Thanks for the point-out. Once again, how you ask the question on Google determines what you get for answers.
Note to anyone else encountering a situation like this: if I google "ActiveMerchant SSL_connect" the Github link Brian referenced is the very first search result. In my somewhat frantic searching it didn't occur to me to try a variety of terms around the issue, and had I done so, I most likely would have found this.

The main players in this problem were Rails, SSL, ActiveMerchant, SSLv3, etc. -- I should have tried many combinations of those terms.

Lastly, this app was started over 8 years ago and has not gotten the attention it needed in terms of Rails, Ruby, and gem version upgrades. I did manage to upgrade it to Rails 2.3 several years ago but that's as far as I got. Looking back, even an upgrade to ruby 1.9.3 might have prevented this.

Try to keep your apps and other major dependencies at least near the current major release. An ounce of prevention here is worth hundreds of pounds of cure later -- and reduces cranial bruising significantly!

Cheers,

Chris

On Mon, Jun 1, 2015 at 2:27 AM, Brian <[email protected]> wrote:

> Glad to hear it worked for you too. I was tipped off by an issue opened
> in the active_merchant repo:
> https://github.com/Shopify/active_merchant/issues/1643
>
> On Saturday, May 30, 2015 at 9:54:18 PM UTC-7, Chris McCann wrote:
>>
>> Brian,
>>
>> DUDE! All your beers at SD Ruby are on me for the rest of this year.
>> You just saved my bacon big time - thanks so much for the tip. That worked
>> like a charm.
>>
>> How did you come across this fix?
>>
>> Cheers,
>>
>> Chris
>>
>> On Sat, May 30, 2015 at 9:09 PM, Brian <[email protected]> wrote:
>>
>>> I had the same issue with authorize.net and was able to resolve it by
>>> updating the cacerts for activemerchant gem and restarting rails.
>>>
>>> gem env #find path to gems
>>> [root@ip-172-30-0-131 inumbr]# cd /usr/lib64/ruby/gems/1.8/gems/activemerchant-1.4.2/
>>> [root@ip-172-30-0-131 activemerchant-1.4.2]# cd lib/certs/
>>> [root@ip-172-30-0-131 certs]# ls
>>> cacert.pem
>>> [root@ip-172-30-0-131 certs]# mv cacert.pem cacert.pem.old
>>> [root@ip-172-30-0-131 certs]# wget http://curl.haxx.se/ca/cacert.pem
>>> 2015-05-29 06:58:53 (548 KB/s) - ‘cacert.pem’ saved [258424/258424]
>>>
>>>
>>> On Friday, May 29, 2015 at 9:46:25 PM UTC-7, Chris McCann wrote:
>>>>
>>>> Thanks, Rob. I did in fact spend about 4 hours last night trying to
>>>> upgrade my Rails 2.3 app to Ruby 1.9.3. I ran into obstacle after obstacle
>>>> and was finally halted by an inability to get Rails 2.3 to talk to MySQL
>>>> 5.5+.
>>>>
>>>> Has anyone else cracked that nut?
>>>>
>>>> Chris
>>>>
>>>> On Fri, May 29, 2015 at 9:36 PM, Rob Kaufman <[email protected]> wrote:
>>>>
>>>>> It comes down to trying to disable SSLv3. It's frankly pretty
>>>>> difficult in 1.8.7. You'll need to dig in to which http library you need
>>>>> to get started. If it is http.rb, get ready to patch your own Ruby. Here
>>>>> is a place to get started.
>>>>>
>>>>> https://www.ruby-lang.org/en/news/2014/10/27/changing-default-settings-of-ext-openssl/
>>>>>
>>>>> I know it's not exciting, but you can upgrade a 2.3 app to 1.9.3. It's
>>>>> worth doing even before you try and tackle the much bigger rails update.
>>>>>
>>>>> —
>>>>> Sent from Mailbox <https://www.dropbox.com/mailbox>
>>>>>
>>>>>
>>>>> On Fri, May 29, 2015 at 8:14 PM, Chris McCann <[email protected]> wrote:
>>>>>
>>>>>> SD Ruby,
>>>>>>
>>>>>> A Rails app I've had in production for over 7 years developed an odd
>>>>>> problem on Thursday. This change was not preceded by any code or server
>>>>>> changes within the past few weeks.
>>>>>>
>>>>>> It's a Rails 2.3 app running on Ruby 1.8.7 (yes, it's old, and I've
>>>>>> been working on upgrading it for months).
>>>>>> It runs on Ubuntu 10.04.4 LTS (I know, also old, and being upgraded).
>>>>>>
>>>>>> It uses ActiveMerchant to process credit card payments via the
>>>>>> Authorize.net gateway. This bit has worked essentially flawlessly for
>>>>>> over 5 years.
>>>>>>
>>>>>> This past Thursday my client tried to process a credit card payment
>>>>>> and the app threw an error:
>>>>>>
>>>>>> A OpenSSL::SSL::SSLError occurred in credit_card_payments#create:
>>>>>>
>>>>>> SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
>>>>>>
>>>>>> /usr/local/rvm/rubies/ruby-1.8.7-p352/lib/ruby/1.8/net/http.rb:586:in `connect'
>>>>>>
>>>>>> Of course, this happened while I was on an airplane, and more
>>>>>> ironically, flying to San Antonio to see my client.
>>>>>>
>>>>>> Frantic Googling at 41,000 feet brought me to this:
>>>>>> http://mislav.uniqpath.com/2013/07/ruby-openssl/
>>>>>>
>>>>>> One of the suggestions in the mislav article is to do a CA
>>>>>> certificate upgrade via apt-get (sounds of ominous bass notes in the
>>>>>> background). Since the Ubuntu distro I have been using has been
>>>>>> "end-of-lifed" (EOL'd), I cannot update the CA certificates on the
>>>>>> distro, though all of the other checks indicate this isn't an issue.
>>>>>>
>>>>>> Also mentioned in that article is the "doctor.rb" script to check
>>>>>> things, and it reported all was "OK".
>>>>>>
>>>>>> I contacted our SSL provider, RapidSSL, and they verified that our
>>>>>> SSL certificate, and the others in the cert chain, were valid and
>>>>>> installed correctly.
>>>>>>
>>>>>> I have reached out to Authorize.net to ask them if anything changed
>>>>>> on their end but haven't heard back yet.
>>>>>>
>>>>>> My plea to SD Ruby: has anyone else encountered something like this?
>>>>>> I'm at a loss as to what the cause might be or how to fix it, short of
>>>>>> the long-delayed upgrade to Rails 4 and a new Linux distro.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Chris
>>>>>>
>>>>>> --
>>>>>> --
>>>>>> SD Ruby mailing list
>>>>>> [email protected]
>>>>>> http://groups.google.com/group/sdruby
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "SD Ruby" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to [email protected].
>>>>>> For more options, visit https://groups.google.com/d/optout.
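
The fix described in the thread, replacing the gem's bundled cacert.pem, works because verification only succeeds when the server's chain ends at a root present in that file. The Ruby sketch below is an added example, not code from the thread or from ActiveMerchant, and it targets a current Ruby rather than 1.8.7. Assumptions: all certificates, the helper names `make_cert`, `verify_against_bundle` and `demo`, and the host `gateway.example` are constructed for illustration, and the scenario (a gateway chain rooted at a CA missing from the old bundle) is assumed, not confirmed by the thread.

```ruby
require 'openssl'

# Constructed demo PKI (not real gateway certificates): build a self-signed
# root when no issuer is given, otherwise a leaf signed by that issuer.
def make_cert(cn, key, issuer_cert = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  constraint = issuer_cert ? 'CA:FALSE' : 'CA:TRUE'
  cert.add_extension(ef.create_extension('basicConstraints', constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Load every certificate in a PEM bundle (the format of cacert.pem) into a
# trust store and verify `leaf` against it, as a client pinned to that file would.
def verify_against_bundle(leaf, bundle_pem)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m) do |pem|
    store.add_cert(OpenSSL::X509::Certificate.new(pem))
  end
  ok = store.verify(leaf)
  { ok: ok, code: store.error, reason: store.error_string }
end

# Assumed scenario: the server certificate chains to a root that the old
# bundle does not contain, while the refreshed bundle does contain it.
def demo
  old_key, new_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  old_root = make_cert('Constructed Old Root', old_key)
  new_root = make_cert('Constructed New Root', new_key)
  leaf = make_cert('gateway.example', leaf_key, new_root, new_key)
  stale_bundle = old_root.to_pem
  fresh_bundle = old_root.to_pem + new_root.to_pem
  { stale: verify_against_bundle(leaf, stale_bundle),
    fresh: verify_against_bundle(leaf, fresh_bundle) }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, r| puts "#{name}: ok=#{r[:ok]} (#{r[:reason]})" }
end
```

When replacing a bundle on a real host, fetch it over HTTPS and compare it against a published checksum before pointing the application at it.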
