annoying openssl error - facebook graph api, authlogic, oauth2

a strange bug i encountered that doesn't seem well-documented anywhere out there on the internetz: i've been trying to get authlogic, oauth2, and facebook's graph api to all cooperate with each other.  everything works fine except i get an error after authorizing facebook:


OpenSSL::SSL::SSLError in UsersController#create

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed



quick fix is to tell openssl to ignore certificate verification by opening /opt/local/lib/ruby/<version of ruby>/openssl/ssl.rb

change the line:

:verify_mode => OpenSSL::SSL::VERIFY_PEER

to this:

:verify_mode => OpenSSL::SSL::VERIFY_NONE

edit: another fix i found to work on rails 3 where the fix above didn't work can be found on stackoverflow.
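setting VERIFY_NONE in ssl.rb turns off server authentication for every ruby program on the machine; the error itself commonly means openssl has no ca bundle to check the chain against. as an added example (not code from the original post), this keeps VERIFY_PEER and hands the trust anchors to one connection; the ca, the server certificate and the host name graph.example.test are constructed for the demo.

```ruby
require "openssl"
require "net/http"

# Trust store built from explicit CA certificates and/or a PEM bundle file.
def trust_store(ca_certs: [], ca_file: nil)
  store = OpenSSL::X509::Store.new
  ca_certs.each { |c| store.add_cert(c) }
  store.add_file(ca_file) if ca_file
  store
end

# Per-connection alternative to editing ssl.rb: verification stays on and
# the client is told which CAs to trust.
def verified_http(host, store)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http # nothing is sent until http.start / http.request is called
end

# Constructed sample PKI (not real certificates): self-signed CA when no
# issuer is given, otherwise a server certificate signed by that issuer.
def make_cert(cn, key, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = issuer ? 2 : 1
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", issuer ? "CA:FALSE" : "CA:TRUE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  srv_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert("Constructed Test CA", ca_key)
  server = make_cert("graph.example.test", srv_key, issuer: ca, issuer_key: ca_key)
  { with_ca: trust_store(ca_certs: [ca]).verify(server), # chain resolves to a trusted CA
    without_ca: trust_store.verify(server),              # the "certificate verify failed" case
    mode: verified_http("graph.example.test", trust_store(ca_certs: [ca])).verify_mode }
end

p demo if __FILE__ == $0
```

for a real endpoint, pass `ca_file:` a pem bundle that contains the issuing ca instead of the constructed certificate.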

hacker news directory: meet people from other companies who read hacker news

for hacker news directory, we thought it would be useful for students who go off to do summer internships at companies like google and facebook to be able to find others who also are interested in startups and read hacker news.  jon speiser has added support for companies, similar to how we currently support students from different schools.  you can also look at it as a way to potentially find cofounders from either the company you work at, or someone from another company.

you can login, see a list of companies, the employees that work there, along with programming languages they know, startups they've worked at, their hacker news id, what they majored in at school, and so on.

tell us if you'd like your company e-mail address added, and who knows, maybe you'll find someone else who works there and is interested in startups.

at some point, we want to open it up to allow students at schools to communicate with employees at companies (would this be useful?).  for now, the two groups are separate and cannot see each other.  if you join, you can see employees from other companies, but you can't see any students (and students cannot see you).

if you're a student and already have an account, just create a new one using your company e-mail.  we currently don't link the two accounts, but might in the future.

let us know what you think.  current list of companies in there: facebook, twitter, google, apple, mozilla, microsoft, ycombinator, and loopt.  we hope this grows.

ssl certificates with godaddy and heroku

none of the guides out there are very good for this.  a very high-level description of these steps is included at the very end of this article.

to set up ssl certificates with a godaddy domain and heroku hosting:

from godaddy's control panel:

  1. purchase an ssl certificate from godaddy ($30/year)
  2. set the certificate up, using "" as the domain name (if you don't know what you're doing, be sure to use, and not "")
  3. you might see a screen where they ask you for a certificate or key.  leave this screen in the background for now, we'll come back to it.

from your ruby on rails project root folder (ie one level above /app), do the following from terminal:

  1. mkdir ssl-cert
  2. cd ssl-cert
  3. openssl genrsa -des3 -out host.key 2048
  4. (enter a passphrase that you can remember when asked, you'll need it later)
  5. openssl req -new -key host.key -out host.csr
  6. (answer all the questions, but be very careful to use "" under the "organizational unit name" and "common name" fields)

here's an example:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Mountain View
Organization Name (eg, company) [Internet Widgits Pty Ltd]: My Company Name
Organizational Unit Name (eg, section) []
Common Name (eg, YOUR name) []

Email Address []

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

from your rails project:

  1. copy the contents of host.csr and paste them into godaddy's form, where they ask for your certificate signing request.  note: if you screw something up and do these steps over, you can just "rekey" your ssl certificate (although if you create a certificate using something like "" you have to start all over with a new certificate--call godaddy, get a refund, and build a new certificate from scratch using the proper domain name)
  2. download the certificate from godaddy (either via e-mail or the control panel) and unzip the file to your desktop.  it's very important that you combine the two files in this zip file now, so run the following in terminal from your desktop:
  3. cat gd_bundle.crt > mydomain_combined.crt
  4. move your mydomain_combined.crt file to the ssl-cert folder in your rails project
  5. cat mydomain_combined.crt host.key > host.pem

now we need to remove the pass phrase for heroku to properly boot the ssl certificate.  from your rails project:

  1. openssl rsa -in host.pem -out nopassphrase.pem
  2. openssl x509 -in host.pem >>nopassphrase.pem
  3. openssl rsa -in host.key -out nopassphrase.key

and finally, add the keys to heroku and be sure you have all the proper add-ons.  from your rails project:

  1. heroku ssl:add ssl-cert/nopassphrase.pem ssl-cert/nopassphrase.key
  2. heroku addons:add custom_domains:basic
  3. heroku domains:add
  4. heroku addons:add ssl:hostname

this adds a $20/month fee for ssl.  heroku will e-mail you a domain that looks like  you need to go back to godaddy and insert a CNAME record with this domain pointing to

test it out from your rails project using "host" and be sure the output is your domain (and not

after all of this, you should be able to visit without any errors or warnings.

here's how all of this works:


  1. you use godaddy as an ssl certificate provider
  2. you create your keys with proper certificate information about yourself in your rails project, send them to godaddy, and godaddy provides you with downloadable certificate files
  3. you send your keys to heroku and use the ssl hostname add-on
  4. when a user visits your site using, they're hitting your godaddy CNAME record, which points to an amazonaws address which effectively routes the request to heroku's grid, and a secure connection gets established from there following the standard SSL handshake process.
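a wrong common name in the csr means rekeying or starting over, and heroku needs a key without a passphrase, so both are worth checking before anything is pasted into godaddy's form. this is an added example, not part of the original guide; it assumes an rsa key as produced by openssl genrsa, and www.example.com and the passphrase are constructed placeholders.

```ruby
require "openssl"

# true when the PEM key still carries a passphrase (either the traditional
# "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 "ENCRYPTED PRIVATE KEY" block)
def passphrase_protected?(key_pem)
  key_pem.include?("ENCRYPTED")
end

# Returns a list of problems; an empty list means the CSR and key agree.
# Assumes an RSA key, as produced by `openssl genrsa` in the steps above.
def check_csr(csr_pem, key_pem, expected_cn, passphrase = nil)
  if passphrase_protected?(key_pem) && passphrase.nil?
    return ["key is passphrase-protected and no passphrase was given"]
  end
  csr = OpenSSL::X509::Request.new(csr_pem)
  key = OpenSSL::PKey.read(key_pem, passphrase)
  cn = csr.subject.to_a.select { |name, _, _| name == "CN" }.map { |_, value, _| value }.first
  problems = []
  problems << "common name is #{cn.inspect}, expected #{expected_cn.inspect}" unless cn == expected_cn
  problems << "CSR signature does not verify" unless csr.verify(csr.public_key)
  problems << "RSA key is shorter than 2048 bits" if csr.public_key.n.num_bits < 2048
  problems << "private key does not match the CSR" unless key.n == csr.public_key.n
  problems
end

# Constructed sample input: a throwaway key and CSR for a placeholder host name.
def sample_csr(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([["O", "My Company Name"], ["CN", cn]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new("SHA256"))
  [csr.to_pem, key]
end

if __FILE__ == $0
  csr_pem, key = sample_csr("www.example.com")
  locked = key.to_pem(OpenSSL::Cipher.new("aes-256-cbc"), "constructed-passphrase")
  p check_csr(csr_pem, locked, "www.example.com", "constructed-passphrase")
  p check_csr(csr_pem, key.to_pem, "example.com")
  p passphrase_protected?(key.to_pem)
end
```

against real files, call check_csr with File.read("ssl-cert/host.csr") and File.read("ssl-cert/host.key"), and run passphrase_protected? on nopassphrase.key before the heroku ssl:add step.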


re: the web sucks

TL;DR: what are you trying to do right now that you can't already on the web?

i've followed the discussion about the web sucks with some interest.  i've spoken with a few people about it, and i've decided that i just don't understand what's being proposed.

i asked joe hewitt what exactly he was trying to accomplish.  his response: "anything that involves a camera, a microphone, or a video stream."  i responded that it's already possible, unless he's referring to mobile devices.  am i missing something here?

i can understand that the web feels like one giant bandaid.  i feel exactly the same way.  but you can do almost anything on the web that you want to right now, outside of accessing some of the native iphone functionality, for example. there are conflicting interests when you try and get specific about some of this stuff.

"browsers should throw standards out the window, just be innovative"

it's not my opinion, but i think most of the developers out there share this sentiment.  it's a hassle to build your product to work across different browsers.  i don't consider it being lazy, i just am not attracted to that scene.  i went through that in the 90s.  in order for me to be lazy, i need to actually want what the browser is offering, and then refuse to build for it.  otherwise it's just unnecessary to me.

i would guess that most people are drawn to iphone development because there are so many people using iphones.  cocoa and xcode are great tools to work with, but i don't think that's the primary reason a lot of developers are choosing to develop for the iphone.

i'll build something if it's cool but only works for one browser.  but that approach won't work for companies with a larger user base.  they now have to make every single change across different browsers, and possibly different versions within each browser.

"the web is dying"

i don't think the web is dying.  i think there's just more usage outside the web.

you may use facebook on your iphone, but you also use it on your laptop or desktop.  the only thing that happened with the proliferation of mobile devices is you're now able to use the applications more than you could have before.  so now when i'm standing in line at starbucks, i can write on a friend's wall.  but when i'm back at home on my computer, i'm still living in the browser.  i definitely don't use the browser as much while i'm on my phone, but that doesn't really take away from time i would be spending from my work/personal computer.

in order for the web to disappear, people have to get rid of their computers, because they live in their browsers on their computers.  maybe if the ipad replaces the laptop, that's possible.  but in a world where everyone uses an ipad to work from, i think they're still going to live in their browser.  are they going to launch the native wikipedia app every time they want to do a search there, or will they just open a new tab in their safari browser?  i would think the latter.

i think one example used was abc.  the argument is because the native app is better, people will end up going to far less often.  i doubt i'm going to pick up my iphone and open the abc app, when i'm here on my computer and could just open a new tab.  if the app is that much better on the iphone, maybe could benefit from a ui/ux redesign.  there's nothing on the iphone that makes it better which you can't already do on the web (including the ui elements, animation effects, gps awareness, etc).

i'm all for doing things a better way, but if people are going to rant, it'd be nice if they suggested something specific.  maybe write out their thoughts in an essay, because i can't understand it in 25 tweets.

it's nice to have a culture that isn't happy with the status quo.  but all of this doesn't really translate to anything productive if we can't at the end of the day actually do something to improve the web.  if someone is trying to create an interest in a new browser, you've got my attention and i'm eager to learn about it.  but beyond that, i wouldn't depend on the w3c to change their ways.

at the very least, i want to understand what's being proposed before i get behind it.  right now, i can't say that i really do.

i disagree with you, dave

this is a response to dave mcclure's post on check-ins and coupons vs. game mechanics.

first off, i don't think this type of stuff is well received in general because it's written by what looks like a lolcats text generator. but i'm the guy who uses lowercase all the time, so i can't really criticize (lowercase is cooler though, seriously).

point by point:

1) coupons

yeah coupons are cool, and they're more valuable than a badge or point. that's obvious. however, any LBS app deals with a chicken and egg problem. without users, you cannot attract retailer deals. and consider that these apps, with the check-in capability, require a gps-enabled device. how many penny-pinching people out there both own a high-end smartphone and also chase after coupons? coupons on a mobile device are cool, but the majority of people with gps devices are using expensive phones and expensive plans.  if anything, the game mechanics are a fun way to get users engaged and it makes sense that coupons would follow.

i like the way elon musk answered a particular question (9:00) about lowering gas prices and its potential negative effect on tesla:

"i don't think [the lowered gas prices] was a huge impact [on us]. most people aren't buying a $100,000 sports car to save money on gas."

even at that, coupons already exist in many apps.  loopt has coupons in the form of advertisements in its core product, and coupons also exist in foursquare.  unless groupon decides to focus exclusively on location-based coupon redemption, i don't know of an app that is growing faster than loopt or foursquare which offers location deals on mobile devices.

the business needs to benefit too.  they can't just give money away, that's not part of their business model.  you have to require users to check-in no matter what, so what's the problem with adding extra incentives?

2) user acquisition

twitter took 2 years to gain 1 million users.  that's a fair comparison because they started as a mobile company.  you cannot compare web startups to mobile startups; the cost of acquisition is enormously higher. on an iphone, you have to tell the user what your app is called, they need to type it into the app store, download it, open it, and register using a small keypad.  on the computer, they fill out a form and they're done.  facebook cannot be used as a comparison or benchmark, nor any other web startup.  there is only one exception that i know of here: bump.

3) funds required

didn't read much into this.  a lot of assumptions made, and random numbers.

some of the best things have been built because the founders were frugal and didn't have access to $500mm to acquire users.  i'd say most LBS apps are still ahead of their time considering the cost and reach of gps-enabled phones.

hacker news directory: search + projects

two new features were added to hacker news directory today, which has close to 700 undergraduate hackers from colleges in the united states.  jonathan speiser (@jspeis), an undergrad studying computer science at the university of maryland, gets the credit for these.

i added jonathan to the git account and i've been impressed by how quickly he has contributed code to the project.  he had no prior understanding of php before getting involved, and i explained the entire code base within an hour over the phone.  he added both the search and projects features below in 2 days.  we hope these are useful, particularly if you are an undergrad and seeking a cofounder.


you can now search the entire directory for hackers with particular tags in their profiles. a few sample searches:

  • there are 21 hackers who know "ruby"
  • there are 47 hackers who know "python"
  • there are 32 hackers who know "php"
  • there is 1 hacker who knows "vb" (private sub form_load!)


projects are a way to get feedback on what you're building and may encourage people to work on projects together (it's important that you do this stuff while you're in school so that you establish trust with friends and are able to do startups successfully in the future).


you'll now receive an e-mail whenever a student joins your network (your school).


getting "out of space" errors on the iphone

found something strange happen, my iphone said 11 GB of space was taken by "other" inside of itunes.  SSH'ed to the phone and ran this command: find . -size +500M

saw that the log file for an app called Rock was 11 GB.  deleted it and rebooted, all fixed.

"he's got the whole world in his hand"

"What's this?" asked one of the policemen.

"A music synthesizer," Wozniak replied.

"What's this orange button for?"

"Oh, that's for calibration," Jobs interrupted.

"It's a computer-controlled synthesizer," Wozniak elaborated.

"Where's the computer then?"

"That plugs inside," Jobs said.

But the most lucrative and amusing part was the blue box. Wozniak showed its virtues to his friends. Wozniak made some calls to his sister who was working on a kibbutz in Israel.  On Jobs's urging the pair turned a pastime into a small business and began selling the devices. "He wanted money," Wozniak said of his partner.

The pair employed their own marketing techniques for uncovering customers and boosting sales. They crept along the corridors of male dormitories at Berkeley (convinced that few women would be interested in their little device), knocking on doors and measuring the response to their rehearsed patter.  "Is George here?" one of them would ask cagily. "George?" came the surprised response. "Yeah, George. You know the blue-box guy. The guy who does the phone tricks. The guy who has the blue box to make free long-distance phone calls." Jobs and Wozniak watched the expression of their potential customer. If they were greeted with puzzled, timid looks they apologized for knocking on the wrong door and padded off down the hallway. If their ploy provoked a curious response, the potential customer was invited to attend a blue-box demonstration.

After a few weeks the dormitory sales pitches assumed a pattern. Wozniak hooked a tape recorder to the telephone with some alligator clips and he and Jobs explained the basic principles of the blue box.  Then they followed up with a display of its power. Wozniak, in particular, relished being the center of attention. "It was a big show-off thing." On one occasion Jobs used the box to make room reservations for a large party at the Ritz Hotel in London and, unable to suppress his giggles, handed the receiver to Wozniak. Another time Wozniak pretended to be the Secretary of State Henry Kissinger and phoned the Vatican asking to be connected to the Pontiff.

The demonstrations provoked curiosity and Jobs and Wozniak made cassette tapes of tones that friends would need to call their favorite long-distance numbers.  Jobs arranged a supply of about $40 worth of parts and Wozniak took about four hours to wire a box which was then sold for about $150. To cut down on time it took to build boxes the pair decided to stop wiring the boxes by hand and to have a printed circuit board made. Instead of spending four hours wiring a box, Wozniak could now finish a box within an hour. He also added another feature that turned one button into an automatic dialer. A small speaker and battery were attached to the printed circuit board, a keypad glued to the lid, and when all was finished, a card bearing a message in purple felt pen was taped to the bottom. It read "He's got the whole world in his hand" and it was linked to an informal guarantee. Wozniak promised that if a faulty box was returned and still contained the card he would repair it free of charge.

Return to Little Kingdom, Michael Moritz