OpenSSL::SSL::SSLError: hostname does not match the server certificate

Ratatouille · Apr 21, 2014

All of a sudden this morning my HTTP client (HTTParty) threw an error: OpenSSL::SSL::SSLError: hostname does not match the server certificate

Firstly, I'm not able to understand why today; we have been making that API call almost all day, a number of times, for the past 2 years without any issue.

Secondly, I don't understand how to solve it, since it is internal to HTTParty.

The only thing I know of is that I can't set SSL_CERT_FILE in ENV, but as said I already have the root CA listed in my /etc/ssl/certs (SSL_CERT_DIR).

Here is my output:

irb(main):001:0> require "openssl"
=> true
irb(main):002:0> puts OpenSSL::OPENSSL_VERSION
OpenSSL 1.0.1 14 Mar 2012
=> nil
irb(main):003:0> puts "SSL_CERT_FILE: %s" % OpenSSL::X509::DEFAULT_CERT_FILE
SSL_CERT_FILE: /usr/lib/ssl/cert.pem
=> nil
irb(main):004:0> puts "SSL_CERT_DIR: %s" % OpenSSL::X509::DEFAULT_CERT_DIR
SSL_CERT_DIR: /usr/lib/ssl/certs

Lastly, as said, nothing has changed on OpenSSL and code-wise the only thing that has happened is the patch to the OpenSSL version, citing the HEARTBLEED vulnerability.

Mind you, we just patched the OpenSSL version but didn't recompile Ruby; could that be an issue for this?

Ruby in question is ruby 1.9.3p327

Net::HTTP library is version httparty-0.13.0

NOTE: As a solution I didn't expect to have VERIFY_NONE options in OpenSSL.

Answer

Steffen Ullrich · Apr 21, 2014

It's hard to be sure without knowing the host you are connecting to, but I guess that they simply changed the certificate at the server's end. The problem might be that your script does not support SNI (server name indication, e.g. multiple host names and certificates behind the same IP), but the server providers now changed the default certificate for this site (the one which is used if the client does not support SNI).

But like I said, it's hard to be sure with this lack of details in the question.
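The situation the answer describes can be reproduced on loopback. This is an added example, not code from the question or the answer: a constructed TLS server picks its certificate by SNI and falls back to a default one, and a client runs the hostname check with and without sending the name. The host names, the throwaway certificates and the helper names (site, check, sni_demo) are assumptions made for illustration.

```ruby
require "openssl"
require "socket"

# Throwaway self-signed certificate and server context for one constructed name.
def site(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension("subjectAltName", "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  [cert, ctx]
end

# Connect to the local server and run the hostname check, with or without SNI.
def check(port, store, name, send_sni)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER   # chain verification stays on
  ctx.cert_store = store
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), ctx)
  ssl.sync_close = true
  ssl.hostname = name if send_sni               # puts the name in the ClientHello
  ssl.connect
  ssl.post_connection_check(name)               # raises on a name mismatch
  "ok: #{ssl.peer_cert.subject}"
rescue OpenSSL::SSL::SSLError => e
  "error: #{e.message}"
ensure
  ssl&.close
end

def sni_demo(name = "api.example.test")
  default_cert, default_ctx = site("default.example.test")
  named_cert, named_ctx = site(name)
  # Server side: a client that sends the known name gets its certificate, others the default.
  default_ctx.servername_cb = proc { |_sock, sni| sni == name ? named_ctx : nil }
  tcp = TCPServer.new("127.0.0.1", 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, default_ctx)
  Thread.new { loop { server.accept.close rescue nil } }
  store = OpenSSL::X509::Store.new.add_cert(default_cert).add_cert(named_cert)
  { with_sni: check(tcp.addr[1], store, name, true), without_sni: check(tcp.addr[1], store, name, false) }
end

p sni_demo if __FILE__ == $PROGRAM_NAME
```

Both certificates are trusted by the client's store, so the failure in the second case comes only from the name check: the chain is valid, but it belongs to the default site.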