“Certificate verify failed” OpenSSL error when using Ruby 1.9.3

Question

I\'m using Ruby 1.9.3p0 on Mac OS 10.6.8 (installed using rvm). When I attempt to create a new Rails application using an application template hosted on GitHub, with this (f

Answer 1

It could possibly be because of how you built 1.9.2 and 1.9.3 — maybe whatever tool you used to build each configured things slightly differently. Or maybe they use different versions of OpenSSL.

Here is the only potentially relevant change I could spot to Net:HTTP between 1.9.2 and 1.9.3

 require 'net/protocol'
-autoload :OpenSSL, 'openssl'
 require 'uri'
+autoload :OpenSSL, 'openssl'

(if you want to view the diff...)

git clone https://github.com/ruby/ruby.git
cd ruby
git diff origin/ruby_1_9_2 origin/ruby_1_9_3 -- http.rb

Answer 2

I had the same problem, having compiled my RVM Ruby against an RVM install of OpenSSL. I moved the cacerts.pem file as downloaded by the original poster under ~/.rvm/usr/ssl/cert.pem to make the problem go away.

Answer 3

There are lots of moving parts involved in the correct answer. Depends on your OS, Ruby version, OpenSSL version, Rubygems version. I ended up writing an article after researching it. My article explains the reasons for the error, offers steps for further diagnosis, shows several workarounds, and suggests possible solutions. This will be helpful:

OpenSSL Errors and Rails – Certificate Verify Failed

There are also links to the relevant commits and issues on GitHub.

Answer 4

I had a similar issue but not on Rails, but on just Ruby on Windows. I resolved it by using the cacert.pem certificate and setting the location of the certificate to the environmental variable "SSL_CERT_FILE"

Detailed answer here: https://stackoverflow.com/a/35429863/4747587

Answer 5

Openssl certification directory is /usr/lib/ssl/ in Debian. So, following three lines was enough for me,

$ cd /usr/lib/ssl/
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
$ sudo mv cacert.pem cert.pem

Answer 6

For me this occurred on OS X with homebrew after updating to the latest RVM (rvm 1.20.12) and then installing ruby-1.9.3-p429. I could reproduce the issue simply by running:

$ rvm use ruby-1.9.3-p429
$ irb
1.9.3p429 :001 > require 'open-uri'; open 'https://google.com'
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/net/http.rb:800:in `connect'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/net/http.rb:800:in `block in connect'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/timeout.rb:55:in `timeout'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/timeout.rb:100:in `timeout'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/net/http.rb:800:in `connect'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/net/http.rb:756:in `do_start'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/net/http.rb:745:in `start'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:306:in `open_http'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:775:in `buffer_open'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:203:in `block in open_loop'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:201:in `catch'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:201:in `open_loop'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:146:in `open_uri'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:677:in `open'
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/lib/ruby/1.9.1/open-uri.rb:33:in `open'
    from (irb):1
    from /Users/lyahdav/.rvm/rubies/ruby-1.9.3-p429/bin/irb:16:in `<main>'1.9.3p429 :002 > 

The solution was similar to that in the question, but the path was wrong. Running this fixed it:

curl https://curl.haxx.se/ca/cacert.pem -o /usr/local/etc/openssl/cert.pem

The clue as to the correct path was that when I was installing ruby-1.9.3-p429 via RVM this showed in the output:

Certificates in '/usr/local/etc/openssl/cert.pem' already are up to date.

I had the /usr/local/etc/openssl path, but no cert.pem file in that directory, so I'm not sure why RVM claimed the certificates were up to date. It would be nice to know why I had to do this in first place, but I don't have time to investigate now.