Creates an SSL_CERT_FILE on OSX (when using Homebrew) that won't break JRuby. Make sure you run this with normal ruby, not JRuby! See https://github.com/jruby/jruby-openssl/issues/56
```ruby
#!/usr/bin/env ruby
# Parts stolen with no regret from Homebrew's OpenSSL formula.

require 'fileutils'
require 'openssl'
require 'digest/md5'
require 'digest/sha1'

CERT_FILE = ENV.fetch('SSL_CERT_FILE', '/usr/local/etc/openssl/cert.pem')

keychains = %w(
  /Library/Keychains/System.keychain
  /System/Library/Keychains/SystemRootCertificates.keychain
)

# Get all the certs!
# We filter out:
# * Not yet valid certificates
# * Expired certificates
# * Certificates with multiple extendedKeyUsage extensions break Java/JRuby.
#   See https://github.com/jruby/jruby-openssl/issues/56
certs = `security find-certificate -a -p #{keychains.join(' ')}`
  .scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
  .map { |pem| OpenSSL::X509::Certificate.new pem }
  .reject { |cert| cert.not_before > Time.now }
  .reject { |cert| cert.not_after < Time.now }
  .reject { |cert| cert.extensions.map(&:oid).count { |x| x == 'extendedKeyUsage' } > 1 }

# Write out the new certs.
File.open(CERT_FILE, 'w') do |f|
  certs.each do |cert|
    md5_fingerprint  = Digest::MD5.hexdigest(cert.to_der).upcase
    sha1_fingerprint = Digest::SHA1.hexdigest(cert.to_der).upcase

    f.puts
    f.puts '=' * 60
    f.puts "Subject: #{cert.subject}"
    f.puts "Issuer: #{cert.issuer}" unless cert.issuer.to_s == cert.subject.to_s
    f.puts
    f.puts "Not Before: #{cert.not_before}"
    f.puts "Not After: #{cert.not_after}"
    f.puts "MD5 Fingerprint: #{md5_fingerprint}"
    f.puts "SHA1 Fingerprint: #{sha1_fingerprint}"
    f.puts
    f.puts cert.to_pem
  end
end

puts <<MESSAGE
You need to ensure that you export the SSL_CERT_FILE environment variable.
In sh/zsh/bash use:

    export SSL_CERT_FILE='#{CERT_FILE}'
MESSAGE

# EOF
```
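The three filters above, applied to test certificates rather than to the keychain, as an added example that is not part of the gist: `make_cert` builds self-signed certificates (constructed sample data, not real CAs), including one that carries two extendedKeyUsage extensions, so you can see which certificates the script would drop and why before pointing SSL_CERT_FILE at the result.

```ruby
require 'openssl'

# Split a PEM bundle (e.g. `security find-certificate -p` output) into certificates.
def parse_bundle(pem_bundle)
  pem_bundle.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
            .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Why the gist would drop this certificate, or nil if it is kept.
def rejection_reason(cert, now = Time.now)
  return 'not yet valid' if cert.not_before > now
  return 'expired' if cert.not_after < now
  eku = cert.extensions.count { |e| e.oid == 'extendedKeyUsage' }
  return "#{eku} extendedKeyUsage extensions (breaks Java/JRuby)" if eku > 1
  nil
end

# The gist's three filters applied to an enumerable of certificates.
def usable_certs(certs, now = Time.now)
  certs.reject { |c| rejection_reason(c, now) }
end

# Self-signed test certificate; constructed sample data, not a real CA.
def make_cert(cn, not_before:, not_after:, eku_count: 1)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  # X509_add_ext appends without a duplicate check, reproducing the multi-EKU shape.
  eku_count.times { cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth')) }
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

if $PROGRAM_NAME == __FILE__
  now = Time.now
  certs = [
    make_cert('good', not_before: now - 3600, not_after: now + 3600),
    make_cert('double-eku', not_before: now - 3600, not_after: now + 3600, eku_count: 2),
    make_cert('expired', not_before: now - 7200, not_after: now - 60)
  ]
  certs.each { |c| puts "#{c.subject}: #{rejection_reason(c, now) || 'kept'}" }
  puts "#{usable_certs(certs, now).size} of #{certs.size} certificates usable"
end
```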