On Mon, Jun 25, 2012 at 9:54 AM, Josh Cooper <j...@puppetlabs.com> wrote:
> On Mon, Jun 25, 2012 at 5:11 AM, Ken Barber <k...@puppetlabs.com> wrote:
>>
>> (responding to puppet-dev)
>>
>> >>> I've managed to solve it on Linux by specifying:
>> >>> https_object.ca_path = '/etc/ssl/certs'
>> >
>> > You managed to work around your broken build, I think.
>>
>> You mean Debian 6's broken build - Lol ... found this using the system
>> ruby 1.8 from Debian, latest version :-).
>>
>> > We should use the system certificate set, and *ONLY* the system
>> > certificate set, since that is the only thing that will allow our users
>> > control over what is or is not trusted.
>> >
>> > Anything where we adjust the default settings is a terrible mistake:
>> > we are taking out of the hands of our users the right to manage trust.
>> >
>> > (With the obvious exception of our own private CA for internal use. :)
>>
>> Sure - good point.
>>
>> > On Linux that usually means installing `ca-certificates` or a
>> > similarly named package. On the mac, with the system OpenSSL, that
>> > comes from KeyChain. On Windows I don't actually know, but I would
>> > expect it to integrate with the system trust store.
>> >
>> > The most common place I have run into this with is RVM, either using a
>> > non-standard OpenSSL (eg: RVM package, or MacPorts), in which case the
>> > solution is to configure your other OpenSSL correctly also.
>>
>> Sounds like I'll have to go through the various system Rubies and SSL
>> variants and find out how broken or weird they are, and find out what
>> is needed to make them work.
>>
>
> I think you just want to call X509_STORE_set_default_paths[1], which will
> load the ca certs from the platform-appropriate trust store. There seems to
> be a ruby method for it[2]
That would be great to test - it shouldn't be necessary, since Ruby OpenSSL should do that by default, but if it fixes Ken's problem we might have some other latent ... dunno. Oddity. Change in semantics between Ruby versions. Something stupid like that.

Generally, though, you don't need to *do* anything to get Ruby OpenSSL to validate commercial certificates.

-- 
Daniel Pittman ⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
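As an added illustration of the approach the thread converges on (this is example code, not code from the thread or from Puppet): a Ruby trust store seeded only from the platform's default CA locations via `OpenSSL::X509::Store#set_default_paths` (the Ruby binding of `X509_STORE_set_default_paths`), with the project's own private CA added explicitly instead of hard-coding a `ca_path`. The self-signed CA, its name, and the host are constructed placeholders.

```ruby
require 'openssl'
require 'net/http'

# Trust store built from the platform's default CA paths only (system
# ca-certificates bundle, KeyChain via system OpenSSL, etc.), plus at most
# one explicitly supplied private CA. No hard-coded ca_path.
def build_trust_store(private_ca = nil)
  store = OpenSSL::X509::Store.new
  store.set_default_paths            # same as X509_STORE_set_default_paths
  store.add_cert(private_ca) if private_ca
  store
end

# Attach the store to a Net::HTTP client so chain validation runs against
# exactly that store, with peer verification on.
def https_client(host, store, port = 443)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http
end

# Constructed self-signed CA used only to demonstrate the private-CA case
# (hypothetical; not a real Puppet CA).
def make_self_signed_ca(cn = 'Example Private Puppet CA')
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# true only when +cert+ chains to an anchor present in +store+.
def trusted?(store, cert)
  store.verify(cert)
end
```

A CA that is not in the system bundle is rejected by the default store and accepted only once it has been added deliberately, which is the user-controlled trust the thread argues for.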