def store_dir
    "uploads/#{model.class.to_s.underscore}/#{mounted_as}/#{model.id}"
  end
end

EDIT (more):

stack trace:

    Seahorse::Client::NetworkingError - SSL_connect returned=1 errno=0 state=error: certificate verify failed:
  /Users/stevenharlow/.rbenv/versions/2.3.1/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock'
  /Users/stevenharlow/.rbenv/versions/2.3.1/lib/ruby/2.3.0/net/http.rb:933:in `connect'
  /Users/stevenharlow/.rbenv/versions/2.3.1/lib/ruby/2.3.0/net/http.rb:863:in `do_start'
  /Users/stevenharlow/.rbenv/versions/2.3.1/lib/ruby/2.3.0/net/http.rb:858:in `start'
  /Users/stevenharlow/.rbenv/versions/2.3.1/lib/ruby/2.3.0/delegate.rb:83:in `method_missing'
  aws-sdk-core (2.3.4) lib/seahorse/client/net_http/connection_pool.rb:292:in `start_session'
  aws-sdk-core (2.3.4) lib/seahorse/client/net_http/connection_pool.rb:104:in `session_for'
  aws-sdk-core (2.3.4) lib/seahorse/client/net_http/handler.rb:109:in `session'

Solutions tried:

Aws.use_bundled_cert!
Fog carrierwave-aws
ruby rbenv

CONNECTED(00000003)
depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3-us-west-2.amazonaws.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---

<certificate info>

No client certificate CA names sent
---
SSL handshake has read 2703 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: <session-id>
    Session-ID-ctx: 
    Master-Key: <master-key>
    Key-Arg   : None
    Start Time: 1463697130
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

+4

ruby-on-rails ssl amazon-web-services ssl-certificate

Steven Harlow 16 '16 15:13

3

Ruby-, AWS SDK .. . Ruby SDK. , , OpenSSL : / CA cert OpenSSL. , . .

OpenSSL, . Ruby 2.3.1/lib/ruby /2.3.0/net/http.rb. , OpenSSL.

openssl s_client :

depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2
verify error:num=20:unable to get local issuer certificate

Verify return code: 0 (ok) CA DigiCert Baltimore CA-2 s-client openssl, .

CA DigiCert Baltimore CA-2 CA OpenSSL . OpenSSL. , PEM, ca-certificate.crt certs.exe, SSL_CERT_FILE.

. , openssl s_client . , . OpenSSL CA cert, , .

+3

Rodrigo M 20 '16 2:15

Try using these gems and this setting :

Gemfile

gem "carrierwave", "~> 0.11.0"
gem 'carrierwave-aws', "~> 1.0.1"
gem "unf", "~> 0.1.4"

configurations /carrierwave.rb

require 'carrierwave'
require 'carrierwave/orm/activerecord'

  CarrierWave.configure do |config|
     config.storage    =  :aws                  # required
     config.aws_bucket =  Rails.application.secrets.aws_bucket       # required
     config.aws_acl    =  :public_read
     config.aws_credentials = {
         access_key_id:      Rails.application.secrets.aws_access_key_id,       # required
         secret_access_key:  Rails.application.secrets.aws_access_key     # required
     }
     config.aws_attributes = { 
         cache_control: 'max-age=31536000',
         expires: 1.year.from_now.httpdate
     }
  end

* _ uploader.rb

storage :aws

def store_dir
  "uploads/#{model.class.to_s.underscore}/#{mounted_as}/#{model.id}"
end

# Use Heroku temp folder for uploads
def cache_dir
  "#{Rails.root}/tmp/uploads"
end

0

blnc May 20, '16 at 1:27

source share

BoraMa · Accepted Answer · 2016-05-20T18:41:45+0000

@RodrigoM . , :

openssl , Amazon ...
... , Aws.use_bundled_cert! . , ruby openssl CA aws-sdk-core gem CA , , 2 . CA CN=DigiCert Baltimore CA-2 G2 8 2015 ., , CA .

:

CA, , CA (CN=Baltimore CyberTrust Root), openssl trusted certs store. s_client. , ruby-. , OSX, SO.
, aws-sdk-ruby gem, ca-bundle.crt , CA ( CA ). :
- CA DigicertCA ( , )
- PEM ( DER) , openssl:
```
openssl x509 -in DigiCertBaltimoreCA-2G2.crt -inform DER >> ca-bundle.crt
```
  , ca-bundle.crt CA .
- Aws.use_bundled_cert! !
- , , github aws-sdk-ruby, ...

Getting "SSL_connect returned = 1 errno = 0 state = error: certificate verification failed" when connecting to S3

More articles: