bundle install fails with SSL certificate verification error

C

29

265

When I run bundle install for my Rails 3 project on Centos 5.5 it fails with an error:

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 
read server certificate B: certificate verify failed 
(https://bb-m.rubygems.org/gems/multi_json-1.3.2.gem)
An error occured while installing multi_json (1.3.2), and Bundler cannot continue.
Make sure that `gem install multi_json -v '1.3.2'` succeeds before bundling.

When I try to install the gem manually (by gem install multi_json -v '1.3.2') it works. The same problem occurs with several other gems. I use RVM (1.12.3), ruby 1.9.2, bundler 1.1.3.

How to fix it?

Carton answered 20/4, 2012 at 12:13 Comment(3)

Facing the same problem. But with another gem: Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (bb-m.rubygems.org/gems/activeresource-3.2.3.gem) – Bartie 20/4, 2012 at 16:31

I am having the same error with the same circumstances. I suspect, given these other responses, that it's a server-side issue. – Leisure 20/4, 2012 at 16:47

I had a similar problem in Rails 5. Fixed it by adding source "https://rubygems.org'' in the Gemfile and running 'gem update --system'. You can find more info here. – Reyesreykjavik 9/3, 2018 at 15:25

L

314

Update

Now that I've karma wh..err mined enough from this answer everyone should know that this should have been fixed.

re: via Ownatik again bundle install fails with SSL certificate verification error

gem update --system

My answer is still correct and left below for reference if that ends up not working for you.

Honestly the best temporary solution is to

[...] use the non-ssl version of rubygems in your gemfile as a temporary workaround.

via user Ownatik

what they mean is at the top of the Gemfile in your rails application directory change

source 'https://rubygems.org'

to

source 'http://rubygems.org'

note that the second version is http instead of https

Laurasia answered 22/4, 2012 at 1:28 Comment(17)

I'm accepting this answer, because that was the thing that I did at first. Later I changed my deploy strategy. Now I run bundle the application on another server and then I copy it (with gems in vendor directory) to the server I wrote about in the question. – Carton 2/5, 2012 at 6:48

This didn't work for me. The link provided by @fbernier below fixed it for me. – Royce 1/10, 2013 at 20:10

I also had to follow that link by @fbernier, particularly in that page's "alternative" section – Yukikoyukio 8/10, 2013 at 16:32

This doesn't work. Running this just provides output of Latest version currently installed. Aborting. Any other ideas? – Votary 3/11, 2013 at 22:49

Read this answer TL;DR: apt-get install openssl ca-certificates – Decembrist 26/11, 2013 at 12:53

In terms of changing the source, for newer people like me. I would specify that this file is located in your application directory. I was looking for it in the railsinstaller directory. Anyways, I changed the source and it finally worked. I am getting certificate errors when I try to run the update :( – Glogau 14/1, 2014 at 21:16

This did not work for me. Using Debian Jessie within Docker. Ruby 2.1.5p273, Gem 2.4.5, Bundler 1.7.8 – Avesta 9/12, 2014 at 3:10

With certificate issues: changing the source to insecure: gem sources -a http:// rubygems.org/ (don't forget to put secure back) – Para 14/12, 2014 at 20:39

gem update --system fails with the exact same certificate error :\ – Gui 16/12, 2014 at 16:23

This is an application-specific solution. Flextra provided a true solution. – Mewl 16/12, 2014 at 21:54

@Paul. I said in my answer this is a temporary solution. Thanks for pointing to Flextra's answer. Hopefully that works for others. I will still leave mine here because sometimes those other solutions dont work for everyone. This works regardless of external factors. and for someone who is just learning rails and just wants things to work that is fine – Laurasia 17/12, 2014 at 2:40

perfect answer, i had spent a lot of time searching for this answer – Orel 4/1, 2015 at 8:47

Hey can anyone please tell me where can we find the Gemfile in Ruby,it would be thanks if u specify the path – Supine 26/2, 2015 at 20:18

just incase if you are using RVM and the above solution doesnt work (which happened to me). just run rvm osx-ssl-certs update all. This wil update all certificates. more info here -> railsapps.github.io/openssl-certificate-verify-failed.html – Freedwoman 14/10, 2016 at 20:5

@Freedwoman that doesn't seem to help. I get the same error as Danny. – Manon 4/1, 2017 at 0:59

This sent me into a whole world of needing new RVM and bundler and ruby... – Symmetry 10/1, 2017 at 19:56

