Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Download a cacert.pem for RailsInstaller


There is a long standing issue in Ruby where the net/http library by default does not check the validity of an SSL certificate during a TLS handshake. Rather than deal with the underlying problem (a missing certificate authority, a self-signed certificate, etc.) one tends to see bad hacks everywhere. This can lead to problems down the road.

From what I can see the OpenSSL library that Rails Installer delivers has no certificate authorities defined. So, let's go fetch some from the curl website. And since this is for ruby, why don't we download and install the file with a ruby script?


The Ruby Way! (Fun)

This assumes your have already installed the Rails Installer for Windows.

Download the ruby script to your Desktop folder from Then in your command prompt, execute the ruby script:

ruby "%USERPROFILE%\Desktop\win_fetch_cacerts.rb"

Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:

set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem

To make this a permanent setting, add this in your control panel.

The Manual Way (Boring)

Download the cacert.pem file from Save this file to C:\RailsInstaller\cacert.pem.

Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:

set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem

To make this a permanent setting, add this in your control panel.

require 'net/http'
# create a path to the file "C:\RailsInstaller\cacert.pem"
cacert_file = File.join(%w{c: RailsInstaller cacert.pem})
Net::HTTP.start("") do |http|
resp = http.get("/ca/cacert.pem")
if resp.code == "200"
open(cacert_file, "wb") { |file| file.write(resp.body) }
puts "\n\nA bundle of certificate authorities has been installed to"
puts "C:\\RailsInstaller\\cacert.pem\n"
puts "* Please set SSL_CERT_FILE in your current command prompt session with:"
puts " set SSL_CERT_FILE=C:\\RailsInstaller\\cacert.pem"
puts "* To make this a permanent setting, add it to Environment Variables"
puts " under Control Panel -> Advanced -> Environment Variables"
abort "\n\n>>>> A cacert.pem bundle could not be downloaded."

Thank you :D

Excellent!!!! Thanks a lot! :)

Odelya commented Aug 7, 2012

If you are using JRuby - just locate the file in lib\ruby\somedirectory under the jruby folder and assign the system environment variable

awesome !!

Using is more convient, imho:


ENV["SSL_CERT_FILE"] = "/usr/local/rvm/usr/ssl/certs/cacerts"

zdavatz commented Jan 15, 2013

How do I specify a path with a space on Windows? I would like to do

cacert_file = File.join(%w{c: Users "User Name" cacert.pem})

Where "User Name" is something like Zeno Davatz.

How would that work?


cacert_file = File.join(%w{c: Users Zeno\ Davatz cacert.pem})

thank you so much!

I am getting this error like this using Ruby On Rails
Error:SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed,

I am following manual step
Stil i am getting same error,I am using win7 OS
pls help me

I am following first step also getting error

C:\Users\RUBY\Desktop>ruby win_fetch_cacerts.rb
win_fetch_cacerts.rb:2: syntax error, unexpected '<'

allybee commented Mar 6, 2013

Thank you! It worked after I added it in control panel.

L2G commented Apr 10, 2013

This is really useful info. If it wasn't for your gist, I wouldn't have ever known about the SSL_CERT_FILE variable. I've been tearing my hair out trying to get Bundler to talk to; now, finally, it works!

jesalg commented Apr 23, 2013

This is great, thank you!

Thank you so much for posting this! This error was driving me nuts. If anyone's interested, in order to make the fix self-contained to the Ruby script, I did this:

  1. Download cacerts.pem to same directory as ruby script (or the /config" sub-dir in my case)
  2. Add the following to your script:
    # Fixes SSL Connection Error in Windows execution of Ruby
    # Based on fix described at:
    ENV['SSL_CERT_FILE'] = File.expand_path(File.dirname(__FILE__)) + "/config/cacert.pem"

This may be worthwhile if you're distributing the script and don't want to make users have to set the environment variable.

sjaykr commented Jul 31, 2013

I tried the above fix but I still get this error

endor/net/http/persistent/ssl_reuse.rb:70:in `connect': An established connectio
n was aborted by the software in your host machine. - SSL_connect (Errno::ECONNA

Thanks a lot, works like a charm ! :D

For the uninitiated : It works without Rails Installer also. Just copy cacert.pem to any folder of your choice and set the environment variable path accordingly.

