I am using Authlogic-Connect for third party logins. After running appropriate migrations, Twitter/Google/yahoo logins seem to work fine but the facebook login throws exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The dev log shows
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
app/controllers/users_controller.rb:37:in `update'
Please suggest..
I ran into a similar problem when trying to use the JQuery generator for Rails 3
I solved it like this:
Get the CURL Certificate Authority (CA) bundle. You can do this with:
sudo port install curl-ca-bundle [if you are using MacPorts]
or just pull it down directly wget http://curl.haxx.se/ca/cacert.pem
Execute the ruby code that is trying to verify the SSL certification: SSL_CERT_FILE=/opt/local/etc/certs/cacert.pem rails generate jquery:install. In your case, you want to either set this as an environment variable somewhere the server picks it up or add something like ENV['SSL_CERT_FILE'] = /path/to/your/new/cacert.pem in your environment.rb file.
You can also just install the CA files (I haven't tried this) to the OS -- there are lengthy instructions here -- this should work in a similar fashion, but I have not tried this personally.
Basically, the issue you are hitting is that some web service is responding with a certificate signed against a CA that OpenSSL cannot verify.
If you're using RVM on OS X, you probably need to run this:
rvm osx-ssl-certs update all
More information here: http://rvm.io/support/fixing-broken-ssl-certificates
And here is the full explanation: https://github.com/wayneeseguin/rvm/blob/master/help/osx-ssl-certs.md
Update
On Ruby 2.2, you may have to reinstall Ruby from source to fix this. Here's how (replace 2.2.3 with your Ruby version):
rvm reinstall 2.2.3 --disable-binary
Credit to https://stackoverflow.com/a/32363597/4353 and Ian Connor.
Here's how you can fix it on Windows: https://gist.github.com/867550 (created by Fletcher Nichol)
Excerpt:
The Manual Way (Boring)
Download the cacert.pem file from http://curl.haxx.se/ca/cacert.pem. Save this file to C:\RailsInstaller\cacert.pem.
Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:
set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem
To make this a permanent setting, add this in your control panel.
Ruby can't find any root certificates to trust.
Take a look at this blog post for a solution: "Ruby 1.9 and the SSL error".
The solution is to install the curl-ca-bundle port which contains the same root certificates used by Firefox:
sudo port install curl-ca-bundle
and tell your https object to use it:
https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'
Note that if you want your code to run on Ubuntu, you need to set the ca_path attribute instead, with the default certificates location /etc/ssl/certs.
The reason that you get this error on OSX is the rvm-installed ruby.
If you run into this issue on OSX you can find a really broad explanation of it in this blog post:
http://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html
The short version is that, for some versions of Ruby, RVM downloads pre-compiled binaries, which look for certificates in the wrong location. By forcing RVM to download the source and compile on your own machine, you ensure that the configuration for the certificate location is correct.
The command to do this is:
rvm install 2.2.0 --disable-binary
if you already have the version in question, you can re-install it with:
rvm reinstall 2.2.0 --disable-binary
(obviously, substitute your ruby version as needed).
The issue is that ruby can not find a root certificate to trust. As of 1.9 ruby checks this. You will need to make sure that you have the curl certificate on your system in the form of a pem file. You will also need to make sure that the certificate is in the location that ruby expects it to be. You can get this certificate at...
http://curl.haxx.se/ca/cacert.pem
If your a RVM and OSX user then your certificate file location will vary based on what version of ruby your using. Setting the path explicitly with :ca_path is a BAD idea as your code will not be portable when it gets to production. There for you want to provide ruby with a certificate in the default location(and assume your dev ops guys know what they are doing). You can use dtruss to work out where the system is looking for the certificate file.
In my case the system was looking for the cert file in
/Users/stewart.matheson/.rvm/usr/ssl/cert.pem
however MACOSX system would expect a certificate in
/System/Library/OpenSSL/cert.pem
I copied the downloaded cert to this path and it worked. HTH
The new certified gem is designed to fix this:
https://github.com/stevegraham/certified
Just add gem 'certified' in your gemfile and run bundle install.
gem 'certified'
bundle install
On Mac OS X Lion with the latest macport:
sudo port install curl-ca-bundle
export SSL_CERT_FILE=/opt/local/share/curl/curl-ca-bundle.crt
Then, rerun the failed job.
Note, the cert file location seems to have changed since Eric G answered on May 12.
Here's another option for debugging purposes.
Be sure never to use this in any production environment, as it will negate benefits of using SSL in the first place. It is only ever valid to do this in your local development environment.
require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
A one liner fixes it for Windows in an Admin prompt
choco install wget (first see chocolatey.org)
wget http://curl.haxx.se/ca/cacert.pem -O C:\cacert.pem && setx /M SSL_CERT_FILE "C:\cacert.pem"
Or just do this:
gem sources -r https://rubygems.org/
gem sources -a http://rubygems.org/
Milanio's method:
gem sources -r https://rubygems.org
gem sources -a http://rubygems.org
gem update --system
gem sources -r http://rubygems.org
gem sources -a https://rubygems.org
gem install [NAME_OF_GEM]
Well this worked for me
rvm pkg install openssl
rvm reinstall 1.9.2 --with-openssl-dir=$rvm_path/usr
Something is wrong with openssl implementation of my ubuntu 12.04
While knowing it's rather a lame solution, I'm still sharing this because it seems like very few people answering here use Windows, and I think some of Windows users (me included) would appreciate a simple and intuitive approach.
require 'openssl'
puts OpenSSL::X509::DEFAULT_CERT_FILE
That tells where your openssl is looking for the cert file. My name is not Luis, but mine was C:/Users/Luis/Code/luislavena/knap-build/var/knapsack/software/x86-windows/openssl/1.0.0l/ssl/cert.pem. The path may be different depending on each own environments (e.g. openknapsack instead of luislavena).
The path didn't change even after set SSL_CERT_FILE=C:\foo\bar\baz\cert.pem via the console, so... I created the directory C:\Users\Luis\Code\luislavena\knap-build\var\knapsack\software\x86-windows\openssl\1.0.0l\ssl in my local disk and put a cert file into it.
Lame as it is, this will surely work.
I've try install curl-ca-bundle with brew, but the package is no available more:
$ brew install curl-ca-bundle
Error: No available formula for curl-ca-bundle
Searching formulae...
Searching taps...
The solution that worked to me on Mac was:
$ cd /usr/local/etc/openssl/certs/
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
Add this line in your ~/.bash_profile (or ~/.zshrc for zsh):
export SSL_CERT_FILE=/usr/local/etc/openssl/certs/cacert.pem
Then update your terminal:
$ source ~/.bash_profile
I had this same issue while working on a Ruby project. I am using Windows 7 64bit.
I resolved this by:
Downloading the cacert.pem file from http://curl.haxx.se/ca/cacert.pem.
Saved that file to C:/RubyCertificates/cacert.pem
Then set my environmental variable "SSL_CERT_FILE" to "C:\RubyCertificates\cacert.pem"
source: https://gist.github.com/fnichol/867550
The most straightforward answer which worked for me was this
sudo apt-get install openssl ca-certificates
And voila!!!
OS X 10.8.x with Homebrew:
brew install curl-ca-bundle
brew list curl-ca-bundle
cp /usr/local/Cellar/curl-ca-bundle/1.87/share/ca-bundle.crt /usr/local/etc/openssl/cert.pem
Then, as this blog post suggests,
"How to Cure Net::HTTP’s Risky Default HTTPS Behavior"
you might want to install the always_verify_ssl_certificates gem that allow you to set a default value for ca_file.
This worked for me. If you using rvm and brew:
rvm remove 1.9.3
brew install openssl
rvm install 1.9.3 --with-openssl-dir=`brew --prefix openssl`
I ran into this issue and the suggested fix of rvm osx-ssl-certs update all did not work despite that I am an RVM user on OSX.
The fix that worked for me was re-installing the latest version of openssl:
brew update
brew remove openssl
brew install openssl
I fixed this problem by running this in terminal. Full writeup is available over here
rvm install 2.2.0 --disable-binary
OSX solution:
install latest rvm stable version
rvm get stable
use rvm command to solve the certificates automatically
rvm osx-ssl-certs update all
If you are running your rails app locally then just add this line at the bottom of application.rb.
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
After this you can use the app without any issues. You may call it a hack but it is not recommended. Use only when you need to run locally
Here's what I did that helped if you are specifically having a problem on Leopard.
My cert was old and needed to be updated. I downloaded this:
http://curl.haxx.se/ca/cacert.pem
Then replaced my cert which was found here on Leopard:
/usr/share/curl/curl-ca-bundle.crt
Reload whatever you have that's accessing it and you should be good to go!
Just because instructions were a slight bit different for what worked for me, I thought I add my 2 cents:
I'm on OS X Lion and using macports and rvm
I installed curl-ca-bundle:
sudo port install curl-ca-bundle
Then I adjusted my omniauth config to be this:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :google_oauth2, APP_CONFIG['CONSUMER_KEY'], APP_CONFIG['CONSUMER_SECRET'],
:scope => 'https://www.google.com/m8/feeds https://www.googleapis.com/auth/userinfo.profile',
:ssl => {:ca_path => "/share/curl/curl-ca-bundle.crt"}
end
If you have a symbolic link in the /usr/local/etc/openssl pointing to cert.pem try to do this:
ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE" (should be /usr/local/etc/openssl)
cd /usr/local/etc/openssl
wget http://curl.haxx.se/ca/cacert.pem
ln -s cacert.pem 77ee3751.0 (77ee3751.0 is my symbolic link, should depend on the openssl version)
What worked for me is a combination of answers, namely:
# Reinstall OpenSSL
brew update
brew remove openssl
brew install openssl
# Download CURL CA bundle
cd /usr/local/etc/openssl/certs
wget http://curl.haxx.se/ca/cacert.pem
/usr/local/opt/openssl/bin/c_rehash
# Reinstall Ruby from source
rvm reinstall 2.2.3 --disable-binary
I had trouble for a number of days and was hacking around. This link proved out to be extremely helpful for me. It helped me to do a successful upgrade of the SSL on MAC OS X 9.
Sometime it's not always rvm's problem
in MAC OSX,if you remove .rvm,the problem still(espcially while you backup data from timemachine) ,you can try this way.
1.brew update
2.brew install openssl
Adding gem 'certified', '~> 1.0' to my Gemfile and running bundle solved this issue for me.
Related
I am using Authlogic-Connect for third party logins. After running appropriate migrations, Twitter/Google/yahoo logins seem to work fine but the facebook login throws exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The dev log shows
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
app/controllers/users_controller.rb:37:in `update'
Please suggest..
I ran into a similar problem when trying to use the JQuery generator for Rails 3
I solved it like this:
Get the CURL Certificate Authority (CA) bundle. You can do this with:
sudo port install curl-ca-bundle [if you are using MacPorts]
or just pull it down directly wget http://curl.haxx.se/ca/cacert.pem
Execute the ruby code that is trying to verify the SSL certification: SSL_CERT_FILE=/opt/local/etc/certs/cacert.pem rails generate jquery:install. In your case, you want to either set this as an environment variable somewhere the server picks it up or add something like ENV['SSL_CERT_FILE'] = /path/to/your/new/cacert.pem in your environment.rb file.
You can also just install the CA files (I haven't tried this) to the OS -- there are lengthy instructions here -- this should work in a similar fashion, but I have not tried this personally.
Basically, the issue you are hitting is that some web service is responding with a certificate signed against a CA that OpenSSL cannot verify.
If you're using RVM on OS X, you probably need to run this:
rvm osx-ssl-certs update all
More information here: http://rvm.io/support/fixing-broken-ssl-certificates
And here is the full explanation: https://github.com/wayneeseguin/rvm/blob/master/help/osx-ssl-certs.md
Update
On Ruby 2.2, you may have to reinstall Ruby from source to fix this. Here's how (replace 2.2.3 with your Ruby version):
rvm reinstall 2.2.3 --disable-binary
Credit to https://stackoverflow.com/a/32363597/4353 and Ian Connor.
Here's how you can fix it on Windows: https://gist.github.com/867550 (created by Fletcher Nichol)
Excerpt:
The Manual Way (Boring)
Download the cacert.pem file from http://curl.haxx.se/ca/cacert.pem. Save this file to C:\RailsInstaller\cacert.pem.
Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:
set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem
To make this a permanent setting, add this in your control panel.
Ruby can't find any root certificates to trust.
Take a look at this blog post for a solution: "Ruby 1.9 and the SSL error".
The solution is to install the curl-ca-bundle port which contains the same root certificates used by Firefox:
sudo port install curl-ca-bundle
and tell your https object to use it:
https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'
Note that if you want your code to run on Ubuntu, you need to set the ca_path attribute instead, with the default certificates location /etc/ssl/certs.
The reason that you get this error on OSX is the rvm-installed ruby.
If you run into this issue on OSX you can find a really broad explanation of it in this blog post:
http://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html
The short version is that, for some versions of Ruby, RVM downloads pre-compiled binaries, which look for certificates in the wrong location. By forcing RVM to download the source and compile on your own machine, you ensure that the configuration for the certificate location is correct.
The command to do this is:
rvm install 2.2.0 --disable-binary
if you already have the version in question, you can re-install it with:
rvm reinstall 2.2.0 --disable-binary
(obviously, substitute your ruby version as needed).
The issue is that ruby can not find a root certificate to trust. As of 1.9 ruby checks this. You will need to make sure that you have the curl certificate on your system in the form of a pem file. You will also need to make sure that the certificate is in the location that ruby expects it to be. You can get this certificate at...
http://curl.haxx.se/ca/cacert.pem
If your a RVM and OSX user then your certificate file location will vary based on what version of ruby your using. Setting the path explicitly with :ca_path is a BAD idea as your code will not be portable when it gets to production. There for you want to provide ruby with a certificate in the default location(and assume your dev ops guys know what they are doing). You can use dtruss to work out where the system is looking for the certificate file.
In my case the system was looking for the cert file in
/Users/stewart.matheson/.rvm/usr/ssl/cert.pem
however MACOSX system would expect a certificate in
/System/Library/OpenSSL/cert.pem
I copied the downloaded cert to this path and it worked. HTH
The new certified gem is designed to fix this:
https://github.com/stevegraham/certified
Just add gem 'certified' in your gemfile and run bundle install.
gem 'certified'
bundle install
On Mac OS X Lion with the latest macport:
sudo port install curl-ca-bundle
export SSL_CERT_FILE=/opt/local/share/curl/curl-ca-bundle.crt
Then, rerun the failed job.
Note, the cert file location seems to have changed since Eric G answered on May 12.
Here's another option for debugging purposes.
Be sure never to use this in any production environment, as it will negate benefits of using SSL in the first place. It is only ever valid to do this in your local development environment.
require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
A one liner fixes it for Windows in an Admin prompt
choco install wget (first see chocolatey.org)
wget http://curl.haxx.se/ca/cacert.pem -O C:\cacert.pem && setx /M SSL_CERT_FILE "C:\cacert.pem"
Or just do this:
gem sources -r https://rubygems.org/
gem sources -a http://rubygems.org/
Milanio's method:
gem sources -r https://rubygems.org
gem sources -a http://rubygems.org
gem update --system
gem sources -r http://rubygems.org
gem sources -a https://rubygems.org
gem install [NAME_OF_GEM]
Well this worked for me
rvm pkg install openssl
rvm reinstall 1.9.2 --with-openssl-dir=$rvm_path/usr
Something is wrong with openssl implementation of my ubuntu 12.04
While knowing it's rather a lame solution, I'm still sharing this because it seems like very few people answering here use Windows, and I think some of Windows users (me included) would appreciate a simple and intuitive approach.
require 'openssl'
puts OpenSSL::X509::DEFAULT_CERT_FILE
That tells where your openssl is looking for the cert file. My name is not Luis, but mine was C:/Users/Luis/Code/luislavena/knap-build/var/knapsack/software/x86-windows/openssl/1.0.0l/ssl/cert.pem. The path may be different depending on each own environments (e.g. openknapsack instead of luislavena).
