openssl certificate verify failed
Last updated 28 April 2012
Are you getting an error “OpenSSL certificate verify failed” with Ruby?
Or an error “Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0”?
Here are suggestions.
This is a note for developers using the starter apps from the Rails Apps repository. Many others have found it helpful as well.
You may have received an error message if you’ve tried to create a new Rails application.
For example, you may have entered:
$ rails new myapp
or created a new Rails application using an application template:
$ rails new myapp -m https://github.com/RailsApps/rails3-application-templates/raw/master/rails3-mongoid-devise-template.rb -T -O
and seen the following error message:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
or
Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B
The error is not likely to occur when simply using gem install. (Does it? Leave a comment below.)
Here is an explanation and suggested solutions.
When creating a new Rails application, the Ruby language interpreter uses OpenSSL to connect to https://rubygems.org/. The Gemfile installed by the rails new command specifies https://rubygems.org/ as the source for gems and requires an SSL connection.
In the case of a new application generated from an application template hosted on GitHub, the Ruby language interpreter uses OpenSSL to connect to GitHub. GitHub requires all connections to be made using SSL.
The error message indicates the connection failed because OpenSSL was unable to verify the server certificate.
Prior to 20 April 2012, the error likely resulted when the certificate file on your computer was out of date, missing, or couldn’t be found.
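The following Ruby script is an added example, not part of the original page or of RubyGems. It reproduces the failure offline: a certificate verifies only when its issuing CA is in the trust store OpenSSL consults. The CA, host name and keys are constructed for the demonstration.

```ruby
require 'openssl'

# Build a certificate signed by issuer_key (self-signed when issuer is nil).
# All names and keys here are constructed for the demonstration.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify `cert` against a store holding exactly the `trusted` certificates.
# Returns [verified?, OpenSSL's explanation of the result].
def verify_with(trusted, cert)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(cert)
  [ok, store.error_string]
end

# Where this Ruby's OpenSSL looks for CA certificates by default.
def default_trust_paths
  paths = { file: OpenSSL::X509::DEFAULT_CERT_FILE, dir: OpenSSL::X509::DEFAULT_CERT_DIR }
  paths.transform_values { |p| { path: p, exists: File.exist?(p) } }
end

CA_KEY   = OpenSSL::PKey::RSA.new(2048)
CA_CERT  = make_cert('Example Root CA (constructed)', CA_KEY, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF     = make_cert('gems.example.test', LEAF_KEY, issuer: CA_CERT, issuer_key: CA_KEY)

if __FILE__ == $PROGRAM_NAME
  p default_trust_paths
  p verify_with([], LEAF)          # issuing CA missing from the store
  p verify_with([CA_CERT], LEAF)   # issuing CA present
end
```

If default_trust_paths reports that neither path exists, Ruby's OpenSSL has no CA bundle to consult, which matches the missing-certificate-file case described above.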
On 20 April 2012, Ruby 1.9.3-p194 was released incorporating RubyGems 1.8.23 which included two security fixes:
- verification of server SSL certs is required when RubyGems connects to an https server
- RubyGems no longer allows redirects from https to http servers
This is the commit to RubyGems that implemented the security fixes: Insecure connection to SSL repository. Following the release, an issue was reported for an SSL_connect failure when running ‘rails new’.
Following the release of RubyGems 1.8.23, the RubyGems team identified a problem with misconfiguration of SSL certificates on the https://rubygems.org/ server. The RubyGems team fixed the SSL certificates on 24 April 2012.
RubyGems 1.8.23 was supposed to install a .pem file containing current SSL certificates but didn’t do so, according to this issue: 1.8.23 actually does not install pem file. This commit, Install the .pem files properly, fixed the problem and was released on 27 April 2012 with RubyGems 1.8.24 (RubyGems changelog). The 1.8.24 release also eliminated a problematic dependency on OpenSSL for http connections.
If you are seeing an error when you create a new Rails application, it is likely that you need to update OpenSSL or certificate files on your computer (see recommendations below). At this point, RubyGems should be using OpenSSL properly to connect to the https://rubygems.org/ server. However, some users (particularly on Ubuntu) continue to report errors. Check RubyGems issues on GitHub for current conditions.
You may find more information on Stack Overflow, especially this discussion: Bundle install fails with SSL certificate verification error. And please read the comments below.
What’s your operating system version?
$ uname -srv
Be sure you are using Ruby 1.9.3-p194 or newer:
$ ruby -v
ruby 1.9.3p194
Be sure you are using RubyGems 1.8.24 or newer:
$ gem -v
1.8.24
Update RubyGems if necessary:
$ gem update --system
Check your OpenSSL version:
$ openssl version
You should see OpenSSL 1.0.1 or newer. If not, try updating OpenSSL (see below).
A curl -I command should show that the rubygems.org file host is available and responding:
$ curl -I https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem
HTTP/1.0 200 OK
...
Try executing remote_fetcher directly to download a gem from the rubygems.org file host:
$ ruby -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")).bytesize'
Fetching: rake-0.9.2.2.gem (100%)
If you see an error, add your report to the issue SSL_connect failure when running ‘rails new’. Please supply details: OS version, Ruby version, RubyGems version, OpenSSL version, error message.
You can try several workarounds to isolate the error conditions. Please don’t rely on a workaround for anything other than a temporary solution. Attempt the suggested resolutions (below) and file an issue report if they don’t work.
Try changing your Gemfile to use an http connection for your gem source. Instead of source 'https://rubygems.org' use:
source 'http://rubygems.org'
This workaround is not an option if you are running rails new because the Gemfile is produced automatically from a template in the Rails library.
Use the --skip-bundle option when you generate a new Rails application:
rails new myapp --skip-bundle
This workaround is not an option if you are using an application template to generate a new Rails application as most application templates will run commands that require a successful bundle install.
Try toggling off the requirement to verify the SSL security certificate.
Create or modify the file called .gemrc in your home path and add the line:
:ssl_verify_mode: 0
For Mac OS and Linux, “home path” means ~/.gemrc. You can also create /etc/gemrc if you prefer. For Windows XP, “home path” means C:\Documents and Settings\All Users\Application Data\gemrc. For Windows 7, C:\ProgramData\gemrc. (Suggested by Andrew Fallows in a Stack Overflow discussion).
This is only a workaround. It opens a possible security vulnerability (discussed here).
Be sure to try possible solutions suggested below. Please leave a comment if they work (or don’t).
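Because these workarounds are meant to be temporary, it helps to check that none of them is still in place after the real fix. The Ruby script below is an added example, not part of the original page or of RubyGems. It flags :ssl_verify_mode: 0 and plain-http sources in the text of a .gemrc and a Gemfile. The sample file contents are constructed.

```ruby
require 'yaml'
require 'openssl'

# Flag settings in a .gemrc (YAML text) that weaken transport security.
def audit_gemrc(text)
  conf = YAML.safe_load(text, permitted_classes: [Symbol]) || {}
  findings = []
  # 0 is OpenSSL::SSL::VERIFY_NONE: the server certificate is not checked.
  if conf[:ssl_verify_mode] == OpenSSL::SSL::VERIFY_NONE
    findings << ':ssl_verify_mode is 0 (certificate verification disabled)'
  end
  Array(conf[:sources]).each do |src|
    findings << "gem source over plain http: #{src}" if src.to_s.start_with?('http://')
  end
  findings
end

# Flag `source 'http://...'` lines in a Gemfile, ignoring commented-out lines.
def audit_gemfile(text)
  text.each_line.with_index(1).flat_map do |line, n|
    m = line.match(/^\s*source\s+['"](http:\/\/[^'"]+)['"]/)
    m ? ["Gemfile line #{n}: source over plain http: #{m[1]}"] : []
  end
end

# Constructed sample: a .gemrc with both workarounds left in place.
SAMPLE_GEMRC = <<~GEMRC
  ---
  :ssl_verify_mode: 0
  :sources:
  - http://rubygems.org
GEMRC

# Constructed sample: a Gemfile whose https source was swapped for http.
SAMPLE_GEMFILE = <<~GEMFILE
  # source 'https://rubygems.org'
  source 'http://rubygems.org'
  gem 'rails'
GEMFILE

if __FILE__ == $PROGRAM_NAME
  puts audit_gemrc(SAMPLE_GEMRC), audit_gemfile(SAMPLE_GEMFILE)
end
```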
If you are using Wayne Seguin’s rvm, the Ruby Version Manager, there is an option to install Ruby with an OpenSSL package. Try:
$ rvm remove 1.9.x   # or whatever version of Ruby you are using
$ rvm pkg install openssl
$ rvm install 1.9.3 --with-openssl-dir=$rvm_path/usr
You may have to link your certs directory with /etc/ssl/certs:
$ rmdir $rvm_path/usr/ssl/certs
$ ln -s /etc/ssl/certs $rvm_path/usr/ssl
Doesn’t work for you? Please add to the comments below.
Mac OS 10.7 (Lion) has a current version of OpenSSL and certificate files and you are not likely to see an error (please leave a comment if you do).
Mac OS 10.6.8 and earlier versions are likely to have outdated versions of OpenSSL or certificate files.
Try updating your OpenSSL library using MacPorts. You’ll need to install MacPorts first.
$ sudo port sync; sudo port selfupdate; sudo port install openssl
...
$ openssl version
OpenSSL 1.0.1a 19 Apr 2012
Alternatively, some developers have suggested downloading an updated certificate file. This assumes you are using MacPorts and have a directory /opt/local/etc/openssl:
$ cd /opt/local/etc/openssl
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
$ sudo mv cacert.pem cert.pem
Since RubyGems 1.8.24 should be using self-installed certificates (installing its own .pem file), it’s not expected that you should have to install an updated OpenSSL library. If you find that the problem is resolved by updating OpenSSL even though you have installed RubyGems 1.8.24, please leave a comment below.
Doesn’t work for you? Please add to the comments below.
Fletcher Nichol shows how to download a cacert.pem file and set an environment variable to install the certificate authorities needed by the OpenSSL library.
You can also try hacking the open-uri source: How to Use an Application Template from Github when You’re Developing in Rails on Windows
Any advice to offer? Please add to the comments below.