I still get this error...
WARNING: Error fetching data: SSL_connect returned=1 errno=0 state=SSLv3 read s
erver certificate B: certificate verify failed (
Updating rubygems-update
ERROR: While executing gem ... (TypeError)
can't modify frozen object

Thanks...This was really useful !!

I'm new to anything related to Ruby. I'm using WinXP Pro.

I notice that all google posts on any site seem to relate to rails. Therefore all the suggested solutions relate to rails.

I don't use rails. I want to use Watir and Watir-WebDriver for testing web applications.

So, my question is: how do I solve the SSL problem for the command:

gem install mini_magick -v 3.5 --no-document
ERROR: Could not find a valid gem 'mini_magick' (= 3.5), here is why:
Unable to download data from - SSL_connect retur
ned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (

BTW: mini_magick is part of DevKit, which is needed before installing Watir.

Thanks!!! This work for me to install the net-sftp gem on my Windows!!!

Thank you ! that saved me a lot of trouble !

Gabri3l commented Oct 29, 2013

Wow, thanks! That was really easy to solve!

Thank you for this post ! Fixed my ssl cert. error.

jishaq commented Nov 15, 2013

@sschwartzman - I like your idea of adding the cacerts.pem to the config, and then using it to set ENV['SSL_CERT_FILE']. I tried this in my Ruby command-line application, but it wasn't working - I was still getting the same error.

The problem is that when I build my gem, the "executable" that RubyGems generates has bootstrap code where it attempts to load my gem (which causes the OpenSSL error) before I ever have a chance to affect the ENV[] statement. Here is the generated bootstrap code:

C:\RailsInstaller\Ruby1.9.3\bin>type my_gem
# This file was generated by RubyGems.
# The application 'my_gem' is installed as part of a gem, and
# this file is here to facilitate running it.

require 'rubygems'

version = ">= 0"

if ARGV.first
  str = ARGV.first
  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
  if str =~ /\A_(.*)_\z/
    version = $1

gem 'my_gem', version
load Gem.bin_path('my_gem', 'my_gem', version)


And here is the error; you can see ruby running through the bootstrap code above, getting to the "load" line, and processing a 'require' statement in one of my dependencies (mixpanel_client), which eventually barfs.

C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/net/http.rb:799:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verif
y failed (OpenSSL::SSL::SSLError)
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/net/http.rb:799:in `block in connect'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/net/http.rb:799:in `connect'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/net/http.rb:744:in `start'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:306:in `open_http'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:775:in `buffer_open'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:203:in `block in open_loop'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:201:in `catch'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:201:in `open_loop'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:146:in `open_uri'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:677:in `open'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:685:in `read'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/mixpanel_client-3.1.2/lib/mixpanel/uri.rb:22:in `get'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/mixpanel_client-3.1.2/lib/mixpanel/client.rb:55:in `request'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/my_gem-0.0.6/lib/my_gem/mixpanel_services.rb:233:in `getVersions'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/my_gem-0.0.6/lib/my_gem/mixpanel_services.rb:287:in `<module:MixpanelSer
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/my_gem-0.0.6/lib/my_gem/mixpanel_services.rb:12:in `<top (required)>'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/my_gem-0.0.6/lib/my_gem/runner.rb:13:in `require_relative'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/my_gem-0.0.6/lib/my_gem/runner.rb:13:in `<top (required)>'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/my_gem-0.0.6/bin/my_gem:11:in `<top (required)>'
        from C:/RailsInstaller/Ruby1.9.3/bin/my_gem:23:in `load'
        from C:/RailsInstaller/Ruby1.9.3/bin/my_gem:23:in `<main>'


I wonder, is there any way to tell RubyGems to put the ENV[] in its generated output. Probably not easily (I suppose I could hand-edit the file it generates, but this is not scalable).

Thanks for the suggestion!


Thanks, this worked well!

Thank you. It worked pretty well.