The path didn't change even after set SSL_CERT_FILE=C:\foo\bar\baz\cert.pem via the console, so... I created the directory C:\Users\Luis\Code\luislavena\knap-build\var\knapsack\software\x86-windows\openssl\1.0.0l\ssl in my local disk and put a cert file into it.
Lame as it is, this will surely work.
I've try install curl-ca-bundle with brew, but the package is no available more:
$ brew install curl-ca-bundle
Error: No available formula for curl-ca-bundle
Searching formulae...
Searching taps...
The solution that worked to me on Mac was:
$ cd /usr/local/etc/openssl/certs/
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
Add this line in your ~/.bash_profile (or ~/.zshrc for zsh):
export SSL_CERT_FILE=/usr/local/etc/openssl/certs/cacert.pem
Then update your terminal:
$ source ~/.bash_profile
I had this same issue while working on a Ruby project. I am using Windows 7 64bit.
I resolved this by:
Downloading the cacert.pem file from http://curl.haxx.se/ca/cacert.pem.
Saved that file to C:/RubyCertificates/cacert.pem
Then set my environmental variable "SSL_CERT_FILE" to "C:\RubyCertificates\cacert.pem"
source: https://gist.github.com/fnichol/867550
The most straightforward answer which worked for me was this
sudo apt-get install openssl ca-certificates
And voila!!!
OS X 10.8.x with Homebrew:
brew install curl-ca-bundle
brew list curl-ca-bundle
cp /usr/local/Cellar/curl-ca-bundle/1.87/share/ca-bundle.crt /usr/local/etc/openssl/cert.pem
Then, as this blog post suggests,
"How to Cure Net::HTTP’s Risky Default HTTPS Behavior"
you might want to install the always_verify_ssl_certificates gem that allow you to set a default value for ca_file.
This worked for me. If you using rvm and brew:
rvm remove 1.9.3
brew install openssl
rvm install 1.9.3 --with-openssl-dir=`brew --prefix openssl`
I ran into this issue and the suggested fix of rvm osx-ssl-certs update all did not work despite that I am an RVM user on OSX.
The fix that worked for me was re-installing the latest version of openssl:
brew update
brew remove openssl
brew install openssl
I fixed this problem by running this in terminal. Full writeup is available over here
rvm install 2.2.0 --disable-binary
OSX solution:
install latest rvm stable version
rvm get stable
use rvm command to solve the certificates automatically
rvm osx-ssl-certs update all
If you are running your rails app locally then just add this line at the bottom of application.rb.
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
After this you can use the app without any issues. You may call it a hack but it is not recommended. Use only when you need to run locally
Here's what I did that helped if you are specifically having a problem on Leopard.
My cert was old and needed to be updated. I downloaded this:
http://curl.haxx.se/ca/cacert.pem
Then replaced my cert which was found here on Leopard:
/usr/share/curl/curl-ca-bundle.crt
Reload whatever you have that's accessing it and you should be good to go!
Just because instructions were a slight bit different for what worked for me, I thought I add my 2 cents:
I'm on OS X Lion and using macports and rvm
I installed curl-ca-bundle:
sudo port install curl-ca-bundle
Then I adjusted my omniauth config to be this:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :google_oauth2, APP_CONFIG['CONSUMER_KEY'], APP_CONFIG['CONSUMER_SECRET'],
:scope => 'https://www.google.com/m8/feeds https://www.googleapis.com/auth/userinfo.profile',
:ssl => {:ca_path => "/share/curl/curl-ca-bundle.crt"}
end
If you have a symbolic link in the /usr/local/etc/openssl pointing to cert.pem try to do this:
ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE" (should be /usr/local/etc/openssl)
cd /usr/local/etc/openssl
wget http://curl.haxx.se/ca/cacert.pem
ln -s cacert.pem 77ee3751.0 (77ee3751.0 is my symbolic link, should depend on the openssl version)
What worked for me is a combination of answers, namely:
# Reinstall OpenSSL
brew update
brew remove openssl
brew install openssl
# Download CURL CA bundle
cd /usr/local/etc/openssl/certs
wget http://curl.haxx.se/ca/cacert.pem
/usr/local/opt/openssl/bin/c_rehash
# Reinstall Ruby from source
rvm reinstall 2.2.3 --disable-binary
I had trouble for a number of days and was hacking around. This link proved out to be extremely helpful for me. It helped me to do a successful upgrade of the SSL on MAC OS X 9.
