Skip to content

Instantly share code, notes, and snippets.

@h007

h007/howto-manually-add-trust-cert-to-rubygems.md

Created December 4, 2020 05:51
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save h007/ec2f2d32602eee4d5595c0461820e27f to your computer and use it in GitHub Desktop.
Save h007/ec2f2d32602eee4d5595c0461820e27f to your computer and use it in GitHub Desktop.
Download ZIP
Workaround RubyGems' SSL errors on Ruby for Windows (RubyInstaller)
Raw
howto-manually-add-trust-cert-to-rubygems.md

SSL upgrades on rubygems.org and RubyInstaller versions

UPDATE 2016-12-01: Please refer to the official guide instead of this process.

UPDATE 2014-12-21: RubyGems 1.8.30, 2.0.15 and 2.2.3 have been released. It requires manual installation, please see instructions below.

Hello,

If you reached this page, means you've hit this SSL error when trying to pull updates from RubyGems:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

This error is produced by changes in rubygems.org infrastructure, please keep reading to better understand it.

If you're one of those too long, didn't read just skip to the guide on how to workaround it.

Background

For those who are not familiar with SSL and certificates, there are many parts that make secure serving of content possible.

SSL certificates are used on the website, which are obtained from a certificate authority (CA) and generated from a private key, along with its respective signature.

Normally and up until a few months ago, private key signatures used SHA-1 as way to provide a digest (or checksum) of the private key without distributing the key itself (remember, needs to remain private).

SHA-1 has been encountered weak and lot of web servers and sites have been upgrading towards SHA-2 (specifically SHA256 or higher) in order to prepare for the browsers changes.

Specific problem with RubyGems

The particular case of RubyGems (the command line tool) is that it requires to bundle inside of its code the trust certificates, which allow RubyGems to establish a connection with the servers even when base operating system is unable to verify the identity of them.

Up until a few months ago, this certificate was provided by one CA, but newer certificate is provided by a different one.

Because of this, existing installations of RubyGems would have to been updated before the switch of the certificate and give enough time for the change to spread (and people to update).

As what normally happens with software, things might get out of sync and coordinate such effort, to the size and usage of rubygems.org is almost impossible.

I've described this on Issue #1050

We had discussed also on IRC, and patches and backports were provided to all major branches of RubyGems: 1.8, 2.0, 2.2, 2.4 and 2.6

Please understand this could happen to anyone. Release multiple versions of any software in a short span of time and be very time sensitive is highly complicated.

Even if we have official releases of any of the versions that correct the issue, it will not be possible install those via RubyGems (chicken-egg problem described before).

Installing using update packages

RubyGems has covered this in the official guides, please follow the instructions here

It involves:

  • Manually downloading the latest .gem file.
  • Installing it using gem install --local
  • Run the update_rubygems command
  • Profit

You should now be able to install gems normally.

If you still experience any issue, please search for any existing issue on RubyGems Issue Tracker or report a new one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment