Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Download a cacert.pem for RailsInstaller

Why?

There is a long standing issue in Ruby where the net/http library by default does not check the validity of an SSL certificate during a TLS handshake. Rather than deal with the underlying problem (a missing certificate authority, a self-signed certificate, etc.) one tends to see bad hacks everywhere. This can lead to problems down the road.

From what I can see the OpenSSL library that Rails Installer delivers has no certificate authorities defined. So, let's go fetch some from the curl website. And since this is for ruby, why don't we download and install the file with a ruby script?

Installation

The Ruby Way! (Fun)

This assumes your have already installed the Rails Installer for Windows.

Download the ruby script to your Desktop folder from https://gist.github.com/raw/867550/win_fetch_cacerts.rb. Then in your command prompt, execute the ruby script:

ruby "%USERPROFILE%\Desktop\win_fetch_cacerts.rb"

Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:

set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem

To make this a permanent setting, add this in your control panel.

The Manual Way (Boring)

Download the cacert.pem file from http://curl.haxx.se/ca/cacert.pem. Save this file to C:\RailsInstaller\cacert.pem.

Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:

set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem

To make this a permanent setting, add this in your control panel.

require 'net/http'
# create a path to the file "C:\RailsInstaller\cacert.pem"
cacert_file = File.join(%w{c: RailsInstaller cacert.pem})
Net::HTTP.start("curl.haxx.se") do |http|
resp = http.get("/ca/cacert.pem")
if resp.code == "200"
open(cacert_file, "wb") { |file| file.write(resp.body) }
puts "\n\nA bundle of certificate authorities has been installed to"
puts "C:\\RailsInstaller\\cacert.pem\n"
puts "* Please set SSL_CERT_FILE in your current command prompt session with:"
puts " set SSL_CERT_FILE=C:\\RailsInstaller\\cacert.pem"
puts "* To make this a permanent setting, add it to Environment Variables"
puts " under Control Panel -> Advanced -> Environment Variables"
else
abort "\n\n>>>> A cacert.pem bundle could not be downloaded."
end
end
@Vicente-M
Copy link

Vicente-M commented Oct 27, 2016

Thank you no longer get the error, these are the steps if anyone wants to follow

1.Install DEVELOPMENT KIT (depending on your version Ruby or Rails) in the path and folder C:\devkit
http://rubyinstaller.org/downloads/

2.Through the command prompt to access C:\devkit

3.Paste into the command prompt these commands

ruby dk.rb init

ruby dk.rb install

4.Download this file https://curl.haxx.se/ca/cacert.pem (with Firefox, File - Save as ...) and download in C:\RubyXX (if installed in C:)

5.set SSL_CERT_FILE=C:\RubyXX\cacert.pem (change after the equal sign, the path where cacert.pem was installed, ie in C:\RubyXX)

6.Paste into the command prompt

set SSL_CERT_FILE=C:\RubyXX\cacert.pem

7.Install this gem for devkit

gem install rdiscount --platform=ruby

8.Close the command prompt

9.Add environment variables SSL certificate

Control Panel - Security system - System - Advanced system settings - Environment Variables - System Variables - New - Variable name - (Paste "SSL_CERT_FILE" this without quotes) - Variable value - (Paste the path where cacert.pem was installed "C:\RubyXX\cacert.pem") - OK - OK - OK ;)

10.Try installing another gem

https://www.youtube.com/watch?v=xg_Zb9vGz-8

@drbrain
Copy link

drbrain commented Oct 28, 2016

Please don't fetch a CA bundle over HTTP, it's insecure.

I realize this is a bootstrap issue, but it's better to have instructions that give you a complete chain of trust when you're doing something that you're going to trust from start to finish.

@Pragatiiiee
Copy link

Pragatiiiee commented Oct 29, 2016

Hello please Help me ....m not able to download this..m not getting any option to download the certificate

@Vicente-M
Copy link

Vicente-M commented Oct 29, 2016

@Pragatiiiee It's just a suggestion, but if you want you can read the comment above and watch the video, only if you want

@andkirby
Copy link

andkirby commented Oct 31, 2016

GitBash for Windows.

Could not install this certificate because it requires this certificate. :D

So, it can be downloaded by HTTPS only. That's why use_ssl: true is missed.

Net::HTTP.start('curl.haxx.se', use_ssl: true) do |http|
#    [...]

So, it works with cURL:

$ mkdir ~/.ssl -p
$ curl https://curl.haxx.se/ca/cacert.pem -o ~/.ssl/cacert.pem

And .bashrc can be updated with line:

export SSL_CERT_FILE=~/.ssl/cacert.pem

@Mehrabi
Copy link

Mehrabi commented Nov 3, 2016

Excellent... Thanks :)

@waar19
Copy link

waar19 commented Nov 8, 2016

Thankyou :D :D

@JohnathanPratt
Copy link

JohnathanPratt commented Nov 8, 2016

This might be a dumb question, I am new to Ruby on Rails programming, but how are you supposed to download script?
Please someone give me an answer. Im getting desperate for help.

