@mislav /OpenSSL fix.md
Fix OpenSSL certificate errors on Ruby 2.0

You might get certificate errors in Ruby 2.0 when talking HTTPS because the OpenSSL that Ruby was built against has no default certificate bundle that it trusts.

Update: this problem is solved in edge versions of rbenv and RVM.

```
$ ruby -rnet/https -e "Net::HTTP.get URI('https://github.com')"
net/http.rb:917:in `connect': SSL_connect returned=1 errno=0 state=SSLv3
  read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
```

You can work around the issue by installing a certificate bundle that you trust. I trust Mozilla and curl.

WARNING: use the below code only if you're not terribly worried about maximum security:

  1. Note that the certificate bundle below is downloaded from curl.haxx.se over HTTP not HTTPS.
  2. Keep in mind that this installs a cert bundle that will never be automatically updated if a cert gets revoked.

```
curl -fsSL curl.haxx.se/ca/cacert.pem \
  -o "$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE')"
```
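Because the bundle arrives over plain HTTP and is never refreshed, it is worth inspecting what actually sits at that path. The following is an added example, not part of the original gist: it parses a PEM bundle and reports damaged, expired and non-CA entries. The helper names `default_bundle_path`, `audit_bundle` and `sample_cert` are hypothetical, and the sample certificates are constructed locally.

```ruby
require 'openssl'

# Path this Ruby's OpenSSL reads trusted roots from; the SSL_CERT_FILE
# environment variable overrides the compiled-in default.
def default_bundle_path
  ENV['SSL_CERT_FILE'] || OpenSSL::X509::DEFAULT_CERT_FILE
end

# Parse every certificate in a PEM bundle and report what would be trusted.
def audit_bundle(pem_text, now: Time.now)
  blocks = pem_text.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  report = { total: blocks.size, unparsable: 0, expired: [], not_ca: [] }
  blocks.each do |pem|
    begin
      cert = OpenSSL::X509::Certificate.new(pem)
    rescue OpenSSL::OpenSSLError
      report[:unparsable] += 1 # damaged entry inside intact PEM markers
      next
    end
    subject = cert.subject.to_s
    report[:expired] << subject if cert.not_after < now
    bc = cert.extensions.find { |e| e.oid == 'basicConstraints' }
    report[:not_ca] << subject unless bc && bc.value.include?('CA:TRUE')
  end
  report
end

# Constructed sample input: a throwaway self-signed certificate (hypothetical CN).
def sample_cert(cn, not_after, ca: true)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_after - 365 * 86_400
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  path = default_bundle_path
  # binread avoids encoding errors on non-ASCII comment lines in the bundle
  puts File.file?(path) ? audit_bundle(File.binread(path)).inspect : "no bundle at #{path}"
end
```

A `total` of zero or any `unparsable` entries after the download suggests the file is not a real certificate bundle and should not be left in place.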
@jjb

And if you want to acquire that secure .pem file without being vulnerable to a MitM attack, here's how: https://gist.github.com/jjb/996292 :-D

@jjb

(I got them to switch to https in curl trunk, but then it got reverted later because the Perl library for https isn't reliable)

@PikachuEXE

Thanks it works
Let's hope RVM or something else will deal with this problem automatically later

@codeslinger

Or...you could just link the existing cacert.pem to cert.pem in that same directory and fix the problem without having to download anything. ;-)

@mislav
Owner

@codeslinger: I just learned about that existing after I created the gist…

@jeevandongre

Did not work for ruby 2.0.0-p195 actually. The most simple fix is to use without certificate.

@jeffstringer

Thanks so much!

@fcheung

You can build a default certificate store file from the OS X system roots (if on that OS) - approach shown in https://github.com/raggi/openssl-osx-ca
