Embed URL


SSH clone URL

You can clone with HTTPS or SSH.

Download Gist

Download a cacert.pem for RailsInstaller



There is a long standing issue in Ruby where the net/http library by default does not check the validity of an SSL certificate during a TLS handshake. Rather than deal with the underlying problem (a missing certificate authority, a self-signed certificate, etc.) one tends to see bad hacks everywhere. This can lead to problems down the road.

From what I can see the OpenSSL library that Rails Installer delivers has no certificate authorities defined. So, let's go fetch some from the curl website. And since this is for ruby, why don't we download and install the file with a ruby script?


The Ruby Way! (Fun)

This assumes your have already installed the Rails Installer for Windows.

Download the ruby script to your Desktop folder from Then in your command prompt, execute the ruby script:

ruby "%USERPROFILE%\Desktop\win_fetch_cacerts.rb"

Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:

set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem

To make this a permanent setting, add this in your control panel.

The Manual Way (Boring)

Download the cacert.pem file from Save this file to C:\RailsInstaller\cacert.pem.

Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:

set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem

To make this a permanent setting, add this in your control panel.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
require 'net/http'
# create a path to the file "C:\RailsInstaller\cacert.pem"
cacert_file = File.join(%w{c: RailsInstaller cacert.pem})
Net::HTTP.start("") do |http|
resp = http.get("/ca/cacert.pem")
if resp.code == "200"
open(cacert_file, "wb") { |file| file.write(resp.body) }
puts "\n\nA bundle of certificate authorities has been installed to"
puts "C:\\RailsInstaller\\cacert.pem\n"
puts "* Please set SSL_CERT_FILE in your current command prompt session with:"
puts " set SSL_CERT_FILE=C:\\RailsInstaller\\cacert.pem"
puts "* To make this a permanent setting, add it to Environment Variables"
puts " under Control Panel -> Advanced -> Environment Variables"
abort "\n\n>>>> A cacert.pem bundle could not be downloaded."

Thank you :D

Excellent!!!! Thanks a lot! :)

If you are using JRuby - just locate the file in lib\ruby\somedirectory under the jruby folder and assign the system environment variable

awesome !!

Using is more convient, imho:


ENV["SSL_CERT_FILE"] = "/usr/local/rvm/usr/ssl/certs/cacerts"

How do I specify a path with a space on Windows? I would like to do

cacert_file = File.join(%w{c: Users "User Name" cacert.pem})

Where "User Name" is something like Zeno Davatz.

How would that work?


cacert_file = File.join(%w{c: Users Zeno\ Davatz cacert.pem})

thank you so much!

I am getting this error like this using Ruby On Rails
Error:SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed,

I am following manual step
Stil i am getting same error,I am using win7 OS
pls help me

I am following first step also getting error

C:\Users\RUBY\Desktop>ruby win_fetch_cacerts.rb
win_fetch_cacerts.rb:2: syntax error, unexpected '<'
<!-- saved from url=(0063)http...
win_fetch_cacerts.rb:2: syntax error, unexpected tIDENTIFIER, expecting keyword_
do or '{' or '('
<!-- saved from url=(0063)https://gist.githu...
win_fetch_cacerts.rb:2: syntax error, unexpected tIDENTIFIER, expecting $end
...<!-- saved from url=(0063)
... ^

Thank you! It worked after I added it in control panel.

L2G commented

This is really useful info. If it wasn't for your gist, I wouldn't have ever known about the SSL_CERT_FILE variable. I've been tearing my hair out trying to get Bundler to talk to; now, finally, it works!

This is great, thank you!

Thank you so much for posting this! This error was driving me nuts. If anyone's interested, in order to make the fix self-contained to the Ruby script, I did this:

  1. Download cacerts.pem to same directory as ruby script (or the /config" sub-dir in my case)
  2. Add the following to your script:
    # Fixes SSL Connection Error in Windows execution of Ruby
    # Based on fix described at:
    ENV['SSL_CERT_FILE'] = File.expand_path(File.dirname(__FILE__)) + "/config/cacert.pem"

This may be worthwhile if you're distributing the script and don't want to make users have to set the environment variable.

sjaykr commented

I tried the above fix but I still get this error

endor/net/http/persistent/ssl_reuse.rb:70:in `connect': An established connectio
n was aborted by the software in your host machine. - SSL_connect (Errno::ECONNA

Thanks a lot, works like a charm ! :D

For the uninitiated : It works without Rails Installer also. Just copy cacert.pem to any folder of your choice and set the environment variable path accordingly.

