@kendagriff
Created November 7, 2015 04:57
Solution to "OpenSSL::X509::StoreError: setting default path failed: Invalid keystore format" for JRuby

Solution to StoreError: invalid keystore format (OS X)

The following error appeared upon upgrading JRuby:

OpenSSL::X509::StoreError: setting default path failed: Invalid keystore format

Download cacert.pem

wget http://curl.haxx.se/ca/cacert.pem

Create a keystore from the file

sudo keytool -importcert -file cacert.pem -keystore /Users/youruser/.keystore

Set SSL_CERT_FILE

export SSL_CERT_FILE=/Users/youruser/.keystore

Install gems

jruby -S gem install whatever
@randomizor

Lifesaver! Thanks for this.

@shooley

shooley commented Mar 3, 2016

I have been plagued by this issue and used this solution for a long while (thank you!) but it has recently stopped working for me. I believe the cause was that the JRuby installer through RVM was installing an older version of jruby-openssl or simply relying on an out-of-date version of OpenSSL.

The solution for me was to brew uninstall and reinstall my local version of OpenSSL:

  1. RVM implode (not sure if this is necessary but I wanted a fresh start)

  2. Follow the steps here to uninstall/reinstall OpenSSL: http://apple.stackexchange.com/questions/126830/how-to-upgrade-openssl-in-os-x

  3. Reinstall RVM/JRuby using: \curl -sSL https://get.rvm.io | bash -s stable --ruby=jruby

And I was good to go!

@gbirchmeier

Hm... didn't work.

3098 ~/mydir$ sudo keytool -importcert -file cacert.pem -keystore /Users/grant/.keystore
Password:
Enter keystore password:  
Re-enter new password: 
keytool error: java.lang.Exception: Input not an X.509 certificate

@edhana

edhana commented Jul 23, 2016

@gbirchmeier did you solve the problem? Same thing here.

@derekzak

derekzak commented Aug 2, 2016

@gbirchmeier @edhana you need to fix any spacing issues in the pem file. You can just run this:

openssl x509 -in cacert.pem -out cacert.pem

before the step:

sudo keytool -importcert -file cacert.pem -keystore /Users/youruser/.keystore

Sadly I followed all of the above steps and I am still getting the same error. I'll report back if I figure it out.
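
keytool -importcert stores one trusted certificate per alias, and `openssl x509` processes only the first certificate in its input, so importing cacert.pem as a single file does not bring in the whole bundle. The following added example (not part of the gist or of any comment) splits a bundle into one file per certificate so that each can be imported under its own alias; the function names, file names and sample bundle are constructed for illustration.

```shell
#!/bin/sh
# Split a PEM bundle into one file per certificate (cert-001.pem, ...).
# Text outside the BEGIN/END markers, such as the comment header in
# cacert.pem, is dropped. Prints the number of certificates written.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/cert-%03d.pem", dir, n); inside = 1
        }
        inside { print > out }
        /-----END CERTIFICATE-----/ { if (inside) close(out); inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# Import each split file under its own alias. Not called in the demo: it
# needs a JDK and real certificates. The password is read from the exported
# STOREPASS variable so that it stays off the command line.
import_split() {    # usage: import_split <dir> <keystore>
    for c in "$1"/cert-*.pem; do
        keytool -importcert -noprompt -file "$c" \
            -alias "$(basename "$c" .pem)" \
            -keystore "$2" -storepass:env STOREPASS || return 1
    done
}

# Constructed two-entry bundle; the base64 bodies are placeholders, not certs.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/bundle.pem" <<'EOF'
## Constructed bundle header (comment text, as in cacert.pem)

First CA (constructed)
======================
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURURPTkU=
-----END CERTIFICATE-----

Second CA (constructed)
=======================
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURURUV08=
-----END CERTIFICATE-----
EOF

echo "certificates split out: $(split_bundle "$demo/bundle.pem" "$demo/split")"
```
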

@dpaola2

dpaola2 commented Aug 9, 2016

When I use this method, other tools on my system begin failing with SSL errors, such as the heroku tool belt. Can anyone explain that?

@dpaola2

dpaola2 commented Aug 9, 2016

Wrote up a tiny thing that helped me get around this issue: https://medium.com/@dpaola2/rvm-openssl-keystore-and-you-336bba50981#.lk89s25k7

There's definitely something going on w/ JRuby, rvm, and OpenSSL. I now am commenting and uncommenting environment variables out to get bundler working. This is insanity.

@suranyami

@dpaola2: thank you! That worked for me.

@suranyami

Sorry, I spoke too soon. The solution @dpaola2 suggested did work for both jRuby and MRI, but then when I tried to install something with homebrew I get the same sort of X509 error.

If I unset the SSL_CERT_FILE variable, homebrew and MRI work, but jRuby doesn't. Very frustrating.

I'm going to try a full rvm implode and see if that changes the situation.

@suranyami

suranyami commented Oct 18, 2016

So, I tried all that... nuked rvm and homebrew... clean reinstall. Same problem.

What DID work for me was everything above, but with the addition of adding in the login and root certificates from the macOS Keychain.app and also adding an alias to each of the keystore imports:

wget http://curl.haxx.se/ca/cacert.pem
sudo keytool -importcert -file cacert.pem -alias mozilla-certs -keystore ~/.keystore

security find-certificate -a -p /Library/Keychains/System.keychain > LoginCerts.cer
sudo keytool -importcert -file LoginCerts.cer -alias login-certs -keystore ~/.keystore

security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> RootCertificates.cer
sudo keytool -importcert -file RootCertificates.cer -alias root-certs -keystore ~/.keystore

Then adding this to ~/.zshrc (or ~/.bash_profile):

export SSL_CERT_FILE=~/.keystore

@rachelpipkin

Thanks all for your help on this. Troubleshooting this killed a lot of my time but being a front-end dev I had no idea WTF I was doing and all your comments gave me some direction.

I came across the same errors as @suranyami did but to get this working with jRuby I reinstalled RVM, Homebrew, and updated my JDK.

$ ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'
/Library/Java/JavaVirtualMachines/jdk1.8.0_112.jdk/Contents/Home/jre/lib/security/cacerts

@rcrews

rcrews commented Nov 29, 2016

Thank you for this! I spent a fair amount of time on this problem, and this page was the most helpful. Want to make two additions:

  1. Information about http://curl.haxx.se/ca/cacert.pem is at https://curl.haxx.se/docs/caextract.html

  2. I found my problem to be only that my $JAVA_HOME/lib/security/cacerts file was corrupt in some way. I verified it by running this
    command:

$ keytool -list -storepass changeit \
    -keystore $(/usr/libexec/java_home -v 1.8)/jre/lib/security/cacerts
keytool error: java.io.IOException: Invalid keystore format

Taking the error message at its word, I simply removed and reinstalled the JDK. When the above command listed the keys in the cacerts file, then jruby installed fine without errors. I then was able to remove the ~/.keystore file and SSL_CERT_FILE setting.
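
The keytool check above answers "is this a valid keystore?"; the file's leading bytes answer the broader question of which format it is in, and so whether it fits as SSL_CERT_FILE (read as a PEM bundle by OpenSSL-based tools) or as a Java keystore. This is an added example, not part of the original comment; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Classify a trust-store file by content instead of by name or extension.
# PEM is text with BEGIN CERTIFICATE markers; JKS starts with 0xFEEDFEED,
# JCEKS with 0xCECECECE; PKCS#12 is DER and starts with a SEQUENCE tag (0x30).
store_format() {
    [ -s "$1" ] || { echo "missing-or-empty"; return 0; }
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo "pem"; return 0
    fi
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case $magic in
        feedfeed) echo "jks" ;;
        cececece) echo "jceks" ;;
        30*)      echo "pkcs12-or-der" ;;
        *)        echo "unknown" ;;
    esac
}

# Does the file match what its consumer parses? "openssl" stands for tools
# that read SSL_CERT_FILE as a PEM bundle, "java" for a keystore loaded by
# keytool or the JVM (such as cacerts).
fits_consumer() {
    fmt=$(store_format "$1")
    case "$2:$fmt" in
        openssl:pem|java:jks|java:jceks|java:pkcs12-or-der) echo "ok ($fmt)" ;;
        *) echo "mismatch ($fmt)" ;;
    esac
}

# Constructed sample files (headers only, no real certificates or keys).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '\376\355\376\355\001\001\001\002' > "$demo/keystore.jks"
printf '## constructed\n-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n' > "$demo/bundle.pem"
printf 'truncated download' > "$demo/cacerts"

echo "keystore.jks as SSL_CERT_FILE: $(fits_consumer "$demo/keystore.jks" openssl)"
echo "bundle.pem as SSL_CERT_FILE:   $(fits_consumer "$demo/bundle.pem" openssl)"
echo "bundle.pem as Java keystore:   $(fits_consumer "$demo/bundle.pem" java)"
echo "cacerts as Java keystore:      $(fits_consumer "$demo/cacerts" java)"
```
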

@madebysquares

madebysquares commented Nov 30, 2016

+1 to everyone who posted all your helpful comments.

I've been dealing with this for months, commenting and uncommenting export SSL_CERT_FILE=... until I finally got fed up.

I tried pretty much everything listed here.

The steps that finally resolved everything for me.

  • Installed the latest version of openssl via homebrew: brew install openssl
  • Ensured that it had up to date certs in the right locations
  • Manually added a symlink in /usr/local/bin/ -> {the location of the latest homebrew version}
  • Uninstalled all the previous versions of the java jdk
cd /Library/Java/JavaVirtualMachines/
sudo rm -rf jdk1.*
  • Uninstalled rvm: rvm implode
  • Restarted my machine
  • Finally installed a new jdk, re-installed rvm, jruby, bundler, etc

Finally everything is working, no SSL_CERT_FILE, no random keystore files, no failures

ALSO: I would avoid rvm osx-ssl-certs update all; this breaks my jdk cert every time.

@jayjlawrence

I'd like to add a few points to make the procedure 100% clear:

  • when prompted for keystore password I used "changeit" which is similar to the default Java one
    -- Enter keystore password: then type "changeit"
    -- Re-enter new password: and retype "changeit"
  • when prompted to "Trust this certificate? [no]" enter "yes"
  • for Bash users to make this persist add to your .bash_profile
    -- export SSL_CERT_FILE=/Users/youruser/.keystore

And to add to @madebysquares comment - I broke my install by running 'rvm osx-ssl-certs update all' too. RVM should not allow this to run on jruby until it does not break all jrubies.

@palashmandokhot

how to solve invalid keystore format????????

@palashmandokhot

how to solve invalid keystore error??????


@dennis-d

nuking jdk seems to help

@itsjms

itsjms commented Mar 6, 2018

❤️ https://gist.github.com/kendagriff/adec3713b4dfe6a1abdf#gistcomment-1933072 this is EXACTLY how to fix. I have been dealing with this issue for months and setting that cert file every time.
