Problems using client certificates with net/https

Discussion in 'Ruby' started by Jim Clark, Nov 29, 2007.

  1. Jim Clark

    Jim Clark Guest

    I have a very basic script to access a SSL encrypted site that uses
    client certificates. Problem is that I continue to get 401 unauthorized
    error even though the certificate works in a browser and I've verified
    that the username/password used in the script to be the exact same
    values that work in a browser.

    Here is the script:

    #!c:/ruby/bin/ruby.exe
    CERT_FILE = "c:/certs/jim_nopw.pem"
    require 'net/https'
    https = Net::HTTP.new('some_website.com', 443)
    https.use_ssl = true
    https.cert = OpenSSL::X509::Certificate.new( File.read(CERT_FILE) )
    https.key = OpenSSL::pKey::RSA.new( File.read(CERT_FILE) )
    https.verify_mode = OpenSSL::SSL::VERIFY_NONE
    https.read_timeout = 120
    https.start do |https|
    request = Net::HTTP::Get.new('/default.asp')
    request.basic_auth 'DOMAIN\username', 'password'
    response = https.request(request)
    response.value
    puts response.body
    end

    This is the error output:
    401 "Unauthorized"
    C:/ruby/lib/ruby/1.8/net/http.rb:2106:in `error!'
    C:/ruby/lib/ruby/1.8/net/http.rb:2115:in `value'
    C:/MyApps/Ruby/webchecker2.rb:19
    C:/ruby/lib/ruby/1.8/net/http.rb:547:in `start'
    C:/MyApps/Ruby/webchecker2.rb:13
    C:/ruby/lib/ruby/1.8/net/http.rb:2106:in `error!': 401 "Unauthorized"
    (Net::HTTPServerException)
    from C:/ruby/lib/ruby/1.8/net/http.rb:2115:in `value'
    from C:/MyApps/Ruby/webchecker2.rb:19
    from C:/ruby/lib/ruby/1.8/net/http.rb:547:in `start'
    from C:/MyApps/Ruby/webchecker2.rb:13

    Getting back to the certificate, here is how I manipulated it from a
    browser to what I am feeding my Ruby script:

    - Export the certificate from IE7 to c:\certs\jim.pfx
    - Convert the certificate from PKCS12 format to non-password protected
    PEM format according to OpenSSL howto at
    http://www.madboa.com/geek/openssl/#cert-pkcs12:
    C:\OpenSSL\bin>openssl pkcs12 -in c:\certs\jim.pfx -out
    c:\certs\jim_nopw.pem -nodes
    Enter Import Password:
    MAC verified OK

    C:\OpenSSL\bin>type c:\certs\jim_nopw.pem
    Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: {65C0E138-9765-4B64-A591-ADC0CB302B31}
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
    Key Attributes
    X509v3 Key Usage: 10
    -----BEGIN RSA PRIVATE KEY-----
    MIICWwIBAAKBgQDGHTOVdo3SDvysWTh1OTinMWSjQhqpPcxO24KbDdyWQml7iInv
    ... lines deleted and characters changed to protect my private key
    Rf7cP02FJmftyH3D6hiK0Pzjv4a7d1vwWqj3naIB4Q==
    -----END RSA PRIVATE KEY-----
    Bag Attributes
    localKeyID: 01 00 00 00
    subject=/C=US/O=Organization/OU=ECA/OU=ORC/OU=Company/CN=Clark.James.ORC1000099999.ID
    issuer=/C=US/O=Organization/OU=ECA/OU=Certification Authorities/CN=ORC ECA
    -----BEGIN CERTIFICATE-----
    MIIEPjCCA6egAwIBAgICeYQwDQYJKoZIhvcNQWEFBQAwazELMAkG2ErEBhMCVVMx
    ... lines deleted and characters changed to alter certificate
    0/fVUv7Lx56ceXkQ7hDGiMXv32TWIp6CO+fkQkQhZ7wevA==
    -----END CERTIFICATE-----

    C:\OpenSSL\bin>


    Anyone have any thoughts on what else I should be doing?

    My environment:
    Windows XP sp2
    ruby 1.8.6 (2007-09-24 patchlevel 111) [i386-mswin32]

    Thanks in advance,
    Jim
    Jim Clark, Nov 29, 2007
    #1
    1. Advertising

  2. Jim Clark

    yermej Guest

    On Nov 29, 3:31 pm, Jim Clark <> wrote:
    > I have a very basic script to access a SSL encrypted site that uses
    > client certificates. Problem is that I continue to get 401 unauthorized
    > error even though the certificate works in a browser and I've verified
    > that the username/password used in the script to be the exact same
    > values that work in a browser.
    >
    > Here is the script:
    > <...snip...>
    >
    > Anyone have any thoughts on what else I should be doing?
    >
    > My environment:
    > Windows XP sp2
    > ruby 1.8.6 (2007-09-24 patchlevel 111) [i386-mswin32]
    >
    > Thanks in advance,
    > Jim


    The SSL portion looks right. Are you certain the server is using basic
    authentication? The error doesn't look like any errors I've gotten
    when having client cert problems.
    yermej, Nov 30, 2007
    #2
    1. Advertising

  3. > I have a very basic script to access a SSL encrypted site that uses=20
    > client certificates. Problem is that I continue to get 401=20
    > unauthorized=20
    > https.start do |https|
    > request =3D Net::HTTP::Get.new('/default.asp')
    > request.basic_auth 'DOMAIN\username', 'password'
    > response =3D https.request(request)
    > response.value
    > puts response.body
    > end
    >=20
    > This is the error output:
    > 401 "Unauthorized"


    Given the fact that you're username looks like a windows domain user
    name, I'm guessing that the server is using NTLM authentication and not
    basic authentication.

    Dan.
    Daniel Sheppard, Nov 30, 2007
    #3
  4. Jim Clark

    Jim Clark Guest

    Daniel Sheppard wrote:
    > Given the fact that you're username looks like a windows domain user
    > name, I'm guessing that the server is using NTLM authentication and not
    > basic authentication

    As Homer would say, "D'oh!". I checked the web server and it is indeed
    running "Integrated Windows Authentication". Thank you for pointing out
    what was staring me in the face.

    To get NTLM authentication working with net/https, I found
    http://code.google.com/p/ruby-httpclient/wiki/Home and thought this
    would be a good option. Reading up on it would seem all I would need to
    do is apply the patch files to ntlm.rb and open-uri.rb and change my
    authentication line from:

    request.basic_auth 'DOMAIN\username', 'password'
    to
    request.ntlm_auth 'DOMAIN\username', 'password'

    No dice though... http.rb still has no clue about NTLM authentication. I
    started to modify http.rb to handle NTLM authentication based on the
    example in rubyntlm that uses sockets but found myself getting far
    deeper into NTLM auth than I wanted to for what should be a fairly short
    and simple project.

    So, being lazy and pressed for time, I took another look and found the
    httpclient-2.1.2 library. However, documentation is sparse so does
    anyone have any good examples of it in use?

    Thanks in advance!

    -Jim
    Jim Clark, Nov 30, 2007
    #4
  5. =20
    > To get NTLM authentication working with net/https, I found=20
    > http://code.google.com/p/ruby-httpclient/wiki/Home and thought this=20
    > would be a good option. Reading up on it would seem all I=20
    > would need to=20
    > do is apply the patch files to ntlm.rb and open-uri.rb and change my=20
    > authentication line from:
    >=20
    > request.basic_auth 'DOMAIN\username', 'password'
    > to
    > request.ntlm_auth 'DOMAIN\username', 'password'


    Alternatively, if you just want to get it working, you might want
    to look at proxying your requests through
    http://ntlmaps.sourceforge.net/

    Dan.
    Daniel Sheppard, Dec 3, 2007
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. okapi
    Replies:
    0
    Views:
    3,036
    okapi
    Mar 7, 2005
  2. HTTPS certificates

    , May 20, 2008, in forum: Java
    Replies:
    0
    Views:
    434
  3. News123
    Replies:
    9
    Views:
    3,059
    vilas
    Feb 15, 2012
  4. n33470

    Are SSL certificates and x.509 certificates the same?

    n33470, Dec 14, 2005, in forum: ASP .Net Web Services
    Replies:
    0
    Views:
    176
    n33470
    Dec 14, 2005
  5. orangekay

    Client certificates with https

    orangekay, Sep 27, 2005, in forum: Ruby
    Replies:
    1
    Views:
    132
    orangekay
    Sep 30, 2005
Loading...

Share This Page