I still get this error...
WARNING: Error fetching data: SSL_connect returned=1 errno=0 state=SSLv3 read s
erver certificate B: certificate verify failed (
Updating rubygems-update
ERROR: While executing gem ... (TypeError)
can't modify frozen object

Thanks...This was really useful !!

I'm new to anything related to Ruby. I'm using WinXP Pro.

I notice that all google posts on any site seem to relate to rails. Therefore all the suggested solutions relate to rails.

I don't use rails. I want to use Watir and Watir-WebDriver for testing web applications.

So, my question is: how do I solve the SSL problem for the command:

gem install mini_magick -v 3.5 --no-document
ERROR: Could not find a valid gem 'mini_magick' (= 3.5), here is why:
Unable to download data from - SSL_connect retur
ned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (

BTW: mini_magick is part of DevKit, which is needed before installing Watir.

Thanks!!! This work for me to install the net-sftp gem on my Windows!!!

Thank you ! that saved me a lot of trouble !

Wow, thanks! That was really easy to solve!

Thank you for this post ! Fixed my ssl cert. error.

@sschwartzman - I like your idea of adding the cacerts.pem to the config, and then using it to set ENV['SSL_CERT_FILE']. I tried this in my Ruby command-line application, but it wasn't working - I was still getting the same error.

The problem is that when I build my gem, the "executable" that RubyGems generates has bootstrap code where it attempts to load my gem (which causes the OpenSSL error) before I ever have a chance to affect the ENV[] statement. Here is the generated bootstrap code:

C:\RailsInstaller\Ruby1.9.3\bin>type my_gem
# This file was generated by RubyGems.
# The application 'my_gem' is installed as part of a gem, and
# this file is here to facilitate running it.

require 'rubygems'

version = ">= 0"

if ARGV.first
  str = ARGV.first
  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
  if str =~ /\A_(.*)_\z/
    version = $1

gem 'my_gem', version
load Gem.bin_path('my_gem', 'my_gem', version)


And here is the error; you can see ruby running through the bootstrap code above, getting to the "load" line, and processing a 'require' statement in one of my dependencies (mixpanel_client), which eventually barfs.

C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/net/http.rb:799:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verif
y failed (OpenSSL::SSL::SSLError)
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/net/http.rb:799:in `block in connect'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/net/http.rb:799:in `connect'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/net/http.rb:744:in `start'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:306:in `open_http'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:775:in `buffer_open'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:203:in `block in open_loop'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:201:in `catch'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:201:in `open_loop'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:146:in `open_uri'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:677:in `open'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/open-uri.rb:685:in `read'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/mixpanel_client-3.1.2/lib/mixpanel/uri.rb:22:in `get'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/mixpanel_client-3.1.2/lib/mixpanel/client.rb:55:in `request'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/my_gem-0.0.6/lib/my_gem/mixpanel_services.rb:233:in `getVersions'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/my_gem-0.0.6/lib/my_gem/mixpanel_services.rb:287:in `<module:MixpanelSer
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/my_gem-0.0.6/lib/my_gem/mixpanel_services.rb:12:in `<top (required)>'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/my_gem-0.0.6/lib/my_gem/runner.rb:13:in `require_relative'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/my_gem-0.0.6/lib/my_gem/runner.rb:13:in `<top (required)>'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
        from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/my_gem-0.0.6/bin/my_gem:11:in `<top (required)>'
        from C:/RailsInstaller/Ruby1.9.3/bin/my_gem:23:in `load'
        from C:/RailsInstaller/Ruby1.9.3/bin/my_gem:23:in `<main>'


I wonder, is there any way to tell RubyGems to put the ENV[] in its generated output. Probably not easily (I suppose I could hand-edit the file it generates, but this is not scalable).

Thanks for the suggestion!


Thanks, this worked well!

Thank you. It worked pretty well.

Thank you for this amazing Work.


Same error as @mandlaanilbabu here.

