Login/Register
How to solve "certificate verify failed" on Windows?
Asked Answered
Solved ruby-on-railsssl
D

15

75

I am trying to use signet for OAuth to Google services. And get this error:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Following these questions:

Seems the solution is either to fix ca_path or to set VERIFY_NONE for SSL.

The ca_path fix posted only works on Linux (port install) and the fix for VERIFY_NONE seems to be for faraday.

Is there a solution for Windows/signet gem?

Deirdra answered 19/4, 2011 at 17:49 Comment(4)
I'm having the same issue, only with the paypal_adaptive gem. Anyone find an answer?Sparky
The problem seems to persist, and I've never seen a real explanation of what is happening, despise the many hacks and patches that exist. A simple lay-person's explanation would go a long way to helping everyone.Perichondrium
I solved it by stopping to use signet and using just the ruby OAuth gem directlyDeirdra
Just an FYI, we were connecting to a 3rd party server temporarily that had certificate issues so we had to use IO.copy_stream( open( url, { ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE } ), download_path ) to just disable the SSL verification. In our case, security wasn't an issue, the server was out of our control and it was a temporary solution.Arhat
R
192

Actually the best way I found to solve this in windows for Ruby itself, not just one gem, is to do the following:

  1. Download https://curl.haxx.se/ca/cacert.pem into c:\railsinstaller\cacert.pem. Make sure you save it as a .pem file, rather than a text file.
  2. Go to your Computer -> Advanced Settings -> Environment Variables

  3. Create a new System Variable:

    Variable: SSL_CERT_FILE Value: C:\RailsInstaller\cacert.pem

  4. Close all your command prompts, including your Rails server command prompt, etc.

  5. Start a new ruby irb prompt, and try the following:

    $irb>require 'open-uri'
$irb>open('https://www.gmail.com')

It should all work now just fine.

Rang answered 21/4, 2013 at 18:18 Comment(11)
why are we poening gmail.com?Sherri
When you go into irb, it's usually within the context of an app. Does it matter which one you do it in? Do you have to do it for each app every time? Anyhow, it worked for the app that I typed this into.Sherri
FYI when I was working with librarian-chef which downloads chef cookbooks, I needed this cert that comes with Chef instead: C:/opscode/chefdk/embedded/ssl/certs/cacert.pemDewittdewlap
For windows users ensure file saved as "cacert.pem" and not "cacert.pem.txt". Also followed the Workaround RubyGems' SSL errors on Ruby for Windows (RubyInstaller)Jube
Being that I only installed ruby/gems to install sass, this option worked well for me. thanks.Ethiopian
Don't do this. Installing a randomly certificate, downloaded over HTTP (not HTTPS), as a fully trusted root certificate is just asking for trouble. Never mind that the library suggested later in the answer is also known for being insecure.Volauvent
@MatthewSchinckel What is a better solution?Anthracoid
I don't have a better solution. I'm just saying this is a bad solution.Volauvent
@DevDude This solution was working a few months ago. After a recent Windows update for me both my Desktop and Laptop this doesn't work anymore =/ Any ideas?Fiat
Best solution as it let the code free of any Windows specificity.Bicolor
Or you can add set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem to your PATH using regedit.Groff
E
28

Solution for Windows, which I cobbled together from a few different answers:

  1. Download https://curl.haxx.se/ca/cacert.pem and put it in YOUR_APP/lib/assets (or wherever)

  2. In config/initializers/omniauth.rb:

     #config/initializers/omniauth.rb
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :facebook, CUSTOMER_KEY, CUSTOMER_SECRET, {client_options: {ssl: {ca_file: Rails.root.join('lib/assets/cacert.pem').to_s}}}
end

  3. Obviously, restart your server.

Footnotes: You might be able to cut out a lot of the unnecessary certificates in the cacert.pem file to reduce the size. If you only need this solution for development, you could save the file outside of your project and do a if Rails.env.development? _provider line with the client_options hash_ else _provider line without client_options hash_ end

Epineurium answered 12/11, 2011 at 2:5 Comment(1)
Downloading a certificate over HTTP is a terrible idea.Macula
G
21

After too much searching and wasted time, I found a very simple solution to fix this issue in Ruby with Windows.

Two simple steps:

  1. In command prompt write: C:\gem install certified

  2. In your rb file add: require 'certified'

That's it.

Generality answered 22/5, 2016 at 19:26 Comment(3)
You sir, are a champ! Note, you should use the certified-update.bat file once in a while to keep the certificate up to date.Beery
Ruby noob here - when you say "In your rb file", what exact file are you referring to? Would this be the boot.rb file?Slaty
I mean with your ruby file or your script with extension rb, it should including the following line : require 'certified'Generality
G
9

yes, I've set the omniouth.rb file in the initializers folder to this:

provider :facebook, FACEBOOK_KEY, FACEBOOK_SECRET, {:client_options => {:ssl => {:verify => false}}}

and this seems to work fine now. But don't use this for production.

