SOAP4R and SSL: unable to get local issuer certificate

After enabling SSL on a couple of apps, I got an email from one of my cron jobs telling me my SOAP API was no longer working. (This is why you always want to have an entry in /etc/aliases forwarding root’s email to an account you will read.)

The error message was “unable to get local issuer certificate.”  I thought, no big deal, there must be an easy way to get SOAP4R to find all the root CA certificates.  Unfortunately it took a while searching Google to find the right answer, so I’m posting it here to make it easier for the next person (which just might be me next week).

It turns out SOAP4R will read a file called “soap/property” in your Ruby library path (which can usually be the directory your app is in). You can place certain configuration options in this file to control how SOAP4R behaves. In this case, I needed to add:

client.protocol.http.ssl_config.ca_file=/etc/ssl/certs/ca-certificates.crt

This fixed the “unable to get local issuer certificate” error right away.

There was another problem though; it was complaining about the hostname not matching the certificate. Since I’m using a wildcard certificate, I assume this means OpenSSL doesn’t respect wildcard certificates. I grudgingly added this to the soap/property file:

client.protocol.http.ssl_config.verify_mode=OpenSSL::SSL::VERIFY_NONE

And it’s fine now.
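
To diagnose a hostname mismatch like the one described above, this added example (not part of the original post) runs the identity check from Ruby's OpenSSL binding against a wildcard certificate and reports which hostnames it accepts. The certificate, its CN and the example.test / example.org hostnames are constructed here; the helper names are hypothetical.

```ruby
require "openssl"

# Build a throwaway self-signed certificate whose only identity is a
# wildcard subjectAltName. All names below are constructed for this example.
def wildcard_cert(san = "DNS:*.example.test")
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=wildcard example")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("subjectAltName", san, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Returns { hostname => true/false } using the same identity check that
# SSLSocket#post_connection_check applies after the handshake.
def hostname_matches(cert, hostnames)
  hostnames.to_h { |h| [h, OpenSSL::SSL.verify_certificate_identity(cert, h)] }
end

RESULTS = hostname_matches(wildcard_cert, %w[
  api.example.test
  example.test
  a.b.example.test
  api.example.org
])
RESULTS.each { |host, ok| puts format("%-20s %s", host, ok ? "match" : "MISMATCH") }
```

The wildcard covers exactly one left-most label, so the bare domain and deeper subdomains fail this check even when the chain verifies against ca_file. Setting verify_mode to VERIFY_NONE turns off certificate verification as a whole, not only the hostname comparison.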


One Response to SOAP4R and SSL: unable to get local issuer certificate

  1. Thank you so much for posting this. I had no idea that you had to put the config in soap/properties. This solved several of my problems (though I now have several more).