I experience Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://rubygems.org/ because we have enterprise Sophos firewall and I must somehow install Sophos certificate into gem system so that bundler will use it. How to do this? – Mewl 5/9, 2017 at 9:16

S

229

Replace the ssl gem source with non-ssl as a temp solution:

gem sources -r https://rubygems.org/
gem sources -a http://rubygems.org/

Stemson answered 8/8, 2013 at 15:28 Comment(10)

OMG worked like a charm! I'm on Windows 7 x64 behind a corporate proxy. Thanks a lot! – Fucoid 27/9, 2013 at 9:39

I'm surprised this was not ranked higher, this was the easiest quick fix. – Utter 1/10, 2013 at 19:41

good temp solution...be aware of the following :: RubyGems has been configured to serve gems via the following URLs through its history: * gems.rubyforge.org (RubyGems 1.3.6 and earlier) * rubygems.org (RubyGems 1.3.7 through 1.8.25) * rubygems.org (RubyGems 2.0.1 and newer) – Zebrass 9/10, 2013 at 18:46

fastest solution for me on Windows 8 – Attest 14/12, 2014 at 1:5

Problem is that it still attempts to get gem metadata from the https source. Any way to override this? – Surfing 30/12, 2014 at 20:6

@RaySuelzer the path should match exactly that string that in your options. type gem sources and watch actial value. then remove it. then add non https. anyway read my comment to be sure of desired behaviour. – Wolff 15/4, 2015 at 7:41

Also, make sure you're not MITMing yourself. I forgot I was running Charles Proxy. /facepalm – Ullyot 18/7, 2016 at 21:56

Imho this should not even be considered a valid answer, because it opens up your system to attacks from outside. – Skirl 31/1, 2017 at 22:3

Works on Windows 10 ! It's not the safest solution but really works. – Northeaster 10/2, 2017 at 9:53

This one won't work anymore. Guys at rubygems put stricter settings in place and non-http version is now redirected to https automatically since couple days ago. – Interact 10/12, 2020 at 18:51

W

163

The reason is old rubygems. You need to update system part using non ssl source first:

gem update --system --source http://rubygems.org/ (temporarily updating system part using non-ssl connection).

Now you're ready to use gem update.

Wolff answered 12/12, 2014 at 15:42 Comment(9)

Really simple solution that's cross-platform and allows RubyGems to take care of the details. Nice. – Cichocki 19/12, 2014 at 2:53

this was the one that should be accepted, the answers above don't explain that you need to remove the ssl sources first – Mease 11/2, 2015 at 20:54

Thanks - this is the ticket. If you get a "not in cache" message when adding or removing sources, try it with or without a trailing slash. It has to match exactly. – Roomette 25/3, 2015 at 23:17

I have searched trough many solutions. This is the one worked like a charm. Thank you! This should be choosen as the true solution. – Aeroballistics 10/9, 2015 at 13:49

Thank you!! I agree with others that this should be the accepted answer, as it doesn't result in you fetching gems through plain HTTP. – Lorislorita 24/10, 2015 at 16:19

if it is temporary fix why not to add --source http://rubygems.org/at the end of your install command? – Vesture 4/1, 2016 at 21:5

@user3705055 thanks, please, review changes for correctness. – Wolff 13/9, 2016 at 7:55

November 2016, and yet, this is still the only answer that works. Thanks! – Smegma 16/11, 2016 at 6:10

This doesn't seem to work for me (somehow still get an SSL error). EDIT: This worked in conjunction with asfallows' answer https://mcmap.net/q/49588/-bundle-install-fails-with-ssl-certificate-verification-error) – Manon 4/1, 2017 at 1:0

P

118

If you're on a mac and use a recent version of RVM (~1.20), the following command worked for me.

rvm osx-ssl-certs update

Pelagic answered 2/10, 2013 at 18:3 Comment(2)

Thanks, worked for me too. I was trying to install CocoaPods. rvm 1.22.15, OS X 10.8.5 – Tremaine 3/10, 2013 at 19:37

This is also pointed to in the error message "...see bit.ly/ruby-ssl". – Romaineromains 4/10, 2013 at 18:10

M

55

This issue should now be fixed. Update rubygems (gem update --system), make sure openssl is at the latest version on your OS, or try these tips of it's still not working: http://railsapps.github.com/openssl-certificate-verify-failed.html

Merlon answered 3/5, 2012 at 11:22 Comment(3)

Needed to update bundler as well to make it work (rubygems 2.0.3 + bundler 1.3.2 + cygwin openssl 1.0.1e works for me on winxp). – Evelyne 12/3, 2013 at 14:48