Sometime it's not always rvm's problem
in MAC OSX,if you remove .rvm,the problem still(espcially while you backup data from timemachine) ,you can try this way.
1.brew update
2.brew install openssl
Adding gem 'certified', '~> 1.0' to my Gemfile and running bundle solved this issue for me.
I am trying to do the Michael Hartl tutorial. When I attempt to install rails 3.2.14 in my gemset, I get the following issue:
$ gem install rails -v 3.2.14
ERROR: Could not find a valid gem 'rails' (= 3.2.14), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://s3.amazonaws.com/production.s3.rubygems.org/specs.4.8.gz)
After Googling around, I found that I could use a non-SSL source for rubygems so I ran:
sudo gem sources -a http://rubygems.org
Then, when I tried to install rails again, it was successful. However, I still got the issue above but as a warning:
WARNING: Unable to pull data from 'https://rubygems.org/': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://s3.amazonaws.com/production.s3.rubygems.org/specs.4.8.gz)
How can I remove this warning/error entirely?
I am using the following:
rvm 1.22.15
ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-darwin12.3.0]
OSX 10.8.5
For RVM & OSX users
Make sure you use latest rvm:
rvm get stable
Then you can do two things:
Update certificates:
rvm osx-ssl-certs update all
Update rubygems:
rvm rubygems latest
For non RVM users
Find path for certificate:
cert_file=$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE')
Generate certificate:
security find-certificate -a -p /Library/Keychains/System.keychain > "$cert_file"
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> "$cert_file"
The whole code: https://github.com/wayneeseguin/rvm/blob/master/scripts/functions/osx-ssl-certs
For non OSX users
Make sure to update package ca-certificates. (on old systems it might not be available - do not use an old system which does not receive security updates any more)
Windows note
The Ruby Installer builds for windows are prepared by Luis Lavena and the path to certificates will be showing something like C:/Users/Luis/... check https://github.com/oneclick/rubyinstaller/issues/249 for more details and this answer https://stackoverflow.com/a/27298259/497756 for fix.
Latest findings...
https://gist.github.com/luislavena/f064211759ee0f806c88
Most importantly...download
https://raw.githubusercontent.com/rubygems/rubygems/master/lib/rubygems/ssl_certs/rubygems.org/AddTrustExternalCARoot-2048.pem
Figure out where to stick it
C:\>gem which rubygems
C:/Ruby21/lib/ruby/2.1.0/rubygems.rb
Then just copy the .pem file in ../2.1.0/rubygems/ssl_certs/ and go on about your business.
For windows users
Goto link http://rubygems.org/pages/download
Download the latest zip file (In my case 2.4.5)
Unzip it
run "ruby setup.rb" in unzipped folder
now run gem install command
If you want to use the non-SSL source, try removing the HTTPS source first, and then adding the HTTP one:
sudo gem sources -r https://rubygems.org
sudo gem sources -a http://rubygems.org
UPDATE:
As mpapis states, this should be used only as a temporary workaround. There could be some security concerns if you're accessing RubyGems through the non-SSL source.
Once the workaround is not needed anymore, you should restore the SSL-source:
sudo gem sources -r http://rubygems.org
sudo gem sources -a https://rubygems.org
On Windows you'll have to use HTTP source to update gem then change back to using HTTPS.
gem sources -r https://rubygems.org/
gem sources -a http://rubygems.org/
gem update --system
gem sources -r http://rubygems.org/
gem sources -a https://rubygems.org/
Edit: Warning I'm not sure if this is safe. Does anyone know if ruby packages are signed? The accepted answer looks like a better solution.
