altitdb/win-ruby-ssl-error.md

## win-ruby-ssl-error.md

      
    Raw
  

              win-ruby-ssl-error.md
            
          
    [Solved] The SSL_connect returned=1 errno=0 state=SSLv3 read server certificate-Error on Ruby for Windows

The Issue

When you try to install (or update) a Ruby gem from your Windows command line and get an error like, for example, the following:
> gem install compass
ERROR:  Could not find a valid gem 'compass' (>= 0), here is why:
        Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)

you can (try to) fix it as follows.

Solution(s)

"Solution" #1: Change default source host from https:// to http://

This solution will work 100% and is the fastest on top. However, switching permanently to an insecure source connection is highly discouraged! That being said, here's how to do it:
# 1. Add insecure source
> gem sources -a http://rubygems.org/
https://rubygems.org is recommended for security over http://rubygems.org/

Do you want to add this insecure source? [yn]  y
http://rubygems.org/ added to sources

# 2. Remove secure source
> gem sources -r https://rubygems.org/
https://rubygems.org/ removed from sources

# 3. Update source cache
> gem sources -u
source cache successfully updated

That's it, you're all done. NO MORE SECURE CONNECTION!

Solution #2: Add Rubygems' latest SSL root CAs


1. Navigate to `C:\Ruby200-x64\lib\ruby\2.0.0\rubygems\ssl_certs` _(adjust to fit your install path)_.
2. If there're no such a files, download these new ¹ trusted root certificates from the Rubygems' Github site into the folder:  
   1. Save [**this file**](https://raw.githubusercontent.com/rubygems/rubygems/master/lib/rubygems/ssl_certs/AddTrustExternalCARoot.pem) as **`AddTrustExternalCARoot.pem`**².
   2. Save [**this file**](https://raw.githubusercontent.com/rubygems/rubygems/master/lib/rubygems/ssl_certs/AddTrustExternalCARoot-2048.pem) as **`AddTrustExternalCARoot-2048.pem`**^{2, 3}.
3. Now try again to install the gem.
   - `if (true): echo "Congrats, we're done."; exit; `
   - `else: // try Solution #3` 
--


¹: As of Nov 2014. (Ref)

²: Make sure that the files are actually saved as .pem and not as .pem.txt files!

³: Required for some versions of OpenSSL. (Ref)


Solution #3 and #4: Convert Mozilla's SSL root Bundle-CAs


1. Navigate to `C:\Ruby200-x64\lib\ruby\2.0.0\rubygems\ssl_certs` _(adjust to fit your install path)_.
2. Download Mozilla's CA Bundle Certificate **as `ca-bundle.crt`** into the folder, 
   using [**this link**](https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt).
3. Assuming `openssl` is in your `PATH`, from the command line, in the same folder, run:  
   `openssl x509 -in ca-bundle.crt -out MozBundleCA.pem -outform PEM`
4. Now try to install the gem again.  
   - `if (true): echo "Congrats, we're done."; exit; `
   - `else: // repeat step 2 and 3 (but with another crt file)`  
     1. Download Mozilla's **deprecated** CA Bundle Certificate (/w RSA-1024 support)  
        **as `ca-bundle-1024.crt`** into the folder, using [**this link**](https://github.com/bagder/ca-bundle/blob/e9175fec5d0c4d42de24ed6d84a06d504d5e5a09/ca-bundle.crt).
     2. Back on the command line run:  
     `openssl x509 -in ca-bundle-1024.crt -out MozBundleCA.rsa1024.pem -outform PEM`
   - Now try again to install the gem.
     - `if (true): echo "Congrats, we're done."; exit; `
     - `else: // try Solution #5` 

Solution #5: Add older SSL root CAs (by Rubygems, Mozilla & startssl.com)


1. Navigate to `C:\Ruby200-x64\lib\ruby\2.0.0\rubygems\ssl_certs` _(adjust to fit your install path)_.
2. If there's no such a file, download DigiCert's High Assurance EV Root CA trust certificate from the rubygems Github site **as `DigiCertHighAssuranceEVRootCA.pem`** in to the folder, using [**this link**](https://raw.githubusercontent.com/rubygems/rubygems/0b5185e5ab9378edbeecba03bd9c93978c937e41/lib/rubygems/ssl_certs/DigiCertHighAssuranceEVRootCA.pem).
3. Download Mozilla's converted CA Certificate **as `cacert.pem`** from the cURL project website to the folder, using [**this link**](http://curl.haxx.se/ca/cacert.pem).
4. Download startssl.com's CA Bundle Certificate **as `ca-bundle-startssl.pem`** from their website to the folder, using [**this link**](https://www.startssl.com/certs/ca-bundle.pem).
5. Now try again to install the gem.
   - `if (true): echo "Congrats, we're done."; exit; `
   - `else: // go drink a beer!` 

References


Rubygems Help Forum (help.rubygems.org)
Rubygems Bugtracker, Issue #704 (github.com)
Rubygems Bugtracker, Issue #1050 (github.com)
Rubygems Command Reference (guides.rubygems.org)
Rubygems Commit/Patch #1 (github.com)
Rubygems Commit/Patch #2 (github.com)
Rubygems Commit/Patch #3 (github.com)
Solution #2 (github.com)
Solution #4 (github.com)
"Automatically converted CA Certs from mozilla.org" (curl.haxx.se)
"Gradually Sunsetting SHA-1" (blog.chromium.org)
"Workaround RubyGems' SSL errors on Ruby for Windows" (gist.github.com), by @luislavena

A copy of this guide (guides.rubygems.org)!?