The Ruby way works for me. But how do I make it permanent? What should I paste in the environment variables?

I followed your instruction, but it didn't work. Any alternative?

I tried the first command that gave me an error.
Why am i not able to run win_fetch_cacerts.rb ruby file thats there in my desktop?

C:\Users\punitha\aggregator>ruby "%USERPROFILE%\Desktop\win_fetch_cacerts.rb"
ruby: No such file or directory -- C:/Users/punitha/Desktop/win_fetch_cacerts.rb

thanks it works happily :-)

Thanks a lot, it's work for me :)

Awesome, worked like a charm!

just don't use "net/http" (if possible), use the "httpi" gem because this does the right thing by default !


It may be worth noting that this does more than just "grab some certificates" from the Curl project, when they are actually sourced from Mozilla and converted to the required format with Curl's lib\ script.

We are seeing this in SketchUp 2014 which uses embedded Ruby 2.0. I found that by setting ENV["SSL_CERT_FILE"] to point to the cert file here will make HTTP with SSL work. But since a SketchUp user has many extensions installed there is no guaranty that one extension has not required the net/http lib without doing this - then it break for everyone else.

Can you shed some more light to where this cert file comes from? And is there a way Ruby can be rebuilt to use it? We're trying to figure out if we can fix this out of the box for SketchUp.

Nice bro! everything working here!

Did not work for me. First of all, it gave an error due to the directory RailsInstaller not existing. So I manually created it, but after doing it I still got the SSL error. I even added the env var to the control panel. Didn't help.

First of all thank you! this has worked wonders for me. However, yesterday the auth on my app stopped working (I get 401:Unauthorized). I also noticed that if I don't run the script, I used to get the Faraday Error but I now get the 401. The oauth settings on my app (key, secret, url, etc.) remain unchanged from the last time I used them. Any idea why this might be happening?

Thank you!

D:\My Documents\Ruby>ruby "%USERPROFILE%\Desktop\win_fetch_cacerts.rb"
C:/Users/Owner/Desktop/win_fetch_cacerts.rb:9:in initialize': No such file or d
irectory @ rb_sysopen - c:/RailsInstaller/cacert.pem (Errno::ENOENT)
from C:/Users/Owner/Desktop/win_fetch_cacerts.rb:9:in
from C:/Users/Owner/Desktop/win_fetch_cacerts.rb:9:in block in <main>'
from C:/Ruby21-x64/lib/ruby/2.1.0/net/http.rb:853:in
from C:/Ruby21-x64/lib/ruby/2.1.0/net/http.rb:583:in start'
from C:/Users/Owner/Desktop/win_fetch_cacerts.rb:6:in

This was fixed by changing the rubyinstaller drectory in the the win_fetch_cacerts.rb file:
cacert_file = File.join(%w{c: RubyInstaller cacert.pem})
cacert_file = File.join(%w{c: Ruby21-x64 cacert.pem})
...or whatever your ruby install dir was...

Sadly this didn't work for me =(
Still getting the same error

FYI, you don't have to open the control panel to make the change permanent, just use setx instead of set

Thanks, very helpful.

works fine since I fixed my "installation" folder, thank you!

Did I say thanks, thanks!

btw, I think the up-to-date explanation for another but similar problem is

Works great!

Thanks a lot.

Just for reference, my installation details:

  • Windows 7 Pro x64
  • Ruby 2.1.5p273

Works like a charm. Thx!

Still working. Thanks!

Thank you! After so many options of solutions, this was my "last ditch effort" before moving on to a non-ruby solution.

Nice solution!! Thanks!! :smile:

Thank you :blush:

worked like a charm for me thank you

Amazing! Cheers! May be you can edit your documentation "The Ruby fun way", because I needed to create manually a folder named "C:\RailsInstaller\". Otherwise I got:

/win_fetch_cacerts.rb:9:in `initialize': No such file or directory @ rb_sysopen - c:/RailsInstaller/cacert.pem (Errno::ENOENT)

works great

Thank you very much for this. The Ruby (fun) way gave me trouble, but I got through it with the Manual (boring) way. Thanks for being so thorough!