I had to update from 1.3.0, now I am on 1.3.4 and the https is no longer throwing the error: bundler-1.3.0/lib/bundler/vendor/net/http/persistent/ssl_reuse.rb:70:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server key exchange B: bad ecpoint (OpenSSL::SSL::SSLError) – Willman 3/4, 2013 at 2:50

It is not possible to update rubygems if the SSL certificate is not accepted! Running in circles here ;) – Lugworm 15/1, 2015 at 21:28

L

53

Temporary solution (as alluded to by Ownatik):

Create or modify a file called .gemrc in your home path, including the line :ssl_verify_mode: 0

This will prevent bundler from checking the SSL certificates of gems when it attempts to install them.

For *nix devices, 'home path' means ~/.gemrc. You can also create /etc/gemrc if you prefer. For Windows XP, 'home path' means c:\Documents and Settings\All Users\Application Data\gemrc. For Windows 7, C:\ProgramData\gemrc

Leisure answered 20/4, 2012 at 17:3 Comment(6)

%USERPROFILE%\.gemrc is also searched by gem on Windows. – Manas 2/12, 2012 at 12:54

Recommended file location for Windows 8? – Duquette 18/2, 2013 at 20:32

Removing ssl verification is temporary workaround that opens a security hole. Read more here: github.com/rubygems/rubygems/commit/… – Thayne 3/3, 2013 at 4:45

This is useful in my case; behind a corporate firewall that restricts all compressed files but allows them via https. – Labanna 10/7, 2013 at 8:7

Didn't try this solution, but in my case also worked when I added this content to the ~/.gemrc : :sources: - http://rubygems.org – Odometer 8/12, 2014 at 13:58

Worked for me. I couldn't use the "gem update --system" fix on our legacy system. – Shafting 19/3, 2015 at 13:41

B

18

On windows7 you can download the cacert.pem file from here and set the environementvariable SSL_CERT_FILE to the path where you store the certificate eg

SET SSL_CERT_FILE="C:\users\<username>\cacert.pem"

or you can set the variable in your script like this ENV['SSL_CERT_FILE']="C:/users/<username>/cacert.pem"

Replace <username> with you own username.

Bordiuk answered 21/3, 2014 at 18:17 Comment(2)

Thank you. Permanent fix is here. guides.rubygems.org/ssl-certificate-update – Conversationalist 15/10, 2015 at 7:44

This is the right permanent fix, and avoiding using unsecured http source. – Directional 19/10, 2016 at 18:39

B

15

The real solution to this problem, if you are using RVM:

Update rubygems: gem update --system
Use RVM to refresh SSL certs: rvm osx-ssl-certs update all

Hat tip to this tip on the RailsApps project!

Bobolink answered 22/10, 2013 at 3:50 Comment(1)

rvm osx-ssl-certs update all worked fine for me. Didnt need to to do step 1. – Correggio 24/7, 2015 at 14:2

E

9

You can download a list of CA certificates from curl's website at http://curl.haxx.se/ca/cacert.pem

Then set the SSL_CERT_FILE environment variable to tell Ruby to use it. For example, in Linux:

$ SSL_CERT_FILE=~/cacert.pem bundle install

(Reference: https://gist.github.com/fnichol/867550)

Exurbanite answered 18/10, 2013 at 5:36 Comment(1)

On Debian Buster I had to do this: SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt gem update --system – Predecessor 8/3, 2021 at 2:44

A

7

For those of you that have ruby installed through RVM and want a quick fix (preferring not to read per Bruno's request) just try this:

rvm remove 1.9.x (or whatever version of ruby you are using)
rvm pkg install openssl
rvm install 1.9.2 --with-openssl-dir=$rvm_path/usr

For a more details, here is the link where I found the solution.

http://railsapps.github.com/openssl-certificate-verify-failed.html

BTW, I didn't have to touch my certificates on Ubuntu.

Best of all, this isn't a workaround. It will download gems through SSL and fail if there if there is a problem like a man in the middle attack which is much better than just turning off security.

