SSLCaertBadFile error heroku curb

Question

I have a rake task that pulls and parses JSON data over an SSL connection from an external API.

I use a gem that wraps this external API and have no problems running locally, but the task fails when run on heroku with #<Curl::Err::SSLCaertBadFile: Curl::Err::SSLCaertBadFile>

I installed the piggyback SSL add-on, hoping it might fix it, but no dice.

Any ideas?

UPDATE

I managed to fix it by disabling ssl verification on the curl request previously set by the following two fields:

request.ssl_verify_peer
request.ssl_verify_host

I don't know enough about SSL to know exactly why the error was caused by these settings in a heroku environment or what the implications of disabling this are, aside from reduced security.

Answer 1

It is a bad idea to disable certificate checking. See http://www.rubyinside.com/how-to-cure-nethttps-risky-default-https-behavior-4010.html, http://jamesgolick.com/2011/2/15/verify-none..html and associated references for more on that topic.

The issue is that your HTTP client doesn't know where to find the CA certificates bundle on heroku.

You don't mention what client you are using, but here is an example for using net/https on heroku:

require "net/https"
require "uri"

root_ca_path = "/etc/ssl/certs"

url = URI.parse "https://example.com"
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = (url.scheme == "https")

if (File.directory?(root_ca_path) && http.use_ssl?)
  http.ca_path = root_ca_path
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.verify_depth = 5
end

request = Net::HTTP::Get.new(url.path)
response = http.request(request)

Here is an example using Faraday:

Faraday.new "https://example.com", ssl: { ca_path: "/etc/ssl/certs" }

Good luck.