Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
SSL Error with Ruby on Windows when trying to install a gem from command line.

[Solved] The SSL_connect returned=1 errno=0 state=SSLv3 read server certificate-Error on Ruby for Windows

The Issue

When you try to install (or update) a Ruby gem from your Windows command line and get an error like, for example, the following:

> gem install compass
ERROR:  Could not find a valid gem 'compass' (>= 0), here is why:
        Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)

you can (try to) fix it as follows.


Solution(s)

"Solution" #1: Change default source host from https:// to http://

This solution will work 100% and is the fastest on top. However, switching permanently to an insecure source connection is highly discouraged! That being said, here's how to do it:

# 1. Add insecure source
> gem sources -a http://rubygems.org/
https://rubygems.org is recommended for security over http://rubygems.org/

Do you want to add this insecure source? [yn]  y
http://rubygems.org/ added to sources

# 2. Remove secure source
> gem sources -r https://rubygems.org/
https://rubygems.org/ removed from sources

# 3. Update source cache
> gem sources -u
source cache successfully updated

That's it, you're all done. NO MORE SECURE CONNECTION!


Solution #2: Add Rubygems' latest SSL root CAs


1. Navigate to `C:\Ruby200-x64\lib\ruby\2.0.0\rubygems\ssl_certs` _(adjust to fit your install path)_. 2. If there're no such a files, download these new 1 trusted root certificates from the Rubygems' Github site into the folder: 1. Save [**this file**](https://raw.githubusercontent.com/rubygems/rubygems/master/lib/rubygems/ssl_certs/AddTrustExternalCARoot.pem) as **`AddTrustExternalCARoot.pem`**2. 2. Save [**this file**](https://raw.githubusercontent.com/rubygems/rubygems/master/lib/rubygems/ssl_certs/AddTrustExternalCARoot-2048.pem) as **`AddTrustExternalCARoot-2048.pem`**2, 3. 3. Now try again to install the gem. - `if (true): echo "Congrats, we're done."; exit; ` - `else: // try Solution #3`

--

1: As of Nov 2014. (Ref)
2: Make sure that the files are actually saved as .pem and not as .pem.txt files!
3: Required for some versions of OpenSSL. (Ref)


Solution #3 and #4: Convert Mozilla's SSL root Bundle-CAs


1. Navigate to `C:\Ruby200-x64\lib\ruby\2.0.0\rubygems\ssl_certs` _(adjust to fit your install path)_. 2. Download Mozilla's CA Bundle Certificate **as `ca-bundle.crt`** into the folder, using [**this link**](https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt). 3. Assuming `openssl` is in your `PATH`, from the command line, in the same folder, run: `openssl x509 -in ca-bundle.crt -out MozBundleCA.pem -outform PEM` 4. Now try to install the gem again. - `if (true): echo "Congrats, we're done."; exit; ` - `else: // repeat step 2 and 3 (but with another crt file)` 1. Download Mozilla's **deprecated** CA Bundle Certificate (/w RSA-1024 support) **as `ca-bundle-1024.crt`** into the folder, using [**this link**](https://github.com/bagder/ca-bundle/blob/e9175fec5d0c4d42de24ed6d84a06d504d5e5a09/ca-bundle.crt). 2. Back on the command line run: `openssl x509 -in ca-bundle-1024.crt -out MozBundleCA.rsa1024.pem -outform PEM` - Now try again to install the gem. - `if (true): echo "Congrats, we're done."; exit; ` - `else: // try Solution #5`

Solution #5: Add older SSL root CAs (by Rubygems, Mozilla & startssl.com)


1. Navigate to `C:\Ruby200-x64\lib\ruby\2.0.0\rubygems\ssl_certs` _(adjust to fit your install path)_. 2. If there's no such a file, download DigiCert's High Assurance EV Root CA trust certificate from the rubygems Github site **as `DigiCertHighAssuranceEVRootCA.pem`** in to the folder, using [**this link**](https://raw.githubusercontent.com/rubygems/rubygems/0b5185e5ab9378edbeecba03bd9c93978c937e41/lib/rubygems/ssl_certs/DigiCertHighAssuranceEVRootCA.pem). 3. Download Mozilla's converted CA Certificate **as `cacert.pem`** from the cURL project website to the folder, using [**this link**](http://curl.haxx.se/ca/cacert.pem). 4. Download startssl.com's CA Bundle Certificate **as `ca-bundle-startssl.pem`** from their website to the folder, using [**this link**](https://www.startssl.com/certs/ca-bundle.pem). 5. Now try again to install the gem. - `if (true): echo "Congrats, we're done."; exit; ` - `else: // go drink a beer!`

References

@ceddlyburge

This comment has been minimized.

Copy link

commented Nov 1, 2016

Excellent page. Sadly only solution 1 worked for me.

@enzoariel

This comment has been minimized.

Copy link

commented Nov 4, 2016

Muchas Gracias!! La solución 5 funcionó en mi caso

@quebagunca

This comment has been minimized.

Copy link

commented Nov 8, 2016

Thank you so much, solved with #3

@jmauerhan

This comment has been minimized.

Copy link

commented Nov 16, 2016

Thank you so much! Solution #1 worked for me (Windows 10)

@deepakkj

This comment has been minimized.

Copy link

commented Nov 17, 2016

Thank you. It worked like magic !!

@vchinthakunta

This comment has been minimized.

Copy link

commented Nov 18, 2016

Thanks a ton.. Solution #3 worked for me...since I did not want to mess up with my security trying the solution #1(Windows 10)

@RanjitaNk

This comment has been minimized.

Copy link

commented Nov 19, 2016

Thank you so much. I was struggling for 3 days. got really frustrated. Finally it worked with Solution" #1:. Once again Thank you.

@alextselegidis

This comment has been minimized.

Copy link

commented Nov 21, 2016

Thanks!!!

@jacobvr

This comment has been minimized.

Copy link

commented May 4, 2017

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.