@brycelewis
Copy link

brycelewis commented Nov 10, 2016

the "ruby" way doesn't work

@Vicente-M
Copy link

Vicente-M commented Nov 11, 2016

@andymagill
Copy link

andymagill commented Nov 16, 2016

This did not work for me. Fortunately, this official workaround worked great :

https://gist.github.com/luislavena/f064211759ee0f806c88

@maheswaripanda
Copy link

maheswaripanda commented Nov 17, 2016

It worked for me....thanks a lot for the solution I was getting the error "SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed" and by trying the above solution my issue got resolved and I was able to install all the gems.

Regards,
Maheswari

@RogerioPST
Copy link

RogerioPST commented Nov 19, 2016

It worked for me too...thank you so much...

best regards,
Rogerio

@cAstraea
Copy link

cAstraea commented Nov 21, 2016

thx andkirby worked for me on windows 10 + git bash

@dwbodine
Copy link

dwbodine commented Nov 22, 2016

THANK YOU SO MUCH!! So many hacky solutions out there, this one was the only one that was simple and actually worked.

@acrolink
Copy link

acrolink commented Nov 27, 2016

Thank you :-)

@mickaellalande
Copy link

mickaellalande commented Dec 2, 2016

Super thank you, it worked for me too on Windows 7. The Ruby way didn't work but the Manual one perfectly, then I changed the environment variable (otherwise every time you reboot you have to set back the variable on the command, so it's more convenient to do it permanently). I had a little hard to do it, I've seen another comment a little up that explains how to do it, but here is back if it can help you :

Go on the Control Panel -> Security system -> System ->Advanced system settings -> Environment Variables -> System Variables :
Here click on New and copy paste for the name : SSL_CERT_FILE, and for the variable : C:\RailsInstaller\cacert.pem (if you did put the cacert.pem at this place like told in this article).
Finally reboot your computer and it should work (I was trying without rebooting and it was not working...)

Enjoy !

@houssemFat
Copy link

houssemFat commented Dec 21, 2016

Hi,
But the first approach doesn't work , 302 redirection for using http://curl.haxx.se , even with using https with :use_ssl .

The second solution works fine.

Thank you for your work !

@Sarafian
Copy link

Sarafian commented Feb 9, 2017

I've followed all possible suggestions but one Windows 10 operating system doesn't want to work

C:\>gem --version
2.6.10
C:\>gem which rubygems
C:/tools/ruby23/lib/ruby/site_ruby/2.3.0/rubygems.rb

For the this path I've followed the manual steps on the official guide

Additional to this I tried to SET SSL_CERT_FILE=C:\tools\ruby23\lib\ruby\2.3.0\rubygems\ssl_certs\AddTrustExternalCARoot.pem and still it doesn't work.

My openssl is

ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
OpenSSL 1.0.2j  26 Sep 2016

@realvjy
Copy link

realvjy commented Feb 15, 2017

The ruby way not worked. @Doremiska Thank! Reboot helps, after setup environment variable.

@jiayuc
Copy link

jiayuc commented Feb 26, 2017

@sschwartzman Using Rubymine on windows10, this one works! Thanx so much

@shen-sat
Copy link

shen-sat commented Aug 2, 2017

Manual method worked for me! I was trying to use Nokogiri gem to download a webpage, but it wouldn't work until I came across this solution - thank you! I use Windows 10 and I only have Ruby 2.2.6 installed.

PS make sure you use follow Doremiska's comment (above) to go into control panel and set an environment variable to point to the cacert.pem file

@russellhoff
Copy link

russellhoff commented Nov 15, 2017

It solved my problem with Zendesk Application Framework v2 :)

@samiggapps
Copy link

samiggapps commented Aug 9, 2018

Thank you so much for this solved my SSL issue, was pulling my hair out over this! 💯 👍
Remember to restart your computer after making the changes and follow @Doremiska

@jamesyoungdigital
Copy link

jamesyoungdigital commented Sep 8, 2018

None of the suggestions worked for me at all, with the latest RailsInstaller on Windows 10. I used 'gem certified' and followed those instructions. I tried manual ways. I tried updating my PATH, and ruby -ropen-uri -e 'eval open("https://git.io/vQhWq").read'. This appeared to work, but still gave an error in Chrome when accessing my form and submitting it. I don't know if it has anything to do with adding a Google ReCaptcha to my form in my app, which I test on localhost. So I just figured switching to IE Edge might work out because it's "less secure," and it worked. If you're on Windows, try everything you can, then use IE Edge. Maybe it will work out => I mean for development. You will want a proper fix for production of course.

@TexasNeo
Copy link

TexasNeo commented Oct 14, 2018

Ruby on Windows 10, setting the env via "Advanced System Settings" worked. setting it in the ruby code, i.e. ENV["SSL_CERT_FILE"] did not.

@subatta
Copy link

subatta commented Nov 4, 2018

Ruby on Windows 10, setting the env via "Advanced System Settings" worked. setting it in the ruby code, i.e. ENV["SSL_CERT_FILE"] did not.

This was true for me as well.

@george-chakhidze
Copy link

george-chakhidze commented Oct 15, 2019

Looks like JRuby on Windows ignores SSL_CERT_FILE environment variable.

@houssemFat-DDF
Copy link

houssemFat-DDF commented Feb 14, 2020

Thank you !!

@dirktay
Copy link

dirktay commented Oct 27, 2021

Thanks! Did it years ago on my old machine. Forgot about it. Thanks again!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment