Errori Ruby OpenSSL - Cerere CA mancanti (chi è Justin?)

Question

Sto scrivendo un piccolo script di utilità che si occupa di alcune API RESTful su HTTPS utilizzando il modulo Net :: HTTP di Ruby su Windows. Ho sempre ottengo questo errore:

C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError) 
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `block in connect' 
    from C:/Ruby22-x64/lib/ruby/2.2.0/timeout.rb:74:in `timeout' 
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect' 
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:863:in `do_start' 
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:852:in `start' 
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:1375:in `request' 

Secondo this post mi manca i certificati CA di default. Ho fatto funzionare il suo script "ssl dottore" e mi ha dato questa diagnosi:

C:\Users\Megaflux\Documents\GitHub\Github_Backup> ruby doctor.rb 
C:/Ruby22-x64/bin/ruby (2.2.2-p95) 
OpenSSL 1.0.1l 15 Jan 2015: C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl 
SSL_CERT_DIR="" 
SSL_CERT_FILE="" 

HEAD https://status.github.com:443 
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed 

The server presented a certificate that could not be verified: 
    subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA 
    issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA 
    error code 20: unable to get local issuer certificate 

Possible causes: 
    `C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl/cert.pem' does not exist 
    `C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl/certs/' is empty 

sto bene il download di alcuni certificati CA radice e la loro installazione a quella directory, che non è difficile. Ma chi è Justin? Non ho quell'utente sulla mia macchina, e preferirei non creare quelle cartelle se non dovessi farlo. Qualcuno sa come cambiare la directory dei certificati ssl di default?

Molte grazie.

Edit: Per completezza, mi butto lo script che è stato generando l'errore qui

require 'open-uri' 
open("https://www.google.com/") {|f| 
    f.each_line {|line| p line} 
} 

Answer 1

RubyInstaller issue #153

OpenSSL::X509::DEFAULT_CERT_FILE with personal hardcoded path

The problem is OpenSSL that has hardcoded values. Search to closed issues and also RubyInstaller group and will see this happens from time to time.

OpenSSL needs to be fixed, but no patch to solve this issue has proposed to OpenSSL itself. See oneclick/rubyinstaller#47

cert.pem is already provided by RubyGems and is included, please take a look here:

https://github.com/ruby/ruby/tree/ruby_2_0_0/lib/rubygems/ssl_certs

That is part of Ruby and thus, RubyInstaller release.

RubyGems is capable of installing gems from rubygems.org, however, like you pointed in the Bundler issue, you need a list of other CAs so connect to the private/custom RubyGems server works.

For that you need to set SSL_CERT_FILE environment variable pointing to the CA certs file.

See oneclick/rubyinstaller#86 and oneclick/rubyinstaller#148

tl; dr: Justin è la persona che ha compilato il tuo OpenSSL binario.