Granulose answered 21/5, 2011 at 11:17 Comment(1)
I appreciate the "don't use this in production" but I feel like it should be in all caps, highlighted, repeated, emphasized, and reiterated. Given the answer below, I feel like this answer should be deleted.Renegado
S
9

Updating the rubygems package management framework solved this issue for me on Windows 7.

https://rubygems.org/pages/download

gem update --system          # may need to be administrator or root
Steenbok answered 2/1, 2015 at 2:42 Comment(1)
This solved it for me on Windows 8.1. Had gem version 1.8.28 and upgraded to 2.4.5 (ruby 1.9.2).Frae
D
5

Using the http:// URL instead of https:// make this easier to you

Change the gem source to http://rubygems.org/ by using the following line of command on your ruby command line 

gem sources -a http://rubygems.org/
Dorcia answered 28/10, 2016 at 7:12 Comment(0)
D
2

Adding onto DevDude's solution, but using Windows Powershell:

Download http://curl.haxx.se/ca/cacert.pem into c:\railsinstaller\cacert.pem

At the powershell prompt:

$env:SSL_CERT_FILE = 'c:\RailsInstaller\cacert.pem'

I was then able to run gem update successfully

Note: you can simply define that environment variable in your profile notepad $profile

Drisko answered 20/12, 2014 at 20:27 Comment(1)
Downloading a certificate not over SSL is opening yourself up for a MITM attack.Volauvent
E
2

Go to the rubygems-update download page: https://rubygems.org/gems/rubygems-update

Click on the Download link, and you'll download a file called rubygems-update-2.6.7.gem. At the command line, navigate to the directory you downloaded the .gem file to and type:

gem install rubygems-update-2.6.7.gem

(or whatever the filename was, if a newer version)

Then type:

update_rubygems

You can verify it's updated with:

gem --version
Elephantine answered 21/10, 2016 at 21:53 Comment(0)
C
1

I had this error whilst trying to setup rails 5 on a windows machine, turns out I had to update the rubygem version to 2.6.7 and then it worked.

step 1 download rubygem from below

https://rubygems.org/downloads/rubygems-update-2.6.7.gem

step 2 - install by pointing to downloaded rubygems

gem install --local C:\rubygems-update-2.6.7.gem

step 3 - check new version is 2.6.7

gem --version

step 4 - now safely un-install rubygems-update gem

gem uninstall rubygems-update -x

step 5 tried to install rails 5 again

gem install rails --version 5.0.0

worked like a charm!

I got info from: http://guides.rubygems.org/ssl-certificate-update/#installing-using-update-packages

Choice answered 4/1, 2017 at 17:30 Comment(0)
G
0

I was able to eliminate the PATH or SYSTEM VARIABLE setting mentioned above by importing the certificate as a Trusted Authority.

  1. Invoke certmgr.msc
  2. Right-click the Trusted Root Certificate Authority folder.
  3. Select "All Tasks"
  4. Select "Import"
  5. Select All Files in file type dropdown and select the cacert.pem file.
  6. You should receive a message "Import Successful"
Goring answered 3/3, 2016 at 18:35 Comment(0)
K
0

I believe the correct answer is to update your gem installer: rubygems-update. The explanation for why this is needed is found at: Ssl Certificate Updates

Kristenkristi answered 16/10, 2016 at 13:44 Comment(0)
J
0

save your cacert.pmp file from https://curl.haxx.se/ca/cacert.pem and then add this file to location yourruby-installation folder\lib\ruby\2.3.0\rubygems\ssl_certs

for example:C:\Ruby23\lib\ruby\2.3.0\rubygems\ssl_certs

Juliettajuliette answered 22/11, 2016 at 8:22 Comment(0)
P
0

This helped me: https://coderwall.com/p/ubl6iw/fix-ssl_connect-returned-1-errno-0-state-sslv3-read-server-certificate-b-certificate-verify-failed-openssl-ssl-sslerror My ruby on rails project is posting data to an api internally, and it cannot verify the internal certificate. These lines helped:

require 'https'

http = Net::HTTP.new('example.com', 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

http.cert_store = OpenSSL::X509::Store.new
http.cert_store.set_default_paths
http.cert_store.add_file('/path/to/internal.cert.pem')

Hope this can help.

Psf answered 20/1, 2017 at 16:32 Comment(0)
P
0

I was also facing this issue when I installed older ruby versions. When I installed the latest Ruby version this problem went away. So basically the SSL certificate needed to be updated.

Phatic answered 6/3, 2017 at 17:18 Comment(0)
B
-3

For people who are using rails 4.

Add this in devise.rb 

require "omniauth-google-oauth2"
config.omniauth :google_oauth2, "CLIENT_ID", "CLIENT_SECRET", { access_type: "offline", approval_prompt: "", :client_options => {:ssl => {:verify => false}} }
Barbiebarbieri answered 18/11, 2014 at 6:50 Comment(1)
{:ssl => {:verify => false}} is not the solution, it just creates another problem.Renegado

© 2022 - 2024 — McMap. All rights reserved.