Thank you for this amazing Work.


Same error as @mandlaanilbabu here.

The Ruby way works for me. But how do I make it permanent? What should I paste in the environment variables?

I followed your instruction, but it didn't work. Any alternative?

I tried the first command that gave me an error.
Why am i not able to run win_fetch_cacerts.rb ruby file thats there in my desktop?

C:\Users\punitha\aggregator>ruby "%USERPROFILE%\Desktop\win_fetch_cacerts.rb"
ruby: No such file or directory -- C:/Users/punitha/Desktop/win_fetch_cacerts.rb

loki4u commented Apr 1, 2014

thanks it works happily :-)

Thanks a lot, it's work for me :)

Awesome, worked like a charm!

jules345 commented Aug 1, 2014

just don't use "net/http" (if possible), use the "httpi" gem because this does the right thing by default !


It may be worth noting that this does more than just "grab some certificates" from the Curl project, when they are actually sourced from Mozilla and converted to the required format with Curl's lib\ script.

We are seeing this in SketchUp 2014 which uses embedded Ruby 2.0. I found that by setting ENV["SSL_CERT_FILE"] to point to the cert file here will make HTTP with SSL work. But since a SketchUp user has many extensions installed there is no guaranty that one extension has not required the net/http lib without doing this - then it break for everyone else.

Can you shed some more light to where this cert file comes from? And is there a way Ruby can be rebuilt to use it? We're trying to figure out if we can fix this out of the box for SketchUp.

Nice bro! everything working here!

Did not work for me. First of all, it gave an error due to the directory RailsInstaller not existing. So I manually created it, but after doing it I still got the SSL error. I even added the env var to the control panel. Didn't help.

First of all thank you! this has worked wonders for me. However, yesterday the auth on my app stopped working (I get 401:Unauthorized). I also noticed that if I don't run the script, I used to get the Faraday Error but I now get the 401. The oauth settings on my app (key, secret, url, etc.) remain unchanged from the last time I used them. Any idea why this might be happening?

Thank you!

D:\My Documents\Ruby>ruby "%USERPROFILE%\Desktop\win_fetch_cacerts.rb"
C:/Users/Owner/Desktop/win_fetch_cacerts.rb:9:in initialize': No such file or d irectory @ rb_sysopen - c:/RailsInstaller/cacert.pem (Errno::ENOENT) from C:/Users/Owner/Desktop/win_fetch_cacerts.rb:9:inopen'
from C:/Users/Owner/Desktop/win_fetch_cacerts.rb:9:in block in <main>' from C:/Ruby21-x64/lib/ruby/2.1.0/net/http.rb:853:instart'
from C:/Ruby21-x64/lib/ruby/2.1.0/net/http.rb:583:in start' from C:/Users/Owner/Desktop/win_fetch_cacerts.rb:6:in


This was fixed by changing the rubyinstaller drectory in the the win_fetch_cacerts.rb file:
cacert_file = File.join(%w{c: RubyInstaller cacert.pem})
cacert_file = File.join(%w{c: Ruby21-x64 cacert.pem})
...or whatever your ruby install dir was...

Sadly this didn't work for me =(
Still getting the same error

sjackman commented Nov 7, 2014


FYI, you don't have to open the control panel to make the change permanent, just use setx instead of set


Thanks, very helpful.

works fine since I fixed my "installation" folder, thank you!

Did I say thanks, thanks!

btw, I think the up-to-date explanation for another but similar problem is

tasos-ch commented Dec 8, 2014

Works great!

Thanks a lot.

Just for reference, my installation details:

  • Windows 7 Pro x64
  • Ruby 2.1.5p273

Works like a charm. Thx!

Still working. Thanks!

Thank you! After so many options of solutions, this was my "last ditch effort" before moving on to a non-ruby solution.

