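A few days ago I was building a Ruby application that had to use OpenSSL to access a web page. It kept failing to connect to the site https://regex.alf.nu, so I went to Stack Overflow, and after a lot of research I concluded that my OpenSSL, at version 0.9.8zc, was out of date. I made the suggested changes (details provided below), after which my application was able to read the text of that site.
Today I discovered that ever since I made those changes (starting Sunday, April 12 at 08:00:01), my system has been generating an error mail message nearly every hour. Here is the body of the most recent mail: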
From SamShiffman@Samuels-MBP.PK5001Z Thu Apr 16 12:00:01 2015
X-Original-To: SamShiffman
Delivered-To: SamShiffman@Samuels-MBP.PK5001Z
From: SamShiffman@Samuels-MBP.PK5001Z (Cron Daemon)
To: SamShiffman@Samuels-MBP.PK5001Z
Subject: Cron <SamShiffman@Samuels-MBP> /usr/local/Cellar/openssl-osx-ca/1.0.4/bin/openssl-osx-ca /usr/local/bin/brew
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=SamShiffman>
X-Cron-Env: <USER=SamShiffman>
X-Cron-Env: <HOME=/Users/SamShiffman>
Date: Thu, 16 Apr 2015 12:00:01 -0700 (PDT)
Usage error; try -help.
rehash failed to verify, something is wrong
check /tmp/openssl-osx-ca.f9SEDVyI/cert.pem for problems
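I haven't noticed any negative effects on my MBP, but I'm a bit worried that I may still have "broken" something when I made these OpenSSL updates the other day. As far as I can tell, the cron daemon error mails started after I ran these commands: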
$ rvm osx-ssl-certs status all
>Certificates for /etc/openssl/cert.pem: Old.
>Certificates for /usr/local/etc/openssl/cert.pem: Up to date.
$ rvm osx-ssl-certs update all
> Updating certificates for /etc/openssl/cert.pem: Updating certificates in '/etc/openssl/cert.pem'.
> Updated.
> Updating certificates for /usr/local/etc/openssl/cert.pem: Already up to date.
After this I still could not connect to the site mentioned above. After more research, I found a Stack Overflow post that mentioned a possible fix tool. I ran:
$ brew tap raggi/ale
$ brew install openssl-osx-ca
>==> Installing openssl-osx-ca from raggi/homebrew-ale
>==> Downloading https://github.com/raggi/openssl-osx-ca/archive/1.0.4.tar.gz
>######################################################################## 100.0%
>==> make install PREFIX='/usr/local/Cellar/openssl-osx-ca/1.0.4' BREW='/usr/loca
==> Caveats
>To uninstall remove the openssl-osx-ca line from your crontab. e.g.
> (crontab -l | grep -v openssl-osx-ca) | crontab -
>==> Summary
>🍺 /usr/local/Cellar/openssl-osx-ca/1.0.4: 4 files, 16K, built in 2 seconds
$ git clone https://github.com/mislav/ssl-tools.git
$ brew link openssl --force
Linking /usr/local/Cellar/openssl/1.0.2a-1... 1543 symlinks created
$ brew install curl-ca-bundle
Error: No available formula for curl-ca-bundle
Searching formulae...
Searching taps...
$ ruby ssl-tools/doctor.rb
/Users/SamShiffman/.rvm/rubies/ruby-2.0.0-p598/bin/ruby (2.0.0-p598)
OpenSSL 1.0.2a 19 Mar 2015: /usr/local/etc/openssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""
HEAD https://status.github.com:443
/Users/SamShiffman/.rvm/rubies/ruby-2.0.0-p598/lib/ruby/2.0.0/openssl/buffering.rb:175:in `sysread_nonblock': end of file reached (EOFError)
$ ruby ssl-tools/doctor.rb 'regex.alf.nu'
/Users/SamShiffman/.rvm/rubies/ruby-2.0.0-p598/bin/ruby (2.0.0-p598)
OpenSSL 1.0.2a 19 Mar 2015: /usr/local/etc/openssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""
HEAD https://regex.alf.nu:443
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The server presented a certificate that could not be verified:
subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.alf.nu
issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
error code 20: unable to get local issuer certificate
Possible causes:
`/usr/local/etc/openssl/certs/' is empty
$ rvm osx-ssl-certs status all
Warning! PATH is not properly set up, '/Users/SamShiffman/.rvm/gems/ruby-2.0.0-p598/bin' is not at first place,
usually this is caused by shell initialization files - check them for 'PATH=...' entries,
it might also help to re-add RVM to your dotfiles: 'rvm get stable --auto-dotfiles',
to fix temporarily in this shell session run: 'rvm use ruby-2.0.0-p598'.
Certificates for /etc/openssl/cert.pem: Up to date.
Certificates for /usr/local/etc/openssl/cert.pem: Up to date.
After all of this, I still couldn't get the application to connect to the site. I finally added this to my code (from a Stack Overflow post) and it worked:
require 'net/http'
require 'openssl'
require 'uri'

def get_html_string(url = @url)
  uri = URI.parse(URI.encode(url.strip))
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  # http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  request = Net::HTTP::Get.new(uri.request_uri)
  response = http.request(request)
  response.body
end
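It now seems that all the other steps I took for this were unnecessary, but I don't know. At this point, absent any advice, I would remove the openssl-osx-ca line from my crontab using: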
(crontab -l | grep -v openssl-osx-ca) | crontab -
...but I'd like some confirmation from a coding veteran who knows this area better than I do.
Thanks
Update 17 Apr 11:00 PDT
I upgraded brew, reinstalled openssl and recreated the symlinks:
$ brew update
$ brew doctor
Binaries provided by keg-only formulae may override system binaries
with other strange results.
You may wish to `brew unlink` these brews:
openssl
$ brew reinstall openssl
$ brew link openssl --force
Linking /usr/local/Cellar/openssl/1.0.2a-1... 1543 symlinks created
$ brew upgrade
And the cron daemon mails stopped! It's been rocking ever since.
Best answer
I upgraded brew, reinstalled openssl and recreated the symlinks:
$ brew update
$ brew doctor
Binaries provided by keg-only formulae may override system binaries
with other strange results.
You may wish to `brew unlink` these brews:
openssl
$ brew reinstall openssl
$ brew link openssl --force
Linking /usr/local/Cellar/openssl/1.0.2a-1... 1543 symlinks created
$ brew upgrade
And the cron daemon mails stopped! It's been rocking ever since.
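Added example, not part of the original question or answer: the doctor.rb output above reports "error code 20: unable to get local issuer certificate" with an empty trust directory, and the posted snippet carries a commented-out VERIFY_NONE line. This Ruby sketch reproduces error 20 offline with a constructed throwaway CA and leaf, then shows the same leaf verifying once the issuer is in the trust store, with a Net::HTTP client that keeps VERIFY_PEER on. The names make_cert, check, verified_http and demo.example are assumptions made for the example.

```ruby
require 'openssl'
require 'net/http'

# Build a certificate; every name and key here is constructed for the demo.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Verify a leaf against a trust store; returns [ok, error_code, error_string].
def check(store, leaf)
  ok = store.verify(leaf)
  [ok, store.error, store.error_string]
end

# Net::HTTP client that keeps peer verification on and trusts only `store`.
# Nothing is sent until a request is made on the returned object.
def verified_http(host, store)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http
end

CA_KEY    = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = make_cert('/CN=Constructed Demo CA', CA_KEY, ca: true)
LEAF_CERT = make_cert('/CN=demo.example', LEAF_KEY, issuer: CA_CERT, issuer_key: CA_KEY)

EMPTY_STORE   = OpenSSL::X509::Store.new # like an empty certs directory
TRUSTED_STORE = OpenSSL::X509::Store.new.tap { |s| s.add_cert(CA_CERT) }

# Where this Ruby's OpenSSL looks for CAs when nothing else is configured.
puts "default CA file: #{OpenSSL::X509::DEFAULT_CERT_FILE}"
puts "default CA dir:  #{OpenSSL::X509::DEFAULT_CERT_DIR}"
p check(EMPTY_STORE, LEAF_CERT)
p check(TRUSTED_STORE, LEAF_CERT)
```
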
Regarding "ruby - Hourly cron message re openssl certificate usage error", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/29686945/