openssl certificate verify failed

Daniel Kehoe edited this page Mar 12, 2013 · 32 revisions

OpenSSL Errors and Rails – Certificate Verify Failed – Gem::RemoteFetcher::FetchError

by Daniel Kehoe

Last updated 6 March 2013

Are you getting an error “OpenSSL certificate verify failed” with Ruby?

Or an error “Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0”?

You may be seeing Ruby problems with OpenSSL because of conflicts with older versions of OpenSSL or outdated certificate files.

Here are suggestions.

This is a note for developers using the example applications and tutorials from the Rails Apps project. If you’re getting started with Rails, or want an easier way to get started building your applications, see the Rails Apps example applications and tutorials.

Errors with Ruby 2.0

Check RubyGems Version

If you get OpenSSL errors with Ruby 2.0, make sure you are using RubyGems 2.0.3 or newer:

$ gem -v

Use gem update --system to upgrade the RubyGems system gem if necessary.

For more help, see the article Installing Rails.

Old Versions of OpenSSL

The version of OpenSSL that comes with Mac OS X 10.8 is too old for Ruby 2.0. You need to install a newer one with RVM or Homebrew.

You should have OpenSSL 1.0.1e or newer installed in your environment:

$ openssl version

If you are using RVM, the newest version of RVM will install OpenSSL automatically. See the article Installing Rails. This may be the easiest solution.

You can also install Homebrew and try this:

$ brew update
$ brew install openssl
$ brew link openssl --force
$ brew install curl-ca-bundle

If OpenSSL is up to date, you may be having problems with outdated certificate files.

James Tucker (raggi) has released a simple script (openssl-osx-ca) that uses Homebrew to update the OpenSSL security certificates found in the Mac OS X Keychain. The script replaces the outdated OpenSSL security certificates on your Mac with new certificates from Mozilla.org.

$ brew tap raggi/ale
$ brew install openssl-osx-ca

Doesn’t work for you? Please add to the comments below.

Errors with Ruby 1.9.3

You may have received an error message if you’ve tried to create a new Rails application.

For example, you may have entered:

$ rails new myapp

or created a new Rails application using an application template:

$ rails new myapp -m https://raw.github.com/RailsApps/rails-composer/master/composer.rb

and seen the following error message:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

or

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B

Here is an explanation and suggested solutions.

What is Happening

When creating a new Rails application, the Ruby language interpreter uses OpenSSL to connect to https://rubygems.org/. The Gemfile installed by the rails new command specifies https://rubygems.org/ as the source for gems and requires an SSL connection.

In the case of a new application generated from an application template hosted on GitHub, the Ruby language interpreter uses OpenSSL to connect to GitHub. GitHub requires all connections to be made using SSL.

The error message indicates the connection failed because OpenSSL was unable to verify the server certificate.

Prior to 20 April 2012, the error likely resulted when the certificate file on your computer was out of date, missing, or couldn’t be found.

On 20 April 2012, Ruby 1.9.3-p194 was released incorporating RubyGems 1.8.23 which included two security fixes:

  • verification of server SSL certs is required when RubyGems connects to an https server
  • RubyGems no longer allows redirects from https to http servers

This is the commit to RubyGems that implemented the security fixes: Insecure connection to SSL repository. Following the release, an issue was reported for an SSL_connect failure when running ‘rails new’.

Following the release of RubyGems 1.8.23, the RubyGems team identified a problem with misconfiguration of SSL certificates on the https://rubygems.org/ server. The RubyGems team fixed the SSL certificates on 24 April 2012.

RubyGems 1.8.23 was supposed to install a .pem file containing current SSL certificates but didn’t do so, according to this issue: 1.8.23 actually does not install pem file. This commit Install the .pem files properly fixed the problem and was released on 27 April 2012 with RubyGems 1.8.24 (RubyGems changelog). The 1.8.24 release also eliminated a problematic dependency on OpenSSL for http connections.

At the current time (after 1 May 2012), if you are seeing an error when you create a new Rails application, it is likely that you need to update OpenSSL or certificate files on your computer. Users of older versions of Mac OS X and Ubuntu operating systems are likely to see these errors. Upgrading your OS will resolve the issues. Alternatively, you can update OpenSSL as described below.

Check RubyGems issues on GitHub and look for recent updates to the issue SSL_connect failure when running ‘rails new’. You may find more information on Stack Overflow, especially this discussion: Bundle install fails with SSL certificate verification error. And please read the comments below.

Diagnosis

What’s your operating system version?

$ uname -srv

It is advisable to upgrade your operating system if older than Mac OS X 10.8 (Mountain Lion) or Ubuntu 12.04 (Precise Pangolin).

What version of Ruby are you using?

$ ruby -v

If it’s older than Ruby 2.0.0-p0 or Ruby 1.9.3-p392 you should upgrade. See the article Installing Rails.

Be sure you are using RubyGems 2.0.0 or newer:

$ gem -v

Update RubyGems if necessary:

$ gem update --system

Check your OpenSSL version:

$ openssl version

You should see OpenSSL 1.0.1 or newer. If not, try updating OpenSSL (see below).

A curl -I command should show that the rubygems.org file host is available and responding:

$ curl -I https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem
HTTP/1.0 200 OK
...

Try executing remote_fetcher directly to download a gem from the rubygems.org file host:

$ ruby -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")).bytesize'
Fetching: rake-0.9.2.2.gem (100%)

If you’ve updated OpenSSL or upgraded your OS, and you’re still getting the error “SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure”, run the diagnostic below and add your report to the issue SSL_connect failure when running ‘rails new’. Please supply details: OS version, Ruby version, RubyGems version, OpenSSL version, error message.

% ruby -d -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")).bytesize'
% ruby -rrbconfig -e 'p Dir.glob(File.join(RbConfig::CONFIG["sitelibdir"], "rubygems/ssl_certs/*"))'
% ruby -rhttpclient -e 'h = HTTPClient.new; h.ssl_config.verify_callback = proc { |ok, ctx|; p ctx.current_cert; ok }; h.get("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")'
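The following is an added Ruby example, not code from this wiki or from the RubyGems project. It reproduces in memory the failure described under “What is Happening” and records the same information the httpclient verify_callback command above prints: a throwaway root CA and a server certificate signed by it are constructed, then the server certificate is verified with the root absent from the CA bundle, supplied only by the server, and finally present in the bundle. The certificate names and the temporary bundle file are assumptions of the example.

```ruby
require 'openssl'
require 'tempfile'
# Constructed test material: a throwaway root CA and the server cert it signs.
def build_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))   # sign returns the certificate
end
CA_KEY    = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = build_cert('/CN=Constructed Test Root CA', CA_KEY, ca: true)
LEAF_CERT = build_cert('/CN=gems.example.test', LEAF_KEY, issuer: CA_CERT, issuer_key: CA_KEY)

# Verify a server cert against a CA bundle on disk, the way OpenSSL consults
# cert.pem / cacert.pem. `chain` stands in for the extra certificates a server
# sends in the handshake; the block records what the verify callback sees.
def verify_against_bundle(leaf, bundle_pem, chain = [])
  Tempfile.create(['bundle', '.pem']) do |f|
    f.write(bundle_pem)
    f.flush
    store = OpenSSL::X509::Store.new
    store.add_file(f.path) unless bundle_pem.empty?   # an empty bundle cannot be loaded
    seen = []
    ok = store.verify(leaf, chain) do |preverify_ok, ctx|
      seen << [ctx.error_depth, ctx.current_cert&.subject.to_s, ctx.error_string] unless preverify_ok
      preverify_ok
    end
    { ok: ok, error: store.error, reason: store.error_string, callback: seen }
  end
end

# The cases the page describes: no usable CA bundle (the error users see), the
# server shipping its own root (still untrusted), and the root in the bundle.
def demo
  {
    missing_ca:   verify_against_bundle(LEAF_CERT, ''),
    ca_in_chain:  verify_against_bundle(LEAF_CERT, '', [CA_CERT]),
    ca_in_bundle: verify_against_bundle(LEAF_CERT, CA_CERT.to_pem)
  }
end
```

The first two cases fail with OpenSSL error codes 20 (unable to get local issuer certificate) and 19 (self-signed certificate in certificate chain); only the bundle that contains the root verifies, which is why updating the certificate file, not disabling verification, is the fix.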

You can try several workarounds to isolate the error conditions. Please don’t rely on a workaround for anything other than a temporary solution. Attempt the suggested resolutions (below) and file an issue report if they don’t work.

Workaround #1

Try changing your Gemfile to use an http connection for your gem source. Instead of source 'https://rubygems.org' use:

source 'http://rubygems.org'

This workaround is not an option if you are running rails new because the Gemfile is produced automatically from a template in the Rails library.

Workaround #2

Use the --skip-bundle option when you generate a new Rails application:

rails new myapp --skip-bundle

This workaround is not an option if you are using an application template to generate a new Rails application as most application templates will run commands that require a successful bundle install.

Workaround #3

Try toggling off the requirement to verify the SSL security certificate.

Create or modify the file called .gemrc in your home path and add the line:

:ssl_verify_mode: 0

For Mac OS and Linux, “home path” means ~/.gemrc. You can also create /etc/gemrc if you prefer. For Windows XP, “home path” means C:\Documents and Settings\All Users\Application Data\gemrc. For Windows 7, C:\ProgramData\gemrc. (Suggested by Andrew Fallows in a Stack Overflow discussion).

This is only a workaround. A value of 0 is OpenSSL::SSL::VERIFY_NONE, so RubyGems stops checking server certificates altogether, which opens a possible security vulnerability (discussed here).

Be sure to try possible solutions suggested below. Please leave a comment if they work (or don’t).

Solutions for RVM

If you are using RVM, the newest version will install OpenSSL automatically. See the article Installing Rails. This may be the easiest solution.

Updating OpenSSL on Mac OS

Your Mac may have outdated versions of OpenSSL or certificate files.

Updating OpenSSL with Homebrew

$ openssl version
...
$ brew update
...
$ brew install openssl
==> Downloading http://openssl.org/source/openssl-1.0.1e.tar.gz
==> perl ./Configure --prefix=/usr/local/Cellar/openssl/1.0.1e --openssldir=/usr
==> make
==> make test
==> make install MANDIR=/usr/local/Cellar/openssl/1.0.1e/share/man MANSUFFIX=ssl
==> Caveats
To install updated CA certs from Mozilla.org:

    brew install curl-ca-bundle

This formula is keg-only: so it was not symlinked into /usr/local.

Mac OS X already provides this software and installing another version in
parallel can cause all kinds of trouble.

The OpenSSL provided by OS X is too old for some software.

Generally there are no consequences of this for you. If you build your
own software and it requires this formula, you'll need to add to your
build variables:

    LDFLAGS:  -L/usr/local/opt/openssl/lib
    CPPFLAGS: -I/usr/local/opt/openssl/include

==> Summary
/usr/local/Cellar/openssl/1.0.1e: 429 files, 15M, built in 3.9 minutes
$ brew link openssl --force
Linking /usr/local/Cellar/openssl/1.0.1e... 1139 symlinks created
$ brew install curl-ca-bundle
==> Downloading https://downloads.sourceforge.net/project/machomebrew/...
/usr/local/Cellar/curl-ca-bundle/1.87: 2 files, 252K, built in 5 seconds

Close and reopen your terminal (or reload your shell).

$ openssl version
OpenSSL 1.0.1e 11 Feb 2013

Doesn’t work for you? Please add to the comments below.

Updating OpenSSL with MacPorts

You can also try updating your OpenSSL library using MacPorts. You’ll need to install MacPorts first.

$ openssl version
$ sudo port sync; sudo port selfupdate; sudo port install openssl
...
$ openssl version
OpenSSL 1.0.1a 19 Apr 2012

Alternatively, some developers have suggested downloading an updated certificate file. This assumes you are using MacPorts and have a directory /opt/local/etc/openssl:

$ cd /opt/local/etc/openssl
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
$ sudo mv cacert.pem cert.pem

Doesn’t work for you? Please add to the comments below.

OpenSSL from Source

If you don’t want to use Homebrew or install MacPorts, you can compile OpenSSL from source:

curl -L -O http://www.openssl.org/source/openssl-1.0.1b.tar.gz.asc
curl -L -O http://www.openssl.org/source/openssl-1.0.1b.tar.gz
gpg --verify openssl-1.0.1b.tar.gz.asc
tar xvzf openssl-1.0.1b.tar.gz
cd openssl-1.0.1b
perl ./Configure shared zlib --prefix=/opt/local darwin64-x86_64-cc
make
make test
sudo make install

If you find that the problem is not resolved by updating OpenSSL, please leave a comment below.

Doesn’t work for you? Please add to the comments below.

Solution for Windows

Fletcher Nichol shows how to download a cacert.pem file and set an environment variable to install the certificate authorities needed by the OpenSSL library.

You can also try hacking the open-uri source: How to Use an Application Template from Github when You’re Developing in Rails on Windows

Any advice to offer? Please add to the comments below.

Solution for Ubuntu

Ubuntu’s custom build of OpenSSL failed against the SSL server configuration of the CloudFront service (Amazon Web Services) that hosts the RubyGems files.

For Ubuntu 12.04, the openssl 1.0.1-4ubuntu5 package fixes the problem. The problem should be resolved when you install the update.

Newer versions of Ubuntu should not have the problem.

Any advice to offer? Please add to the comments below.