Nice solution!! Thanks!! πŸ˜„


Thank you 😊

worked like a charm for me thank you

stenit commented Dec 19, 2014

Amazing! Cheers! May be you can edit your documentation "The Ruby fun way", because I needed to create manually a folder named "C:\RailsInstaller". Otherwise I got:

/win_fetch_cacerts.rb:9:in `initialize': No such file or directory @ rb_sysopen - c:/RailsInstaller/cacert.pem (Errno::ENOENT)

works great

vbsql7 commented Dec 20, 2014

Thank you very much for this. The Ruby (fun) way gave me trouble, but I got through it with the Manual (boring) way. Thanks for being so thorough!

thany commented Dec 21, 2014

C:\Users\Me>ruby "%USERPROFILE%\Desktop\win_fetch_cacerts.rb"
C:/Users/Me/Desktop/win_fetch_cacerts.rb:9:in `initialize': No such file or directory @ rb_sysopen - c:/RailsInstaller/cacert.pem
        from C:/Users/Me/Desktop/win_fetch_cacerts.rb:9:in `open'
        from C:/Users/Me/Desktop/win_fetch_cacerts.rb:9:in `block in <main>'
        from C:/Ruby21-x64/lib/ruby/2.1.0/net/http.rb:853:in `start'
        from C:/Ruby21-x64/lib/ruby/2.1.0/net/http.rb:583:in `start'
        from C:/Users/Me/Desktop/win_fetch_cacerts.rb:6:in `<main>'

I don't have a C:\Railsinstaller folder. I don't have or need or use or want Rails. I think. Just ruby really.

saninb commented Dec 23, 2014

Great !

Thanks...Works for me

rahulmr commented Jan 2, 2015

Great!! Thanks a lot! I just downloaded the cacert.pem file in user directory C:\Users\username\cacert.pem and set the variable SSL_CERT_FILE using set SSL_CERT_FILE=C:\Users\username\cacert.pem and everything started working as expected.

Man you are the greatest ....coming from an inspired noob developer

Thank you for this instruction mate, worked like a charm! πŸ˜„

Much appreciated!

Thank you. Couldn't get the "Ruby way" to work, but the "Manual way" works like a charm.

thanks man, you saved my ass.

not able to download cacert.pem

Oh bloody hell! I can't get it to work at all. I fixed the SSL error and now I get this:

DL is deprecated, please use Fiddle
C:/Programs/Ruby/lib/ruby/gems/2.1.0/gems/shopify_theme-0.0.21/lib/shopify_theme.rb:57:in `asset_list': undefined method `collect' for nil:NilClass (NoMethodError)
        from C:/Programs/Ruby/lib/ruby/gems/2.1.0/gems/shopify_theme-0.0.21/lib/shopify_theme/cli.rb:78:in `download'
        from C:/Programs/Ruby/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
        from C:/Programs/Ruby/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
        from C:/Programs/Ruby/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
        from C:/Programs/Ruby/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
        from C:/Programs/Ruby/lib/ruby/gems/2.1.0/gems/shopify_theme-0.0.21/bin/theme:24:in `<top (required)>'
        from C:/Programs/Ruby/bin/theme:23:in `load'
        from C:/Programs/Ruby/bin/theme:23:in `<main>'

How do I fix this? Please help!

Thank you! I did the manually steps and it is working perfectly now.

Thank you so much Fletcher
I used your cert file and modified my env on windows and it works with the newest ruby !

C:\software\ruby\bin>cat setrbvars.bat
@echo OFF
REM Determine where is RUBY_BIN (where this script is)
PUSHD %~dp0.
REM RUBY_BIN takes higher priority to avoid other tools
REM conflict with our own (mainly the DevKit)
set SSL_CERT_FILE=C:\users\root\cacert.pem
REM Display Ruby version

ruby.exe -v
C:\software\ruby\bin>ruby -v
ruby 2.1.5p273 (2014-11-13 revision 48405) [x64-mingw32]

kyusufm commented Jan 23, 2015

this really help. thanks you so much Fletcher..

s4sanjoy commented Feb 1, 2015

Excellent!!!! Thanks a lot ! :)

kmne68 commented Feb 4, 2015

And there was much rejoicing!

Awesome ! Thank you for explaining the problem, and methodically resolving the issue.

Thank you. It is very helpful!!! πŸ˜ƒ

that's what i was looking for 2 days. Awesome . Worked like charm. Thank you very much. πŸ˜„ ☺️

Chuchoo commented Feb 19, 2015

I am getting the following error message even after installing and setting
set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem

Error message:

C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/net-http-persistent-2.9.4/lib/net/http/persistent/ssl_reuse.rb:70:in SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError) from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/net-http-persistent-2.9.4/lib/net/http/persistent/ssl_reu from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/timeout.rb:55:intimeout'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/timeout.rbπŸ’―in timeout' from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/net-http-persistent-2.9.4/lib/net/http/persistent/ssl_reu from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/net/http.rb:756:indo_start'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/net/http.rb:751:in start' from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:700: from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:631: from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:994: from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/mechanize-2.7.3/lib/mechanize/http/agent.rb:259:infetch
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/mechanize-2.7.3/lib/mechanize.rb:440:in get' from first.rb:19:in


I am trying to login to using mechanize gem in ruby.

OMG lifesaver. thank you so much.

Worked perfectly, thanks!

Dear Gist,

Thank you... again. This never gets old.

Stoffo commented Mar 9, 2015

very cool, thank you!

odytrice commented Apr 6, 2015

None of this is fun. Is having the list of CA Certs embeded in the ssl gem or source too much to ask? I know it is not your fault and thank you so much for your solution.. But I have been pulling my hair out for an issue that should never have existed in the first place. sigh

nandox commented Apr 10, 2015

Thanks a lot! It fixed the problem perfectly. I'm concerned about RailsInstaller not fixing this problem since 2012!

thank you so much!!

re9ulus commented Apr 26, 2015

Thank you, it works.

pitrik commented May 7, 2015

So, this works for me, but I have to do it every session. I've tried adding it to my control panel environment variables, to no avail. Does anyone have any tips for doing this? Maybe I'm doing something wrong.

It's not the end of the world to type it in each time, but it's a small quality of life thing!

ravuthz commented May 12, 2015

This is great, thank you.

@allybee why i failed even after i set the environmental variable?

Done in the same way but getting below error....any idea?????

C:/Ruby193/lib/ruby/gems/1.9.1/gems/httpclient- add_file': PEM lib (OpenSSL::X509::StoreError) from C:/Ruby193/lib/ruby/gems/1.9.1/gems/httpclient-'
from C:/Ruby193/lib/ruby/gems/1.9.1/gems/httpclient- add_trust_ca' from C:/Ruby193/lib/ruby/gems/1.9.1/gems/httpi-2.4.1/lib/httpi/adapter/httpclient.rb:62:insetup_ssl_auth'
from C:/Ruby193/lib/ruby/gems/1.9.1/gems/httpi-2.4.1/lib/httpi/adapter/httpclient.rb:44:in setup_client' from C:/Ruby193/lib/ruby/gems/1.9.1/gems/httpi-2.4.1/lib/httpi/adapter/httpclient.rb:25:inrequest'
from C:/Ruby193/lib/ruby/gems/1.9.1/gems/httpi-2.4.1/lib/httpi.rb:161:in request' from C:/Ruby193/lib/ruby/gems/1.9.1/gems/httpi-2.4.1/lib/httpi.rb:127:inget'
from C:/Ruby193/lib/ruby/gems/1.9.1/gems/wasabi-3.5.0/lib/wasabi/resolver.rb:43:in load_from_remote' from C:/Ruby193/lib/ruby/gems/1.9.1/gems/wasabi-3.5.0/lib/wasabi/resolver.rb:33:inresolve'
from C:/Ruby193/lib/ruby/gems/1.9.1/gems/wasabi-3.5.0/lib/wasabi/document.rb:142:in xml' from C:/Ruby193/lib/ruby/gems/1.9.1/gems/wasabi-3.5.0/lib/wasabi/document.rb:160:inparse'
from C:/Ruby193/lib/ruby/gems/1.9.1/gems/wasabi-3.5.0/lib/wasabi/document.rb:147:in parser' from C:/Ruby193/lib/ruby/gems/1.9.1/gems/wasabi-3.5.0/lib/wasabi/document.rb:64:insoap_actions'
from C:/Ruby193/lib/ruby/gems/1.9.1/gems/savon-2.11.1/lib/savon/operation.rb:22:in ensure_exists!' from C:/Ruby193/lib/ruby/gems/1.9.1/gems/savon-2.11.1/lib/savon/operation.rb:15:increate'
from C:/Ruby193/lib/ruby/gems/1.9.1/gems/savon-2.11.1/lib/savon/client.rb:32:in operation' from C:/Ruby193/lib/ruby/gems/1.9.1/gems/savon-2.11.1/lib/savon/client.rb:36:incall'
from C:/Users/lrtm432/My Documents/Aptana Studio 3 Workspace/EDRS REQUEST WSDL/SSLFIX.rb:66:in `