Archiepiscopate answered 27/4, 2012 at 19:35 Comment(4)

The page you link to has a "workaround" (first) and then proper solutions. It would be better if your answer stated that a bit more clearly. Nevertheless, using CA certificates (via cacert.pem or $rvm_path/usr/ssl) is indeed the right way to go. – Superfuse 27/4, 2012 at 19:43

Bruno, the solution will probably be a bit different depending on what flavor of Unix the person uses. It looks like reading the link will be necessary. – Archiepiscopate 28/4, 2012 at 12:19

I was just talking about the difference between the "workaround" on the page (:ssl_verify_mode: 0, which open problems), as opposed to any of the 3 solutions below it, which are the right way to fix this problem. – Superfuse 28/4, 2012 at 12:30

@Bruno, I've revised my article, please add comments or edit the wiki if you see possibilities for improvements. – Rotation 29/4, 2012 at 1:16

N

6

This has been fixed

http://guides.rubygems.org/ssl-certificate-update/

Now that RubyGems 2.6.x has been released, you can manually update to this version.

Download https://rubygems.org/downloads/rubygems-update-2.6.7.gem

Please download the file in a directory that you can later point to (eg. the root of your harddrive C:)

Now, using your Command Prompt:

C:\>gem install --local C:\rubygems-update-2.6.7.gem
C:\>update_rubygems --no-ri --no-rdoc

After this, gem --version should report the new update version.

You can now safely uninstall rubygems-update gem:

C:\>gem uninstall rubygems-update -x

Niece answered 20/10, 2016 at 12:25 Comment(0)

M

5

Simple copy paste instruction given here about .pem file

https://gist.github.com/luislavena/f064211759ee0f806c88

For certificate verification failed

If you've read the previous sections, you will know what this means (and shame > on you if you have not).

We need to download AddTrustExternalCARoot-2048.pem. Open a Command Prompt and type in:

C:>gem which rubygems C:/Ruby21/lib/ruby/2.1.0/rubygems.rb Now, let's locate that directory. From within the same window, enter the path part up to the file extension, but using backslashes instead:

C:>start C:\Ruby21\lib\ruby\2.1.0\rubygems This will open a Explorer window inside the directory we indicated.

Step 3: Copy new trust certificate

Now, locate ssl_certs directory and copy the .pem file we obtained from previous step inside.

It will be listed with other files like GeoTrustGlobalCA.pem.

Milan answered 27/12, 2014 at 14:9 Comment(0)

V

4

same problem but with different gem here:

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 
read server certificate B: certificate verify failed 
(https://bb-m.rubygems.org/gems/builder-3.0.0.gem)
An error occured while installing builder (3.0.0), and Bundler cannot continue.
Make sure that `gem install builder -v '3.0.0'` succeeds before bundling.

temporarily solution: gem install builder -v '3.0.0' makes it possible to continue bundle install

Velvavelvet answered 20/4, 2012 at 12:36 Comment(3)

You can also use the non-ssl version of rubygems in your gemfile as a temporary workaround. – Merlon 20/4, 2012 at 12:38

I did it and it works. For now, that's a sufficient solution. – Carton 20/4, 2012 at 13:29

I have a same problem over here. So @Ownatik how to use ssl version of rubygems? – Enjoy 20/4, 2012 at 13:47

S

4

The simplest solution:

rvm pkg install openssl
rvm reinstall all --force

Voila!

Scoff answered 16/10, 2013 at 14:20 Comment(3)

What does this actually do to my system? – Sisterhood 10/3, 2015 at 1:12

rvm pkg is deprecated now, anyway. – Adrienadriena 1/12, 2021 at 16:1

@Adrienadriena it gives a warning but still works – Sanative 16/5, 2022 at 20:48

G

4

This is How you fix this problem on Windows:

download .perm file then set the SSL_CERT_FILE in command prompt

https://gist.github.com/fnichol/867550

Grip answered 29/7, 2014 at 20:23 Comment(0)

D

4

My permanent fix for Windows:

Download the CACert , save as C:\ruby\ssl_certs\GlobalSignRootCA.pem from http://guides.rubygems.org/ssl-certificate-update/
Create system variable named "SSL_CERT_FILE", set to C:\ruby\ssl_certs\GlobalSignRootCA.pem.
Try again: gem install bundler:

C:\gem sources
*** CURRENT SOURCES ***
https://rubygems.org/

C:\gem install bundler
Fetching: bundler-1.13.5.gem (100%)
Successfully installed bundler-1.13.5
1 gem installed

Directional answered 19/10, 2016 at 18:47 Comment(0)

S

3

I get a slightly different error, though perhaps related, on Ubuntu 12.04:

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure (https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem)
An error occured while installing activesupport (3.2.3), and Bundler cannot continue.
Make sure that `gem install activesupport -v '3.2.3'` succeeds before bundling.

It happens when I run bundle install with source 'https://rubygems.org' in a Gemfile.

This is an issue with OpenSSL on Ubuntu 12.04. See Rubygems issue #319.

To fix this, run apt-get update && apt-get upgrade on Ubuntu 12.04 to upgrade your OpenSSL.

Simsar answered 28/4, 2012 at 14:40 Comment(0)

A

3

I was able to track this down to the fact that the binaries that rvm downloads do not play nice with OS X's OpenSSL, which is old and is no longer used by the OS.

The solution for me was to force compilation when installing Ruby via rvm:

rvm reinstall --disable-binary 2.2

Anticipant answered 18/10, 2016 at 19:20 Comment(1)

This worked for me. You need to replace "2.2" w/ the ruby version you're using – Corycorybant 20/12, 2016 at 0:37

V

3

Thx to @Alexander.Iljushkin for:

gem update --system --source http://rubygems.org/

After that bundler still failed and the solution to that was:

gem install bundler

Vasileior answered 18/12, 2016 at 19:48 Comment(0)

R

2

I was getting a similar error. Here is how I solved this: In your path directory, check for Gemfile. Edit the source in the gemfile to http instead of https and save it. This might install the bundler without the SSL certificate issue.l

Relucent answered 24/3, 2014 at 17:53 Comment(0)

I

2

For Windows machine, check your gem version with

gem --version

Then update your gem as follow:

Running 1.8.x: download 1.8.30
Running 2.0.x: download 2.0.15
Running 2.2.x: download 2.2.3

Please download the file in a directory that you can later point to (eg. the root of your hard drive C:)

Now, using your Command Prompt:

C:\>gem install --local C:\rubygems-update-1.8.30.gem
C:\>update_rubygems --no-ri --no-rdoc

Now, bundle install will success without SSL certificate verification error.

More detailed instruction is here

Incus answered 17/6, 2016 at 0:11 Comment(0)

R

2

If you're using `rails-assets`

If you were using https://rails-assets.org/ to manage your assets, no answers will help you. Even converting to http won't help.

The simplest fix is using this source instead, http://insecure.rails-assets.org. This has been mentioned in their homepage.

Radloff answered 30/4, 2017 at 10:52 Comment(0)

M

1

This worked for me:

download latest gem at https://rubygems.org/pages/download
install the gem with gem install --local [path to downloaded gem file]
update the gems with update_rubygems
check that you're on the latest gem version with gem --version

Misbecome answered 12/10, 2016 at 20:8 Comment(0)

H

1

I had to reinstall openssl:

brew uninstall --force openssl
brew install openssl

Henslowe answered 4/11, 2016 at 19:37 Comment(0)

F

1

I was just recently faced with this issue and followed the steps outlined here. There might be a chance that you are not pointing to the right OpenSSL certificate. After running:

rvm osx-ssl-certs status all
rvm osx-ssl-certs update all

and

export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

the bundle complete ran!

Fruitless answered 5/1, 2017 at 7:30 Comment(0)

C

1

Download rubygems-update-2.6.7.gem .

Now, using your Command Prompt:

C:\>gem install --local C:\rubygems-update-2.6.7.gem
C:\>update_rubygems --no-ri --no-rdoc

After this, gem --version should report the new update version.

You can now safely uninstall rubygems-update gem:

C:\>gem uninstall rubygems-update -x
Removing update_rubygems
Successfully uninstalled rubygems-update-2.6.7

Carrington answered 11/1, 2017 at 7:24 Comment(0)

A

1

To note, if you're grabbing gems from a source which SSL cert is trusted by an internal certificate authority (or you are connecting to an external source through a company web proxy with SSL inspection), point your SSL_CERT_FILE env variable to your certificate chain. This most likely just requires exporting your root certificate from your certificate store (System Keychain on macOS) to an accessible location from your shell i.e.:

export SSL_CERT_FILE=~/RootCert.pem

Archoplasm answered 7/3, 2017 at 13:40 Comment(0)

A

0

The only thing that worked for me on legacy windows system and ruby 1.9 version is downloading cacert file from http://guides.rubygems.org/ssl-certificate-update/

And then running below command before running bundle install

bundle config --global ssl_ca_cert /path/to/file.pem

Arreola answered 18/8, 2017 at 7:39 Comment(0)

M

0

Here is what I came up by looking at Rubygems code, add that line to your .gemrc file:

:ssl_ca_cert: /<path to your own CA cert >/cacert.cer

March answered 20/8, 2023 at 19:12 Comment(0)

If you're using `rails-assets`

Recommended topics

Hot tags

If you're using rails-assets

Recommended topics

Hot tags

If you're using `rails-assets`