Skip to content

openssl certificate verify failed

Jump to bottom Edit New page
Daniel Kehoe edited this page Apr 23, 2012 · 32 revisions

Ruby OpenSSL Certificate Verify Failed

by Daniel Kehoe

Last updated 23 April 2012

Are you getting an error “OpenSSL certificate verify failed” with Ruby?

Or an error “Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0”?

Here are suggestions.

This is a note for developers using the starter apps from the Rails Apps repository. Others may find it helpful as well.

Error

You may have received an error message if you’ve tried to create a new Rails application.

For example, you may have entered:

$ rails new myapp

or created a new Rails application using an application template:

$ rails new myapp -m https://github.com/RailsApps/rails3-application-templates/raw/master/rails3-mongoid-devise-template.rb -T -O

and seen the following error message:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

or

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B

When creating a new Rails application, the Ruby language interpreter uses OpenSSL to connect to https://rubygems.org/. The Gemfile installed by the rails new command specifies https://rubygems.org/ as the source for gems and requires an SSL connection.

When creating a new application from an application template hosted on GitHub, the Ruby language interpreter uses OpenSSL to connect to GitHub. GitHub requires all connections to be made using SSL.

The error message indicates the connection failed because OpenSSL was unable to verify the server certificate.

This can happen when the certificate file on your computer is out of date, missing, or can’t be found.

Workaround

The simplest workaround is to toggle off the requirement to verify the SSL security certificate.

Create or modify the file called .gemrc in your home path and add the line:

:ssl_verify_mode: 0

For Mac OS and Linux, “home path” means ~/.gemrc. You can also create /etc/gemrc if you prefer. For Windows XP, “home path” means C:\Documents and Settings\All Users\Application Data\gemrc. For Windows 7, C:\ProgramData\gemrc. (Suggested by Andrew Fallows in a Stack Overflow discussion).

This is only a workaround. It opens a possible security vulerability (discussed here).

See RubyGems Issue #319 for more information.

You can try possible solutions suggested below. Please leave a comment if they work (or don’t).

Solution for Mac OS 10.6.8

Download a certificate file:

$ cd /opt/local/etc/openssl
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
$ sudo mv cacert.pem cert.pem

Doesn’t work for you? Please add to the comments below.

Solution for Windows

Fletcher Nichol shows how to download a cacert.pem file and set an environment variable to install the certificate authorities needed by the OpenSSL library.

You can also try hacking the open-uri source: How to Use an Application Template from Github when You’re Developing in Rails on Windows

Any advice to offer? Please add to the comments below.

Solution for Ubuntu

RVM users :

If you have compiled your ruby version with the openssl package version

$ rvm pkg install openssl
$rvm install 1.9.2 --with-openssl-dir=$rvm_path/usr

You have to link certs directory with /etc/ssl/certs

$ rmdir $rvm_path/usr/ssl/certs
$ ln -s /etc/ssl/certs $rvm_path/usr/ssl

Any advice to offer? Please add to the comments below.

Add a custom footer
Add a custom sidebar

Clone this wiki locally