Befzz commented Jul 28, 2015

for Windows with PowerShell installed

Installing Windows PowerShell

Paste this 1line code in command console: (WIN + R, cmd)

powershell -Command "& {$fname='cacert.pem'; $outpath=\"$($(Get-ChildItem Env:USERPROFILE).Value)/$fname\"; Invoke-WebRequest$fname -OutFile \"$outpath\"; [Environment]::SetEnvironmentVariable('SSL_CERT_FILE', \"$outpath\", 'User')}"

Script will do:

  1. Download
  2. Save it as %USERPROFILE%/cacert.pem ( C:\Users\__you__\cacert.pem)
  3. Set persistent environment variable for current user SSL_CERT_FILE as %USERPROFILE%/cacert.pem

jjgh commented Aug 3, 2015

@Befzz I did that and fixed it, thanks!

But I wonder, shouldn't Windows (or generally any modern O.S. "for the people"), manage this automatically ? I mean, what if the official cacert.pem file changes? Maybe there is an "official" folder where Windows automatically stores cacert.pem (periodically updating it with most recent version) ?

Or is this important aspect all left to what developers do? What if they supply a malicious cacert.pem file?
Probably it won't do much bad because it would still need to be verified against other keys.. but still.. I'd expect a modern O.S. to download this file before anything else on the very first Internet connection.. or am I just overrating this?

jjgh commented Aug 4, 2015

Damnit! I spent the last 3 hours fighting with this!

I did not want to set a permanent environment variable in Windows, so I was doing:

ENV['SSL_CERT_FILE'] = Dir.pwd + '/cacert.pem'

by which I was simply trying to set a process-life time-spanning environment variable (pointing to "cacert.pem" in the app directory) just for my script.... but it was erroring out again as before, despite that debugging with system 'set SSL_CERT_FILE' (which would just print the value of the env var) was reporting the variable to be set correctly. The only clue I had was that in the following little script with just the minimum lines of code it was working!

ENV['SSL_CERT_FILE'] = Dir.pwd + '/cacert.pem' 
require 'yt'
videos =
puts videos.where(order: 'viewCount').first.title

So after disabling almost everything step by step in my real script at the end I was baffled to find out that for some obscure reason I just needed to put ENV['SSL_CERT_FILE'] = Dir.pwd + '/cacert.pem' at the top of the file for it to work!

..and they just call em "gotchas".. phew!
hope it helps someone else..

Thanks @jjgh saved me!

Thanks ! It saved me a lot of time

πŸ‘ worked on Windows 10, thank's

Another happy coder! Thanks a bunch!


Fletcher - per northworld/google_calendar#79 - is it expected that this would be necessary on a Mac? I see it under Chefdk. Thanks, M.

thanks a lot!!!

Wow sir, you are a god among men, πŸ‘

Onumis commented Oct 5, 2015

Thanks, you 🎸

You saved my day!
I am new to programming and it's my very first day to learn ruby.
I got so frustrated trying to solve this SSL problem.
I have been looking for solutions for hours and I am so lucky to finally find your post.
Thank you so much!

Taym95 commented Oct 29, 2015

Thank you so much

mc07 commented Nov 4, 2015

I just followed the above transaction.

But I can't access my project using 'https://myProject:3000/signin'.

How will it work. I am using jruby.


Yes, I forgot about this little "quirk". Thanks!

A thanks from China, It is very helpful!!! πŸ˜ƒ

This SSL error was driving me bananas, the same snippet of code worked OK on Ubuntu but when ported to Win it will not run :-( until I read your solution... a BIG thanks!

oooh now i can breath! a BIG THANKS! finally am back on track... thanks alot.

Thank you!

Thank you!! It did work!!

Thanks Fletcher - nice script. Automation worked for me on Win 10.

westche commented Feb 9, 2016

I completed these steps but still getting the Faraday::SSLError in HomeController#index ? Any other ideas!
using W10 -
ruby 2.1.5p273 (2014-11-13 revision 48405) [i386-mingw32] -
'rails', '4.1.8'

thank you!

lalehmb commented Feb 20, 2016


how can i get it work on linux? i've followed the manual instruction , and instead of windows path i gave it linux paths to the mentioned file. but it didn't work.

may you help me please?

Great solution. Did it the boring way though :)

jgadbois commented Mar 3, 2016

Works for me on some sites, but fails on others...any way to get a more complete cert?

aarmora commented Mar 17, 2016

This suddenly failed for me on the three computers I've been using it on. I've been using this method for more than a year. I've tried multiple URLs.

Anyone else have this issue?

Not working for me. I'm still getting the certificate verify failed error.
c:/RailsInstaller/Ruby2.2.0/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

Please help!

hitmany commented Mar 28, 2016

Ohh man! Many thanks!

I have resolved this error by including a line of code in gemfile as below:
gem 'certified'
Run bundle install. A latest version of certified will be added to your External Libraries.

Edchel commented Apr 4, 2016

Edchel@Edchel-PC MINGW64 /d/MyWeb
$ ruby "win_fetch_cacerts.rb"

A cacert.pem bundle could not be downloaded.

It looks like, which is required for this solution to work, has gone offline. I tested on two machines locally and on a remote one with a separate internet connection and get a timeout on all of them.

@WasabiFan Nope, is online, you can open it in your browser.

The manual way worked. Thank you soo much!

kamok commented Aug 11, 2016

Is it me or did the cacert.pem file from the URL broke today.

It's not working for me Desktop and laptop. Was working a few months back.

Elkont33 commented Sep 8, 2016

Thank you the manual way worked ok

A bundle could not be downloaded.

Is this a error message???

bdetail commented Oct 8, 2016

Doesn't work. I'm getting "A bundle could not be downloaded."

edit: it worked doing it manually.

1312148 commented Oct 13, 2016

Error: A bundle could not be downloaded.

Thanks a lot. That worked for me just fine.

I was very close on giving up Ruby completely after spending hours following official ruby links and solutions e.g.,, It's shame that they provide broken fixes..

samseen commented Oct 16, 2016

Thanks buddy... It works. [The manual way]

Thanks a lot. It worked for me.

Kova93 commented Oct 20, 2016

Thanks a lot, it finally worked.

skjo0c commented Oct 20, 2016

Sadly didn't work for me somehow :(

moayman commented Oct 24, 2016

It worked for me. Why isn't this the first search result on google..?
Thanks a lot.

It worked!
Thank you very much!

I would say this is awesome!!
Easy and efficient~~ Thank you sososososo much~~

dthor commented Oct 26, 2016

this does not work for me on windows

Vicente-M commented Oct 27, 2016

Thank you no longer get the error, these are the steps if anyone wants to follow

1.Install DEVELOPMENT KIT (depending on your version Ruby or Rails) in the path and folder C:\devkit

2.Through the command prompt to access C:\devkit

3.Paste into the command prompt these commands

ruby dk.rb init

ruby dk.rb install

4.Download this file (with Firefox, File - Save as ...) and download in C:\RubyXX (if installed in C:)

5.set SSL_CERT_FILE=C:\RubyXX\cacert.pem (change after the equal sign, the path where cacert.pem was installed, ie in C:\RubyXX)

6.Paste into the command prompt

set SSL_CERT_FILE=C:\RubyXX\cacert.pem

7.Install this gem for devkit

gem install rdiscount --platform=ruby

8.Close the command prompt

9.Add environment variables SSL certificate

Control Panel - Security system - System - Advanced system settings - Environment Variables - System Variables - New - Variable name - (Paste "SSL_CERT_FILE" this without quotes) - Variable value - (Paste the path where cacert.pem was installed "C:\RubyXX\cacert.pem") - OK - OK - OK ;)

10.Try installing another gem

drbrain commented Oct 28, 2016

Please don't fetch a CA bundle over HTTP, it's insecure.

