Fix OpenSSL certificate errors on Ruby 2.0

You might get certificate errors in Ruby 2.0 when talking HTTPS because the OpenSSL that Ruby was built against has no default certificate bundle that it trusts.

Update: this problem is solved in edge versions of rbenv and RVM.

$ ruby -rnet/https -e "Net::HTTP.get URI('https://github.com')"
net/http.rb:917:in `connect': SSL_connect returned=1 errno=0 state=SSLv3
  read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

You can work around the issue by installing a certificate bundle that you trust. I trust Mozilla and curl.

WARNING: use the below code only if you're not terribly worried about maximum security:

  1. Note that the certificate bundle below is downloaded from curl.haxx.se over HTTP not HTTPS.
  2. Keep in mind that this installs a cert bundle that will never be automatically updated if a cert gets revoked.

curl -fsSL curl.haxx.se/ca/cacert.pem \
  -o "$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE')"
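
A more careful variant of the one-liner above, as an added example that is not part of the original gist: it checks that the downloaded data actually parses as X.509 certificates before installing it, and it keeps a backup of the existing file instead of overwriting it. The helper names `parse_bundle`, `install_bundle`, `constructed_ca` and `demo` are hypothetical, and the sample certificates are constructed for the demo.

```ruby
require "openssl"
require "fileutils"
require "tmpdir"

# Parse every certificate in a PEM bundle. A corrupt block raises
# OpenSSL::X509::CertificateError, so a truncated download is caught here.
def parse_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Validate `pem`, then install it at `dest`. The previous file is kept as
# "<dest>.bak" and the new one is moved into place with an atomic rename.
# Returns the number of certificates that are inside their validity period.
def install_bundle(pem, dest, now: Time.now)
  certs = parse_bundle(pem)
  raise ArgumentError, "no certificates found in bundle" if certs.empty?
  live = certs.select { |c| c.not_before <= now && now <= c.not_after }
  raise ArgumentError, "no certificate is currently valid" if live.empty?
  FileUtils.cp(dest, "#{dest}.bak") if File.exist?(dest)
  tmp = "#{dest}.tmp.#{Process.pid}"
  File.write(tmp, pem)
  File.rename(tmp, dest)
  live.size
end

# Constructed sample input: a throwaway self-signed certificate.
def constructed_ca(cn, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 7200
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Demo in a temp dir; for real use pass OpenSSL::X509::DEFAULT_CERT_FILE as dest.
def demo
  Dir.mktmpdir do |dir|
    dest = File.join(dir, "cert.pem")
    File.write(dest, "old bundle\n")
    pem = constructed_ca("Constructed Live CA", Time.now + 3600).to_pem +
          constructed_ca("Constructed Expired CA", Time.now - 3600).to_pem
    [install_bundle(pem, dest), File.read("#{dest}.bak"), parse_bundle(File.read(dest)).size]
  end
end
```

An HTML error page or an empty response saved in place of the bundle is rejected before anything is written, which the bare `curl -o` cannot do.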

jjb Feb 25, 2013

And if you want to acquire that secure .pem file without being vulnerable to a MitM attack, here's how: https://gist.github.com/jjb/996292 :-D

jjb Feb 25, 2013

(i got them to switch to https in curl trunk, but then it got reverted later because the Perl library for https isn't reliable)

PikachuEXE Feb 25, 2013

Thanks it works
Let's hope RVM or something else will deal with this problem automatically later

codeslinger Feb 25, 2013

Or...you could just link the existing cacert.pem to cert.pem in that same directory and fix the problem without having to download anything. ;-)

mislav Feb 25, 2013

@codeslinger: I just learned about that existing after I created the gist…

jeevandongre Sep 20, 2013

Did not work for ruby 2.0.0-p195 actually. The most simple fix is to use without certificate.

jeffstringer Apr 1, 2014

Thanks so much!

fcheung May 11, 2015

You can build a default certificate store file from the OS X system roots (if on that OS) - approach shown in https://github.com/raggi/openssl-osx-ca

ddoherty03 May 7, 2016

Fixed this on ubuntu with

apt-get install ca-certificates

Just had some stale certificates around.

jjb May 23, 2016

@mislav is this still the state of the art solution? I just got this problem again with rbenv and ruby-build master building 2.3.1 on os x 10.10.

jjb May 23, 2016

Looks like the curl folks fixed their https situation. this worked perfectly for me 💃 😌 😹:

curl https://curl.haxx.se/ca/cacert.pem -o "$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE')"

csaden Oct 21, 2016

I faced the same error (on Mac OSX 10.10.5 Yosemite).

ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
    SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

I deleted rvm and re-installed but still faced the same problem. I could not brew link --force openssl and ended up stumbling upon this for the solution.

rvm install 2.2.4 --disable-binary
Install whatever ruby version you need.

http://stackoverflow.com/a/18344044/4830231

flushentitypacket Nov 18, 2016

@csaden that worked for me, thank you!

Frostyjayy Dec 25, 2016

@csaden Worked for me as well! big thanks !

samuels410 Jan 24, 2017

@jjb Worked for me! 👍

wpromoteseo Jan 30, 2017

Worked for me! Thanks

@nathanbirrell

@csaden Thank you!

dragon788 May 15, 2017

This would be much better if it created a new file in DEFAULT_CERT_DIR instead of clobbering whatever is already in DEFAULT_CERT_FILE.