C:\Users\Me>ruby "%USERPROFILE%\Desktop\win_fetch_cacerts.rb"
C:/Users/Me/Desktop/win_fetch_cacerts.rb:9:in `initialize': No such file or directory @ rb_sysopen - c:/RailsInstaller/cacert.pem
        from C:/Users/Me/Desktop/win_fetch_cacerts.rb:9:in `open'
        from C:/Users/Me/Desktop/win_fetch_cacerts.rb:9:in `block in <main>'
        from C:/Ruby21-x64/lib/ruby/2.1.0/net/http.rb:853:in `start'
        from C:/Ruby21-x64/lib/ruby/2.1.0/net/http.rb:583:in `start'
        from C:/Users/Me/Desktop/win_fetch_cacerts.rb:6:in `<main>'

I don't have a C:\Railsinstaller folder. I don't have or need or use or want Rails. I think. Just ruby really.

Great !

Thanks...Works for me

Great!! Thanks a lot! I just downloaded the cacert.pem file in user directory C:\Users\username\cacert.pem and set the variable SSL_CERT_FILE using set SSL_CERT_FILE=C:\Users\username\cacert.pem and everything started working as expected.

Man you are the greatest ....coming from an inspired noob developer

Thank you for this instruction mate, worked like a charm! :smile:

Much appreciated!

Thank you. Couldn't get the "Ruby way" to work, but the "Manual way" works like a charm.

thanks man, you saved my ass.

not able to download cacert.pem

Oh bloody hell! I can't get it to work at all. I fixed the SSL error and now I get this:

DL is deprecated, please use Fiddle
C:/Programs/Ruby/lib/ruby/gems/2.1.0/gems/shopify_theme-0.0.21/lib/shopify_theme.rb:57:in `asset_list': undefined method `collect' for nil:NilClass (NoMethodError)
        from C:/Programs/Ruby/lib/ruby/gems/2.1.0/gems/shopify_theme-0.0.21/lib/shopify_theme/cli.rb:78:in `download'
        from C:/Programs/Ruby/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
        from C:/Programs/Ruby/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
        from C:/Programs/Ruby/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
        from C:/Programs/Ruby/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
        from C:/Programs/Ruby/lib/ruby/gems/2.1.0/gems/shopify_theme-0.0.21/bin/theme:24:in `<top (required)>'
        from C:/Programs/Ruby/bin/theme:23:in `load'
        from C:/Programs/Ruby/bin/theme:23:in `<main>'

How do I fix this? Please help!

Thank you! I did the manually steps and it is working perfectly now.

Thank you so much Fletcher
I used your cert file and modified my env on windows and it works with the newest ruby !

C:\software\ruby\bin>cat setrbvars.bat
REM Determine where is RUBY_BIN (where this script is)
PUSHD %~dp0.
REM RUBY_BIN takes higher priority to avoid other tools
REM conflict with our own (mainly the DevKit)
set SSL_CERT_FILE=C:\users\root\cacert.pem
REM Display Ruby version

ruby.exe -v
C:\software\ruby\bin>ruby -v
ruby 2.1.5p273 (2014-11-13 revision 48405) [x64-mingw32]

this really help. thanks you so much Fletcher..

Excellent!!!! Thanks a lot ! :)

And there was much rejoicing!

Awesome ! Thank you for explaining the problem, and methodically resolving the issue.

Thank you. It is very helpful!!! :smiley:

that's what i was looking for 2 days. Awesome . Worked like charm. Thank you very much. :smile: :relaxed:

I am getting the following error message even after installing and setting
set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem

Error message:

SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/net-http-persistent-2.9.4/lib/net/http/persistent/ssl_reu
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/timeout.rb:55:in
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/timeout.rb:100:in timeout'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/net-http-persistent-2.9.4/lib/net/http/persistent/ssl_reu
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/net/http.rb:756:in
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/net/http.rb:751:in start'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:700:
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:631:
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:994:
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/mechanize-2.7.3/lib/mechanize/http/agent.rb:259:in
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/mechanize-2.7.3/lib/mechanize.rb:440:in get'
from first.rb:19:in

I am trying to login to using mechanize gem in ruby.

OMG lifesaver. thank you so much.

Worked perfectly, thanks!

Dear Gist,

Thank you... again. This never gets old.

very cool, thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.