using certificates with ActiveResource

I'm trying to hack ActiveResource to use a self-signed certificate when connecting to my RESTful rails app (seems like a pretty glaring hole that it doesn't offer this out of the box... though I guess it is alpha software).

I started out going through the ActiveResource code looking for somewhere I could set the cert and key. Didn't find it, so I took the approach of overriding Net::HTTP#cert and Net::HTTP#key to return my cert and key:

(environment.rb)
require 'net/https'

class Net::HTTP
   def cert
     OpenSSL::X509::Certificate.new(File.read(RAILS_ROOT + "/config/certs/client_signed.pem"))
   end
   def key
     OpenSSL::PKey::RSA.new(File.read(RAILS_ROOT + "/config/certs/client.key"))
   end
end

That still wasn't working... I think I was getting an SSL error. So, I took a detour off to write a standalone ruby script to do the connection using the cert and key. After much trial and error, I finally got Apache to accept the cert. I wasn't able to get the actual data from the REST service because my xml input gets url-encoded, but that's ok... I really want to get this working with ActiveResource, not by using Net:HTTP directly.

The solution that ultimately made Apache happy with that standalone code was to also set Net::HTTP.verify_mode to OpenSSL::SSL::VERIFY_PEER and to provide the certificate authority file that I used to sign the cert to Net:HTTP and Apache.

So, I added these things to environment.rb, giving me:

class Net::HTTP
   def cert
     OpenSSL::X509::Certificate.new(File.read(RAILS_ROOT + "/config/certs/client_signed.pem"))
   end
   def key
     OpenSSL::PKey::RSA.new(File.read(RAILS_ROOT + "/config/certs/client.key"))
   end
   def ca_file
     RAILS_ROOT + "/config/certs/cacert.pem"
   end
   def verify_mode
     OpenSSL::SSL::VERIFY_PEER
   end
end

But ActiveResource gives me no love... or rather Apache once again gives me the error I was getting before I added the CA stuff to my standalone script:

SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?

I've put debug statements in ActiveResource::Connection right before it makes the call and it is ssl, it is verify peer, it has my cert, my key and my cert authority... but it doesn't work.

Any help, ideas, suggestions... anything would be great.

Ben