A Blog

An occasional data tap into Peter Burkholder’s brain

Fixing #sensuapp OpenSSL Peer Cert Validation Issues


Today I used Chef to configure a test sensu-server, but my Hipchat notifications were failing with this snippet in the logs:

    /opt/sensu/embedded/lib/ruby/2.0.0/net/http.rb:917:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)\n"

I soon determined that the httparty gem was at 0.11.0 on the prod sensu servers, and at 0.12.0 on the new one. Further, httparty had (wisely) been changed to verify peer certs. No problem, but where to put the CA (Certificate Authority) bundle?

Tracking this down took more of the afternoon than ideal, but eventually I determined that the default SSL cert path can be determined with:

    irb
    irb(main):001:0> require 'openssl'
    => true
    irb(main):002:0> File.dirname OpenSSL::Config::DEFAULT_CONFIG_FILE
    => "/opt/sensu/embedded/ssl"

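To get the CA certs into the embedded Ruby, we can update the default Sensu install with a bit of Chefery:

    # Drop the CA bundle where the embedded OpenSSL looks for it by default.
    cookbook_file '/opt/sensu/embedded/ssl/cert.pem' do
      source 'cert.pem'
      # A CA bundle only needs to be readable, not executable.
      mode '0644'
    end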

The contents of cert.pem are pulled from http://curl.haxx.se/ca/cacert.pem, so we have a complete list of acceptable Certificate Authorities.
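The check below is an added example, not code from the original post or from Sensu: it reports the file and directory that Ruby's OpenSSL treats as its default trust anchors, counts and flags expired certificates in a PEM bundle, and shows verification failing with an empty store and succeeding once the bundle is loaded. The CA and leaf certificates are constructed in-process as throwaway test material, and all function names are hypothetical.

```ruby
require 'openssl'
require 'tempfile'

# Default trust-anchor locations; SSL_CERT_FILE / SSL_CERT_DIR override them.
def default_trust_paths
  { file: ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE,
    dir: ENV[OpenSSL::X509::DEFAULT_CERT_DIR_ENV] || OpenSSL::X509::DEFAULT_CERT_DIR }
end

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m
# Parse every certificate in a PEM bundle and name the ones already expired.
def bundle_report(path, now = Time.now)
  certs = File.read(path).scan(PEM_CERT).map { |pem| OpenSSL::X509::Certificate.new(pem) }
  { total: certs.size, expired: certs.select { |c| c.not_after < now }.map { |c| c.subject.to_s } }
end

# Verify a peer certificate against a bundle (nil means an empty trust store).
def verify_against(cert, bundle_path)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path) if bundle_path
  [store.verify(cert), store.error_string]
end

# Constructed test material: a throwaway cert signed by `issuer`, or self-signed.
def make_cert(cn, key, issuer: nil, issuer_key: key, ca: false, days: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_after = Time.now + days * 86_400
  cert.not_before = cert.not_after - 30 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

def demo
  ca_key, leaf_key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Constructed Test CA', ca_key, ca: true)
  stale = make_cert('Constructed Expired CA', ca_key, ca: true, days: -1)
  leaf = make_cert('constructed.example', leaf_key, issuer: ca, issuer_key: ca_key)
  Tempfile.create(['cert', '.pem']) do |f|
    File.write(f.path, ca.to_pem + stale.to_pem)
    { paths: default_trust_paths, report: bundle_report(f.path),
      without_bundle: verify_against(leaf, nil), with_bundle: verify_against(leaf, f.path) }
  end
end
p demo if __FILE__ == $PROGRAM_NAME
```

Run under the embedded Ruby, `default_trust_paths` shows whether `/opt/sensu/embedded/ssl/cert.pem` is the file actually consulted, and `bundle_report` can be pointed at the deployed bundle.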

Ideally, I would submit a PR to https://github.com/sensu/sensu-build/pulls, but for now I’ll have to content myself with an issue report.

References:

- http://www.rdoc.info/stdlib/openssl/OpenSSL/X509/Store:set_default_paths
- http://www.rubyinside.com/nethttp-cheat-sheet-2940.html
- https://github.com/emboss/ruby-openssl/blob/282912788da2247d10281988a2c35818ee14912f/ext/openssl/lib/openssl/ssl-internal.rb

Update: https://github.com/sensu/sensu-build/pull/79 has a PR to sensu Omnibus to fix this.