Skip to content

Instantly share code, notes, and snippets.

@mislav

mislav/OpenSSL fix.md

Last active June 8, 2023 07:48
Show Gist options
  • Star 52 You must be signed in to star a gist
  • Fork 8 You must be signed in to fork a gist
  • Save mislav/5026283 to your computer and use it in GitHub Desktop.
Save mislav/5026283 to your computer and use it in GitHub Desktop.
Download ZIP
Fix OpenSSL certificate errors on Ruby 2.0
Raw
OpenSSL fix.md

The reason why you might get certificate errors in Ruby 2.0 when talking HTTPS is because there isn't a default certificate bundle that OpenSSL (which was used when building Ruby) trusts.

Update: this problem is solved in edge versions of rbenv and RVM.

$ ruby -rnet/https -e "Net::HTTP.get URI('https://github.com')"
net/http.rb:917:in `connect': SSL_connect returned=1 errno=0 state=SSLv3
  read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

You can work around the issue by installing a certificate bundle that you trust. I trust Mozilla and curl.

WARNING: use the below code only if you're not terribly worried about maximum security:

  1. Note that the certificate bundle below is downloaded from curl.haxx.se over HTTP not HTTPS.
  2. Keep in mind that this installs a cert bundle that will never be automatically updated if a cert gets revoked.
curl -fsSL curl.haxx.se/ca/cacert.pem \
  -o "$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE')"
@jjb
Copy link

jjb commented Feb 25, 2013

And if you want to acquire that secure .pem file without being vulnerable to a MitM attack, here's how: https://gist.github.com/jjb/996292 :-D

@jjb
Copy link

jjb commented Feb 25, 2013

(i got them to switch to https in curl trunk, but then it got reverted later because the Perl library for https isn't reliable)

@PikachuEXE
Copy link

Thanks it works
Let's hope RVM or something else will deal with this problem automatically later

@codeslinger
Copy link

Or...you could just link the existing cacert.pem to cert.pem in that same directory and fix the problem without having to download anything. ;-)

@mislav
Copy link
Author

mislav commented Feb 25, 2013

@codeslinger: I just learned about that existing after I created the gist…

@turadg
Copy link

turadg commented Mar 5, 2013

This is a good write-up: http://railsapps.github.com/openssl-certificate-verify-failed.html

For a full script to install Ruby 2.0:
https://gist.github.com/turadg/5092528

@jeevandongre
Copy link

Did not work for ruby 2.0.0-p195 actually. The most simple fix is to use without certificate.

@jeffstringer
Copy link

Thanks so much!

@fcheung
Copy link

fcheung commented May 11, 2015

You can built a default certificate store file from the OS X system roots (if on that OS) - approach shown in https://github.com/raggi/openssl-osx-ca

@ddoherty03
Copy link

Fixed this on ubuntu with

apt-get install ca-certificates

Just had some stale certificates around.

@jjb
Copy link

jjb commented May 23, 2016

@mislav is this still the state of the art solution? I just got this problem again with rbenv and ruby-build master building 2.3.1 on os x 10.10.

@jjb
Copy link

jjb commented May 23, 2016

Looks like the curl folks fixed their https situation. this worked perfectly for me 💃 😌 😹:

curl https://curl.haxx.se/ca/cacert.pem -o "$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE')"

@csaden
Copy link

csaden commented Oct 21, 2016
edited

I faced the same error (on Mac OSX 10.10.5 Yosemite).

ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
    SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

I deleted rvm and and re-installed but still faced the same problem. I could not brew link --force openssl and ended up stumbling upon this for the solution.

rvm install 2.2.4 --disable-binary
Install whatever ruby version you need.

http://stackoverflow.com/a/18344044/4830231

@flushentitypacket
Copy link

@csaden that worked for me, thank you!

@janice-andrews
Copy link

@csaden Worked for me as well! big thanks !

@samuels410
Copy link

@jjb Worked for me! 👍

@wpromoteseo
Copy link

Worked for me! Thanks

@nathanbirrell
Copy link

@csaden Thank you!

@dragon788
Copy link

This would be much better if it created a new file in DEFAULT_CERT_DIR instead of clobbering whatever is already in DEFAULT_CERT_FILE.

@kirylrb
Copy link

kirylrb commented Feb 6, 2019
edited

@mislav Many thanks! Still relevant with rbenv 1.1.1 and Ruby 2.5.1
Saved me from OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) error in rails test environment.

@jepunband
Copy link

help please ..

msf5 auxiliary(gather/shodan_search) > run

[-] Auxiliary failed: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: certificate verify failed
[-] Call stack:
[-] /opt/metasploit-framework/embedded/lib/ruby/2.4.0/net/protocol.rb:44:in connect_nonblock' [-] /opt/metasploit-framework/embedded/lib/ruby/2.4.0/net/protocol.rb:44:in ssl_socket_connect'
[-] /opt/metasploit-framework/embedded/lib/ruby/2.4.0/net/http.rb:948:in connect' [-] /opt/metasploit-framework/embedded/lib/ruby/2.4.0/net/http.rb:887:in do_start'
[-] /opt/metasploit-framework/embedded/lib/ruby/2.4.0/net/http.rb:876:in start' [-] /opt/metasploit-framework/embedded/lib/ruby/2.4.0/net/http.rb:1407:in request'
[-] /opt/metasploit-framework/embedded/framework/modules/auxiliary/gather/shodan_search.rb:59:in shodan_query' [-] /opt/metasploit-framework/embedded/framework/modules/auxiliary/gather/shodan_search.rb:109:in run'
[*] Auxiliary module execution completed
msf5 auxiliary(gather/shodan_search) > Interrupt: use the 'exit' command to quit
msf5 auxiliary(gather/shodan_search) >

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment