"Certificate verify failed" OpenSSL error when using Ruby 1.9.3

Asked 12/11, 2011 at 0:4 Answered 16/2, 2016 at 10:26

Solved ruby-on-rails ruby ruby-on-rails-3.1 openssl rvm

I'm using Ruby 1.9.3p0 on Mac OS 10.6.8 (installed using rvm). When I attempt to create a new Rails application using an application template hosted on GitHub, with this (for example):

$ rails new myapp -m https://github.com/RailsApps/rails3-application-templates/raw/master/rails3-mongoid-devise-template.rb -T -O

I get this error message:

/Users/me/.rvm/rubies/ruby-1.9.3-p0/lib/ruby/1.9.1/net/http.rb:799:in `connect': SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed 
(OpenSSL::SSL::SSLError)

I understand the Ruby language interpreter is using OpenSSL to connect to GitHub to request the application template file. GitHub requires all connections to be made using SSL. The connection failed because OpenSSL was unable to verify the server certificate.

I was able to resolve the issue by downloading a certificates file:

$ cd /opt/local/etc/openssl
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
$ sudo mv cacert.pem cert.pem

I had no problem using Ruby 1.9.2. Why did I get the "certificate verify failed" problem for Ruby 1.9.3? Is this a Ruby 1.9.3 bug? Is it specific to Mac OS 10.6.8? Is my solution the right way to resolve this?

Overplay answered 12/11, 2011 at 0:4 Comment(4)

Had this issue a few month ago with another gem which is using net/http. Solved it this way: Koala.http_service.ca_path = "/etc/ssl/certs/" So you may have to add your CA-Path in your case too. – Blues 12/11, 2011 at 0:26

Daniel - getting the exact same error doing the same thing! How did you resolve it? tried the 3 lines above - no joy. – Adeliaadelice 29/1, 2012 at 0:11

Hi Bob - Sorry to see that bug is still biting. I don't have a resolution to offer as it's all working fine for me after updating my certificates as described above. It's system specific, so rather difficult to diagnose. It might be an rvm issue. – Overplay 29/1, 2012 at 0:46

Take a look at my answer here https://mcmap.net/q/102208/-openssl-ssl-sslerror-on-heroku-duplicate – Barbbarba 7/6, 2013 at 12:1

There are lots of moving parts involved in the correct answer. Depends on your OS, Ruby version, OpenSSL version, Rubygems version. I ended up writing an article after researching it. My article explains the reasons for the error, offers steps for further diagnosis, shows several workarounds, and suggests possible solutions. This will be helpful:

OpenSSL Errors and Rails – Certificate Verify Failed

There are also links to the relevant commits and issues on GitHub.

Overplay answered 12/11, 2011 at 0:4 Comment(1)

If you are on windows, click through to the solution for Windows and don't forget to set the SSL_CERT environment variable and close and reopen the terminal. So good to finally get a resolution! – Guelders 24/10, 2013 at 6:55

For me this occurred on OS X with homebrew after updating to the latest RVM (rvm 1.20.12) and then installing ruby-1.9.3-p429. I could reproduce the issue simply by running:

$ rvm use ruby-1.9.3-p429
$ irb
1.9.3p429 :001 > require 'open-uri'; open 'https://google.com'
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/net/http.rb:800:in `connect'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/net/http.rb:800:in `block in connect'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/timeout.rb:55:in `timeout'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/timeout.rb:100:in `timeout'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/net/http.rb:800:in `connect'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/net/http.rb:756:in `do_start'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/net/http.rb:745:in `start'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:306:in `open_http'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:775:in `buffer_open'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:203:in `block in open_loop'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:201:in `catch'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:201:in `open_loop'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:146:in `open_uri'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:677:in `open'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:33:in `open'
    from (irb):1
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/bin/irb:16:in `<main>'1.9.3p429 :002 >

The solution was similar to that in the question, but the path was wrong. Running this fixed it:

curl https://curl.haxx.se/ca/cacert.pem -o /usr/local/etc/openssl/cert.pem

The clue as to the correct path was that when I was installing ruby-1.9.3-p429 via RVM this showed in the output:

Certificates in '/usr/local/etc/openssl/cert.pem' already are up to date.

I had the /usr/local/etc/openssl path, but no cert.pem file in that directory, so I'm not sure why RVM claimed the certificates were up to date. It would be nice to know why I had to do this in first place, but I don't have time to investigate now.

Unswear answered 24/5, 2013 at 18:47 Comment(3)

curl http://curl.haxx.se/ca/cacert.pem -o /usr/local/etc/openssl/cert.pem exactly what I needed. thanks – Guadiana 18/6, 2013 at 21:49

Note this was actually a bug with RVM: github.com/wayneeseguin/rvm/issues/1920. It's been fixed since. – Unswear 9/7, 2013 at 0:31

Thank you a lot! I'm using Ruby 1.8.7-p370 and had to run this: curl http://curl.haxx.se/ca/cacert.pem -o /etc/ssl/certs/ca-certificates.crt to solve the problem. Your tip is great! – Xenogamy 22/7, 2013 at 3:1

I had the same problem, having compiled my RVM Ruby against an RVM install of OpenSSL. I moved the cacerts.pem file as downloaded by the original poster under ~/.rvm/usr/ssl/cert.pem to make the problem go away.

Forbidding answered 25/5, 2012 at 6:49 Comment(3)

Thank you man, I tried all the shenanigans, but your tip solved it! – Centriole 22/6, 2012 at 13:39

This almost worked for me, but I had to put cacerts.pem file at /usr/local/etc/openssl/cert.pem. Here's the details of my problem and solution: https://mcmap.net/q/102209/-quot-certificate-verify-failed-quot-openssl-error-when-using-ruby-1-9-3 – Unswear 24/5, 2013 at 19:22

I didn't have a cert.pem, so I created one under ~/.rvm/usr/ssl and copy and cert.pem from curl.haxx.se. Unfortunately, am still getting the same Faraday issue: Certificate Verify Failed. Am using Ruby 1.9.3 and koala version 1.6.0 (not sure if that is relevant though). – Guelders 24/10, 2013 at 6:47

I was having the same problem.

The way I finally fixed it was by upgrading my version of OpenSSL I had installed through MacPorts. I was running a version of OpenSSL from 2009 so I have upgraded my MacPorts installation then upgraded my OpenSSL installtion via the ports command line interface and the error disappeared.

There must be some integration between Ruby/Rails and OpenSSL on Mac based installations that goes without saying. In my case I was having problems getting the Login with Facebook to work properly when Facebook was sending the oAuth/Login token back to my app, Devise & OmniAuth must have needed a valid SSL cert for graph.facebook.com which wasn't in my old version of OpenSSL.

Brandonbrandt answered 18/2, 2012 at 18:9 Comment(1)

Thanks! The best thing may be to use rvm to install a fresh copy of openssl as described here: beginrescueend.com/packages/openssl. – Overplay 18/2, 2012 at 22:50

Openssl certification directory is /usr/lib/ssl/ in Debian. So, following three lines was enough for me,

$ cd /usr/lib/ssl/
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
$ sudo mv cacert.pem cert.pem

Bibliophage answered 25/8, 2013 at 11:40 Comment(0)

It could possibly be because of how you built 1.9.2 and 1.9.3 — maybe whatever tool you used to build each configured things slightly differently. Or maybe they use different versions of OpenSSL.

Here is the only potentially relevant change I could spot to Net:HTTP between 1.9.2 and 1.9.3

 require 'net/protocol'
-autoload :OpenSSL, 'openssl'
 require 'uri'
+autoload :OpenSSL, 'openssl'

(if you want to view the diff...)

git clone https://github.com/ruby/ruby.git
cd ruby
git diff origin/ruby_1_9_2 origin/ruby_1_9_3 -- http.rb

Playboy answered 12/11, 2011 at 2:46 Comment(1)

I used rvm to install both Ruby 1.9.2 and 1.9.3. – Overplay 12/11, 2011 at 3:33

I had a similar issue but not on Rails, but on just Ruby on Windows. I resolved it by using the cacert.pem certificate and setting the location of the certificate to the environmental variable "SSL_CERT_FILE"

Detailed answer here: https://mcmap.net/q/100200/-ssl_connect-returned-1-errno-0-state-sslv3-read-server-certificate-b-certificate-verify-failed

Sulphide answered 16/2, 2016 at 10:26 Comment(0)

Recommended topics

Hot tags