This repository has been archived by the owner on Apr 24, 2021. It is now read-only.

Setting up SSL certificate locations in Linux

eric-hu edited this page May 11, 2011 · 3 revisions

OmniAuth uses Faraday for the HTTPS requests it makes on your behalf, such as the call to Facebook during the authentication callback phase. By default, Faraday (and the Ruby OpenSSL library under it) is not told where the trusted CA certificates live on your server, so it cannot verify the certificate the remote site presents. If this is the case, you may see an error similar to:

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):

To fix this, pass the location of your CA certificates to the provider through :client_options. For example, in a Rails 3.0.x app you could have an initializer called omniauth.rb in config/initializers:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :facebook, APP_ID, APP_SECRET,
    {:client_options => {:ssl => {:ca_path => "/etc/ssl/certs"}}}  # Modify this with your CA certificates path
end

Alternatively, the above block can be placed in config/application.rb.

Your CA certificates folder may not be /etc/ssl/certs. On Linux, run openssl version -a in a terminal; the OPENSSLDIR line shows the directory OpenSSL was built to use, and the certificates normally live in a certs subdirectory of it, so you will likely have to append /certs to that path. The reported directory may be a symbolic link to another folder (on Ubuntu 10.10, /usr/lib/ssl/certs points to /etc/ssl/certs, so either will work). One caveat: :ca_path only works with a directory that OpenSSL has indexed by subject hash, i.e. one containing the hash-named symlinks that c_rehash creates (as the distribution's certs directory does). A folder of plainly named .crt files is not searched; for such a location use :ca_file pointing at a single bundle file instead, as in the next section.

Note that this fix is written specifically for OmniAuth 0.2.2. If you have an earlier version, you will have to upgrade before you can specify the CA certificate path this way.

## Heroku, Fedora, CentOS

On these systems users reported having to point at a specific CA bundle file with :ca_file rather than at a directory with :ca_path (example for Heroku):

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :facebook, 'YOUR_APP_ID', 'YOUR_SECRET_KEY',
    {:scope => 'PERMISSION_1, PERMISSION_2, ETC',
     :client_options => {:ssl => {:ca_file => '/usr/lib/ssl/certs/ca-certificates.crt'}}}
end

Ensure that any Facebook permissions you require (:scope) are in the same options hash as :client_options; provider takes a single options hash, and a second hash argument is not merged in.

On Fedora and CentOS, use /etc/pki/tls/certs/ca-bundle.crt instead, or find your system path with openssl version -a.
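The following is an added example and is not code from this wiki or from the OmniAuth project. It reproduces offline what is going on behind the "certificate verify failed" error and the two fixes above (:ca_path and :ca_file). It builds a throwaway test CA and a server certificate in memory, then checks the server certificate against an OpenSSL::X509::Store loaded the way Faraday's :ssl options load it: an empty store fails with the "unable to get local issuer certificate" reason that OpenSSL reports as a verify failure, a bundle file works, a hash-indexed directory (what c_rehash produces) works, and a directory of plainly named .crt files does not. The certificate names and the temporary file names are made up for the example; nothing here touches the network.

```ruby
require 'openssl'
require 'tmpdir'

# Added example, not part of the OmniAuth wiki. Builds a tiny PKI in memory and
# shows how OpenSSL's verification behaves depending on where it is told to look
# for trust anchors. Subject names are made up for the demonstration.

def make_cert(subject, issuer_cert, issuer_key, key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject # self-signed if no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign, cRLSign' : 'digitalSignature, keyEncipherment',
                                         true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('/CN=Example Test CA', nil, nil, CA_KEY, 1, ca: true)
SERVER_KEY = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = make_cert('/CN=graph.example.test', CA_CERT, CA_KEY, SERVER_KEY, 2, ca: false)

# Returns [verified?, reason]; the reason is what OpenSSL puts behind
# "certificate verify failed" when verification does not succeed.
def verify_with_store(store, cert)
  ok = store.verify(cert)
  [ok, ok ? 'ok' : store.error_string]
end

# Equivalent of Faraday's :ssl => {:ca_file => path}: one PEM bundle file.
def verify_with_ca_file(path, cert)
  store = OpenSSL::X509::Store.new
  store.add_file(path)
  verify_with_store(store, cert)
end

# Equivalent of Faraday's :ssl => {:ca_path => dir}: a hash-indexed directory.
def verify_with_ca_path(dir, cert)
  store = OpenSSL::X509::Store.new
  store.add_path(dir)
  verify_with_store(store, cert)
end

# What happens when nobody tells OpenSSL where the CA certificates are.
def verify_with_empty_store(cert)
  verify_with_store(OpenSSL::X509::Store.new, cert)
end

def demo
  Dir.mktmpdir do |dir|
    bundle = File.join(dir, 'ca-bundle.crt')          # stands in for ca-certificates.crt
    File.write(bundle, CA_CERT.to_pem)

    hashed = File.join(dir, 'certs')                  # stands in for /etc/ssl/certs
    Dir.mkdir(hashed)
    # ca_path lookups find CAs only through files named <subject hash>.<n>,
    # which is exactly what c_rehash creates on a real system.
    File.write(File.join(hashed, format('%08x.0', CA_CERT.subject.hash)), CA_CERT.to_pem)

    unhashed = File.join(dir, 'unhashed')             # a plain folder of .crt files
    Dir.mkdir(unhashed)
    File.write(File.join(unhashed, 'ca.crt'), CA_CERT.to_pem)

    {
      no_store: verify_with_empty_store(SERVER_CERT),
      ca_file: verify_with_ca_file(bundle, SERVER_CERT),
      ca_path_hashed: verify_with_ca_path(hashed, SERVER_CERT),
      ca_path_unhashed: verify_with_ca_path(unhashed, SERVER_CERT),
    }
  end
end

demo.each { |name, (ok, reason)| puts format('%-18s %-5s %s', name, ok, reason) } if $PROGRAM_NAME == __FILE__
```

The unhashed case is the one that bites people who copy a CA file into an arbitrary directory and pass that directory as :ca_path: verification still fails, because OpenSSL never opens the file. Either run c_rehash on the directory or switch to :ca_file.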

## Solutions to avoid

Some online posts suggest making the error go away by disabling certificate verification (SSL itself stays on, but the remote certificate is no longer checked) with a line similar to the following:

OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

This isn't advisable in production code. Reassigning VERIFY_PEER to VERIFY_NONE turns off certificate checking for every OpenSSL connection in the process, not just the OmniAuth request, so anyone who can intercept your server's traffic can impersonate Facebook (or any other third party) and read or forge the private user information exchanged in the callback, including the access token. The error means the CA certificates were not found; pointing OpenSSL at the right bundle, as above, fixes it without weakening anything.