SSL_connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (OpenSSL::SSL::Error) #3477

Closed
olegantonyan opened this issue Oct 28, 2016 · 13 comments


@olegantonyan

olegantonyan commented Oct 28, 2016

crystal 0.19.4 and 0.20.0
openSUSE Tumbleweed 64-bit

require "http/client"
client = HTTP::Client.new("github.com", 443, true)
response = client.get("/")
puts response.status_code

throws an error:

usr/lib64/gcc/x86_64-suse-linux/6/../../../../x86_64-suse-linux/bin/ld: skipping incompatible /usr/lib/libssl.so when searching for -lssl
/usr/lib64/gcc/x86_64-suse-linux/6/../../../../x86_64-suse-linux/bin/ld: skipping incompatible /usr/lib/libcrypto.so when searching for -lcrypto
SSL_connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (OpenSSL::SSL::Error)
[4544887] *CallStack::unwind:Array(Pointer(Void)) +87
[4544778] *CallStack#initialize:Array(Pointer(Void)) +10
[4544730] *CallStack::new:CallStack +42
[4513704] *raise<OpenSSL::SSL::Error>:NoReturn +24
[4829180] *OpenSSL::SSL::Socket::Client#initialize<TCPSocket, OpenSSL::SSL::Context::Client, Bool, String>:Nil +412
[4828734] *OpenSSL::SSL::Socket::Client::new:context:sync_close:hostname<TCPSocket, OpenSSL::SSL::Context::Client, Bool, String>:OpenSSL::SSL::Socket::Client +142
[4800429] *HTTP::Client#socket:(OpenSSL::SSL::Socket+ | TCPSocket+) +365
[4799613] *HTTP::Client#exec_internal<HTTP::Request>:HTTP::Client::Response +45
[4799286] *HTTP::Client#exec<HTTP::Request>:HTTP::Client::Response +38
[4798566] *HTTP::Client#exec<String, String, Nil, Nil>:HTTP::Client::Response +22
[4798535] *HTTP::Client#get<String>:HTTP::Client::Response +39
[4455658] ???
[4511449] main +41
[139651033834129] __libc_start_main +241
[4453818] _start +42
[0] ???

First 2 lines look suspicious. Why is it trying to load /usr/lib/libssl.so if I'm on a 64-bit OS? It should look in /usr/lib64.

Same crystal version and the same code work fine on openSUSE 13.2 64-bit. The problem is only with Tumbleweed.

@RX14
Contributor

RX14 commented Oct 28, 2016

Was the binary compiled on the same system it's being run on?

@olegantonyan
Author

Yes.
Actually, if I compile the binary on another system (13.2) and run it here (Tumbleweed), it will work.

@bararchy
Contributor

I think your real issue is this:

SSL_connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (OpenSSL::SSL::Error)

This error means the client could not verify the certificate on the target server.
Setting VERIFY_NONE or making sure the server has a valid certificate (not self-signed, etc.) should resolve this issue.

@ysbaddaden
Contributor

It's unlikely for github.com to have an invalid certificate. Maybe a problem accessing local certificates, preventing validation of the remote host?

@ysbaddaden
Contributor

Note that VERIFY_NONE is never a solution.

@bararchy
Contributor

bararchy commented Dec 1, 2016

@ysbaddaden It's a solution to find out what the problem is :)
If we can see that the problem goes away when VERIFY_NONE is used, this means that it's a certificate validation issue; if it won't, then we know something (like the linked lib or w\e) is the cause (or even mismatched protocols or cipher suites).

@olegantonyan
Author

Thanks for the replies.

How to set VERIFY_NONE?

btw, same problem with 0.20.0

@bmmcginty
Contributor

require "http/client"
require "openssl"
client = HTTP::Client.new("github.com", 443, true)
# this disables verification
client.tls.verify_mode=OpenSSL::SSL::VerifyMode::NONE
response = client.get("/")
puts response.status_code

@olegantonyan
Author

Thank you @bmmcginty
It works
So the problem is that crystal cannot find certificates installed on my system

@ysbaddaden
Contributor

We merely delegate to OpenSSL, which should be searching for certificates. Sounds like the OpenSSL versions are somewhat incompatible, or a configuration difference at compile time?

@olegantonyan
Author

How to check this/where to start? OpenSSL definitely works on my system
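
A starting point for the check asked about above, as an added example (not code from this thread or from Crystal): since certificate lookup is delegated to OpenSSL, the script reports whether OpenSSL's default trust locations are populated. It assumes the stock layout of `cert.pem` and `certs/` under OPENSSLDIR, which distributions may patch; the function names are illustrative.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): report whether the locations that
# OpenSSL's default certificate verification reads actually contain CAs.

# Extract the directory from a line such as: OPENSSLDIR: "/etc/ssl"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Count hashed CA entries (e.g. 5ad8a5d6.0) that a CApath lookup relies on.
count_hashed_certs() {
    n=0
    for f in "$1"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Print file, dir, both or none for the default store under OPENSSLDIR ($1).
# SSL_CERT_FILE and SSL_CERT_DIR override the compiled-in locations
# (SSL_CERT_DIR is treated as a single directory here, an assumption).
ca_store_status() {
    file="${SSL_CERT_FILE:-$1/cert.pem}"
    dir="${SSL_CERT_DIR:-$1/certs}"
    has_file=no; has_dir=no
    [ -s "$file" ] &&
        grep -q -e 'BEGIN CERTIFICATE' -e 'BEGIN TRUSTED CERTIFICATE' "$file" &&
        has_file=yes
    [ -d "$dir" ] && [ "$(count_hashed_certs "$dir")" -gt 0 ] && has_dir=yes
    case "$has_file$has_dir" in
        yesyes) echo both ;;
        yesno)  echo file ;;
        noyes)  echo dir ;;
        *)      echo none ;;
    esac
}

# Run against the local OpenSSL only when the CLI is installed.
if command -v openssl >/dev/null 2>&1; then
    d=$(parse_openssldir "$(openssl version -d)")
    echo "OPENSSLDIR=$d default CA store: $(ca_store_status "$d")"
fi
```

A result of `none` means default verification has no trust anchors to work with. The `openssl` CLI reports the OPENSSLDIR of the build it belongs to, so a binary linked against a different libssl can have a different one.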

@rdp
Contributor

rdp commented Jan 5, 2017

Working OK on my local box (OS X); possibly your OpenSSL is misconfigured [?]

$ crystal run --release go.cr
200

@olegantonyan
Author

No longer reproduces.
After a few months of distro updates this problem is solved.