I realize this is a bootstrap issue, but it's better to have instructions that give you a complete chain of trust when you're doing something that you're going to trust from start to finish.

Hello please Help me ....m not able to download this..m not getting any option to download the certificate

@Pragatiiiee It's just a suggestion, but if you want you can read the comment above and watch the video, only if you want

andkirby commented Oct 31, 2016

GitBash for Windows.

Could not install this certificate because it requires this certificate. :D

So, it can be downloaded by HTTPS only. That's why use_ssl: true is missed.

Net::HTTP.start('', use_ssl: true) do |http|
#    [...]

So, it works with cURL:

$ mkdir ~/.ssl -p
$ curl -o ~/.ssl/cacert.pem

And .bashrc can be updated with line:

export SSL_CERT_FILE=~/.ssl/cacert.pem

Mehrabi commented Nov 3, 2016

Excellent... Thanks :)

waar19 commented Nov 8, 2016

Thankyou :D :D

JohnathanPratt commented Nov 8, 2016

This might be a dumb question, I am new to Ruby on Rails programming, but how are you supposed to download script?
Please someone give me an answer. Im getting desperate for help.

the "ruby" way doesn't work

This did not work for me. Fortunately, this official workaround worked great :

It worked for me....thanks a lot for the solution I was getting the error "SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed" and by trying the above solution my issue got resolved and I was able to install all the gems.


It worked for me too...thank you so much...

best regards,

thx andkirby worked for me on windows 10 + git bash

THANK YOU SO MUCH!! So many hacky solutions out there, this one was the only one that was simple and actually worked.

Thank you :-)

Super thank you, it worked for me too on Windows 7. The Ruby way didn't work but the Manual one perfectly, then I changed the environment variable (otherwise every time you reboot you have to set back the variable on the command, so it's more convenient to do it permanently). I had a little hard to do it, I've seen another comment a little up that explains how to do it, but here is back if it can help you :

Go on the Control Panel -> Security system -> System ->Advanced system settings -> Environment Variables -> System Variables :
Here click on New and copy paste for the name : SSL_CERT_FILE, and for the variable : C:\RailsInstaller\cacert.pem (if you did put the cacert.pem at this place like told in this article).
Finally reboot your computer and it should work (I was trying without rebooting and it was not working...)

Enjoy !

houssemFat commented Dec 21, 2016

But the first approach doesn't work , 302 redirection for using , even with using https with :use_ssl .

The second solution works fine.

Thank you for your work !

Sarafian commented Feb 9, 2017

I've followed all possible suggestions but one Windows 10 operating system doesn't want to work

C:\>gem --version
C:\>gem which rubygems

For the this path I've followed the manual steps on the official guide

Additional to this I tried to SET SSL_CERT_FILE=C:\tools\ruby23\lib\ruby\2.3.0\rubygems\ssl_certs\AddTrustExternalCARoot.pem and still it doesn't work.

My openssl is

ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
OpenSSL 1.0.2j  26 Sep 2016

realvjy commented Feb 15, 2017

The ruby way not worked. @Doremiska Thank! Reboot helps, after setup environment variable.

jiayuc commented Feb 26, 2017

@sschwartzman Using Rubymine on windows10, this one works! Thanx so much

shen-sat commented Aug 2, 2017

Manual method worked for me! I was trying to use Nokogiri gem to download a webpage, but it wouldn't work until I came across this solution - thank you! I use Windows 10 and I only have Ruby 2.2.6 installed.

PS make sure you use follow Doremiska's comment (above) to go into control panel and set an environment variable to point to the cacert.pem file

It solved my problem with Zendesk Application Framework v2 :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment