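A few days ago I was building a Ruby application that has to use OpenSSL to access a web page. It kept failing to connect to the website https://regex.alf.nu, so I went to Stack Overflow, and after a lot of research I concluded that my OpenSSL was outdated, at version 0.9.8zc. I made the recommended changes (details below), after which my application was able to read the text of the website mentioned above.
Today I discovered that ever since I made those changes, my system has been generating an error mail message almost every hour (starting Sun Apr 12 08:00:01). Here is the text of the latest mail: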
From SamShiffman@Samuels-MBP.PK5001Z Thu Apr 16 12:00:01 2015
X-Original-To: SamShiffman
Delivered-To: SamShiffman@Samuels-MBP.PK5001Z
From: SamShiffman@Samuels-MBP.PK5001Z (Cron Daemon)
To: SamShiffman@Samuels-MBP.PK5001Z
Subject: Cron <SamShiffman@Samuels-MBP> /usr/local/Cellar/openssl-osx-ca/1.0.4/bin/openssl-osx-ca /usr/local/bin/brew
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=SamShiffman>
X-Cron-Env: <USER=SamShiffman>
X-Cron-Env: <HOME=/Users/SamShiffman>
Date: Thu, 16 Apr 2015 12:00:01 -0700 (PDT)
Usage error; try -help.
rehash failed to verify, something is wrong
check /tmp/openssl-osx-ca.f9SEDVyI/cert.pem for problems
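I haven't noticed any negative effects on my MBP, but I'm a bit worried that I may still have "broken" something when I did the OpenSSL update. As far as I can tell, the cron daemon error mails started after running these commands: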
$ rvm osx-ssl-certs status all
>Certificates for /etc/openssl/cert.pem: Old.
>Certificates for /usr/local/etc/openssl/cert.pem: Up to date.
$ rvm osx-ssl-certs update all
> Updating certificates for /etc/openssl/cert.pem: Updating certificates in '/etc/openssl/cert.pem'.
> Updated.
> Updating certificates for /usr/local/etc/openssl/cert.pem: Already up to date.
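After this I still could not connect to the website mentioned above. After more research, I found a post on Stack Overflow that referred to a tool as a possible fix. I ran: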
$ brew tap raggi/ale
$ brew install openssl-osx-ca
>==> Installing openssl-osx-ca from raggi/homebrew-ale
>==> Downloading https://github.com/raggi/openssl-osx-ca/archive/1.0.4.tar.gz
>######################################################################## 100.0%
>==> make install PREFIX='/usr/local/Cellar/openssl-osx-ca/1.0.4' BREW='/usr/loca
==> Caveats
>To uninstall remove the openssl-osx-ca line from your crontab. e.g.
> (crontab -l | grep -v openssl-osx-ca) | crontab -
>==> Summary
> /usr/local/Cellar/openssl-osx-ca/1.0.4: 4 files, 16K, built in 2 seconds
$ git clone https://github.com/mislav/ssl-tools.git
$ brew link openssl --force
Linking /usr/local/Cellar/openssl/1.0.2a-1... 1543 symlinks created
$ brew install curl-ca-bundle
Error: No available formula for curl-ca-bundle
Searching formulae...
Searching taps...
$ ruby ssl-tools/doctor.rb
/Users/SamShiffman/.rvm/rubies/ruby-2.0.0-p598/bin/ruby (2.0.0-p598)
OpenSSL 1.0.2a 19 Mar 2015: /usr/local/etc/openssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""
HEAD https://status.github.com:443
/Users/SamShiffman/.rvm/rubies/ruby-2.0.0-p598/lib/ruby/2.0.0/openssl/buffering.rb:175:in `sysread_nonblock': end of file reached (EOFError)
$ ruby ssl-tools/doctor.rb 'regex.alf.nu'
/Users/SamShiffman/.rvm/rubies/ruby-2.0.0-p598/bin/ruby (2.0.0-p598)
OpenSSL 1.0.2a 19 Mar 2015: /usr/local/etc/openssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""
HEAD https://regex.alf.nu:443
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The server presented a certificate that could not be verified:
subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.alf.nu
issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
error code 20: unable to get local issuer certificate
Possible causes:
`/usr/local/etc/openssl/certs/' is empty
$ rvm osx-ssl-certs status all
Warning! PATH is not properly set up, '/Users/SamShiffman/.rvm/gems/ruby-2.0.0-p598/bin' is not at first place,
usually this is caused by shell initialization files - check them for 'PATH=...' entries,
it might also help to re-add RVM to your dotfiles: 'rvm get stable --auto-dotfiles',
to fix temporarily in this shell session run: 'rvm use ruby-2.0.0-p598'.
Certificates for /etc/openssl/cert.pem: Up to date.
Certificates for /usr/local/etc/openssl/cert.pem: Up to date.
After all that, the application still could not connect to the website. I finally added this to my code (from a Stack Overflow post) and it works:
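require 'net/http'
require 'openssl'
require 'uri'

def get_html_string(url = @url)
  # URI.encode exists on the Ruby 2.0.0 used here; it was removed in Ruby 3.0.
  uri = URI.parse(URI.encode(url.strip))
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  # Left commented out: VERIFY_NONE would switch off certificate verification.
  # http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  request = Net::HTTP::Get.new(uri.request_uri)
  response = http.request(request)
  response.body
end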
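It now seems that all the other steps I took were unnecessary, but I don't know. In the absence of any advice, I will remove the openssl-osx-ca line from my crontab with the following command: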
(crontab -l | grep -v openssl-osx-ca) | crontab -
...but I'd like confirmation from some veterans who know more about this than I do.
Thanks
Answer 0 (score: 0)
I upgraded brew, reinstalled openssl and recreated the symlinks:
$ brew update
$ brew doctor
Binaries provided by keg-only formulae may override system binaries
with other strange results.
You may wish to `brew unlink` these brews:
openssl
$ brew reinstall openssl
$ brew link openssl --force
Linking /usr/local/Cellar/openssl/1.0.2a-1... 1543 symlinks created
$ brew upgrade
And the cron daemon mails stopped! Been rockin' 'n rollin' ever since.
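
The `error code 20: unable to get local issuer certificate` line in the question's doctor.rb output can be reproduced offline. This added example (not part of the original posts) builds a constructed throwaway CA and leaf, then verifies the leaf against an empty trust store and against one holding the issuer, which shows the failure and the fix with verification left on; `make_cert`, `verify_with`, `default_trust_paths` and `demo` are names made up for illustration.

```ruby
require 'openssl'

# Build a certificate for a constructed, throwaway test PKI (hypothetical helper).
def make_cert(cn, key, issuer_cert, issuer_key, is_ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', is_ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify leaf against store; returns [verified?, error code, error text].
def verify_with(store, leaf)
  ok = store.verify(leaf)
  [ok, store.error, store.error_string]
end

# Compiled-in trust locations (SSL_CERT_FILE / SSL_CERT_DIR override them).
def default_trust_paths
  file = OpenSSL::X509::DEFAULT_CERT_FILE
  dir = OpenSSL::X509::DEFAULT_CERT_DIR
  { file: file, file_present: File.file?(file),
    dir: dir, dir_entries: Dir.exist?(dir) ? Dir.children(dir).size : 0 }
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Constructed Test CA', ca_key, nil, ca_key, true)
  leaf = make_cert('leaf.example.test', leaf_key, ca, ca_key, false)
  empty = OpenSSL::X509::Store.new # no anchors, like an empty certs/ directory
  fixed = OpenSSL::X509::Store.new
  fixed.add_cert(ca) # the missing issuer supplied as a trust anchor
  { empty: verify_with(empty, leaf), fixed: verify_with(fixed, leaf) }
end

if __FILE__ == $PROGRAM_NAME
  p default_trust_paths
  p demo
end
```

To apply the same idea to Net::HTTP, point `http.ca_file` (or `SSL_CERT_FILE`) at a bundle that contains the server's issuing CA.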