Using private_pub with SSL


I have set up private_pub with SSL according to https://github.com/ryanb/private_pub#serving-faye-over-https-with-thin, also adding in `daemonize: true` (tested with and without).

I can browse to https://mydomain.com:4443/faye.js and that loads.

There are no errors on the page.

However, nothing is actually working, i.e. no real-time events trigger. When trying `PrivatePub.publish_to` in the console I get:

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

When I run the thin server un-daemonized I can see it returns `<SSL_incomp>` when trying to `publish_to`.

The SSL on the server is working correctly, how do I go about fixing this?


There are 2 answers

Chris Edwards (BEST ANSWER)

I managed to solve this by appending the contents of the ca-bundle to the .crt file specified in the slim config.

vijay k

Please find the proper approach to resolve this issue.

When you use only the yourdomain.crt file, private_pub won't work while it's doing the handshake with the Rails server.

So your SSL certificate provider will provide you with either the intermediate.crt or the CA bundle file.

If you have a ca-bundle file provided by the CA, just do:

*cat yourdomain.crt whatever.ca-bundle > yourdomainfinal.crt*

If you have an intermediate certificate:

*cat yourdomain.crt intermediate.crt > yourdomainfinal.crt*

Then point the SSL settings at yourdomainfinal.crt and your private key yourdomain.key while running the server.

Please find the block for the thin server:

```yaml
---
chdir: "/home/your/project/path"
environment: "your environment"
timeout: 30
log: "/home/your/project/path/log/thin.log"
pid: "/home/your/project/path/tmp/pids/thin.pid"
max_conns: 1024
require: []

max_persistent_conns: 1000
wait: 30
threadpool_size: 20
servers: 1
threaded: true
socket: /tmp/thin.sock

ssl: true
ssl_key_file: /home/your/project/path/ssl/yourdomain.key
# yourdomainfinal.crt = your certificate followed by the intermediate/CA bundle (see above)
ssl_cert_file: /home/your/project/path/ssl/yourdomainfinal.crt
```

For private_pub

To use private_pub over SSL, please use the configuration below in private_pub_thin.yml:

```yaml
---
port: 4443
ssl: true
ssl_key_file: /path/to/yourdomain.key
# the same concatenated certificate + chain file as for the Rails thin server
ssl_cert_file: /path/to/yourdomainfinal.crt
environment: "your environment"
rackup: private_pub.ru
```

And then run the server with the following command:

*thin -C config/private_pub_thin.yml start*

If you are using Bundler, please don't forget to use:

*RAILS_ENV="your environment" bundle exec thin -C config/private_pub_thin.yml start*

The above command is important when you are using Bundler; if you don't do it then your private_pub will start with no issues while running the server, but it won't publish messages. That's what I observed.

And note, please check whether you have port 4443 allowed in the firewall settings on your server using **sudo ufw status**.

That's it! If you followed all the above steps you should have private_pub working in production or UAT over SSL.
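Both answers come down to what ends up in `ssl_cert_file`. The Ruby script below is an added example (not code from the question, either answer, private_pub or thin): it builds a throwaway root -> intermediate -> server PKI in memory and then checks the three ways of assembling that file the way a verifying client does, trusting only the root (what a system ca-bundle gives you), treating the first PEM certificate as the server's own certificate and the rest as the chain it sends, which is how OpenSSL's chain-file loading works. The CA names, `mydomain.com` and the file names in the comments are assumptions. It shows why `yourdomain.crt` alone produces "certificate verify failed" on the publishing side (Net::HTTP verifies the peer by default, whereas a browser may already have the intermediate cached), why `cat yourdomain.crt intermediate.crt` fixes it, and why the order of the concatenation matters.

```ruby
require 'openssl'

# Added example, not private_pub's or thin's code: a throwaway in-memory PKI
# (root CA -> intermediate CA -> server cert for mydomain.com) used to compare
# candidate ssl_cert_file contents from a verifying client's point of view.

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Issue a certificate; issuer_cert/issuer_key nil means self-signed.
def make_cert(subject, key, issuer_cert, issuer_key, serial, ca:, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}"))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

ROOT_KEY  = make_key
ROOT      = make_cert('/CN=Example Root CA', ROOT_KEY, nil, nil, 1, ca: true)
INTER_KEY = make_key
INTER     = make_cert('/CN=Example Intermediate CA', INTER_KEY, ROOT, ROOT_KEY, 2, ca: true)
LEAF_KEY  = make_key
LEAF      = make_cert('/CN=mydomain.com', LEAF_KEY, INTER, INTER_KEY, 3, ca: false, san: 'mydomain.com')

# Candidate file contents (file names are the hypothetical ones from the answers).
LEAF_ONLY   = LEAF.to_pem                 # yourdomain.crt on its own
LEAF_CHAIN  = LEAF.to_pem + INTER.to_pem  # cat yourdomain.crt intermediate.crt > yourdomainfinal.crt
WRONG_ORDER = INTER.to_pem + LEAF.to_pem  # bundle first: the server would present the CA cert as its own

# Split a PEM file into certificates, keeping file order.
def parse_pem_chain(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Sanity check on a chain file: every certificate must be issued by the one after it.
def chain_in_order?(pem)
  parse_pem_chain(pem).each_cons(2).all? { |child, parent| child.issuer == parent.subject }
end

# Emulate the publishing client: does the presented chain verify against a
# trust store holding only the root, and does the first cert match the host?
# Returns [accepted, reason].
def client_accepts?(chain_pem, trusted_root, hostname)
  certs = parse_pem_chain(chain_pem)
  server_cert, extra = certs.first, certs.drop(1)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_root)
  unless store.verify(server_cert, extra)
    return [false, "certificate verify failed: #{store.error_string}"]
  end
  unless OpenSSL::SSL.verify_certificate_identity(server_cert, hostname)
    return [false, 'hostname mismatch']
  end
  [true, 'ok']
end

if __FILE__ == $PROGRAM_NAME
  { 'leaf only' => LEAF_ONLY, 'leaf + intermediate' => LEAF_CHAIN,
    'intermediate + leaf' => WRONG_ORDER }.each do |name, pem|
    puts "#{name}: ordered=#{chain_in_order?(pem)} client=#{client_accepts?(pem, ROOT, 'mydomain.com').inspect}"
  end
end
```

Run it with `ruby chain_check.rb`: the leaf-only file fails with "unable to get local issuer certificate" (the same verify failure the question reports), the leaf followed by the intermediate is accepted, and the reversed order passes chain verification but fails the hostname check because the server would be presenting the intermediate as its own certificate. `chain_in_order?` is the check worth running over a real `yourdomainfinal.crt` before restarting thin.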