For Windows Users (and maybe others)
Rubygems.org has a guide that not only explains how to fix this problem, but also why so many people are having it: SSL Certificate Update
The reason for the problem is rubygems.org switched to a more secure SSL certificate (SHA-2 which use 256bit encryption). The rubygems command line tool bundles the reference to the correct certificate. Therefore rubygems itself can’t be updated using an older version of rubygems. Rubygems must first be updated manually.
First find out what rubygems you have:
rubygems –v
Depending on whether you have a 1.8.x, 2.0.x or 2.2.x, you will need to download an update gem, named “rubygems-update-X.Y.Z.gem”, where X.Y.Z is the version you need.
Running 1.8.x: download: https://github.com/rubygems/rubygems/releases/tag/v1.8.30
Running 2.0.x: download: https://github.com/rubygems/rubygems/releases/tag/v2.0.15
Running 2.2.x: download: https://github.com/rubygems/rubygems/releases/tag/v2.2.3
Install update gem:
gem install –-local full_path_to_the_gem_file
Run update gem:
update_rubygems --no-ri --no-rdoc
Check that rubygems was updated:
rubygems –v
Uninstall update gem:
gem uninstall rubygems-update -x
At this point, you may be OK. But it is possible that you do not have the latest public key file for the new certificate. To do this:
Download the latest certificate, (currently AddTrustExternalCARoot-2048.pem)
from https://rubygems.org/pages/download.
All of the certs are also located at: https://github.com/rubygems/rubygems/tree/master/lib/rubygems/ssl_certs
Find out where to put it:
gem which rubygems
Put this file in the “rubygems\ssl_certs” directory at this location.
As per rubygems commit, the certificates are moved to more specific directories. Thus, currently the certificate(AddTrustExternalCARoot-2048.pem) is expected to be on the following path lib/rubygems/ssl_certs/rubygems.org/AddTrustExternalCARoot-2048.pem
Try to use the source website for the gems, i.e rubygems.org. Use http instead of https. This method does not involve any work such as installing certs and all that.
Example -
gem install typhoeus --source http://rubygems.org
This works, but there is one caveat though.
The gem is installed, but the documentation is not because of cert errors. Here is the error I get
Parsing documentation for typhoeus-0.7.0 WARNING: Unable to pull
data from 'https://rubygems.org/': SSL_connect returned=1 errno=0
state=SSLv3 read server certificate B: certificate verify failed
(https://rubygems.org/latest_specs.4.8.gz)
Running gem update --system worked for me
Make sure your system clock is correct
This exact error happened to me today on an Ubuntu virtual machine running on VirtualBox. I tried most of the solutions shown above before I noticed that I had resumed from a very old suspended state, and my clock was off by many days.
Updating the clock immediately fixed my issue. Here's the command I used in my case:
sudo service ntp stop && sudo ntpdate pool.ntp.org && sudo service ntp start
Simply uninstalling and reinstalling openssl with homebrew solved this issue for me.
brew uninstall --force openssl
brew install openssl
For Fedora users
Update the cert.pem to newest file that provide by cURL: http://curl.haxx.se/ca/cacert.pem
curl -o `ruby -ropenssl -e 'p OpenSSL::X509::DEFAULT_CERT_FILE' |tr -d \"` http://curl.haxx.se/ca/cacert.pem
If you are using windows, open https://rubygems.org/ with internet explorer.
Click on security information and import the certificate. The bottom line is your certification chain is outdated and you need to add this new certificate. Remember that this is not a security violation as long as you can validate the certificate as trusted.
Approach/one-liner that can be automated to download gems using HTTP instead of HTTPS:
printf -- '---\n:sources:\n- http://rubygems.org\n' | tee ~/.gemrc
In my case, the Ubuntu CA certificates were out of date. I fixed it by running:
sudo update-ca-certificates
Download the cacert.pem file from http://curl.haxx.se/ca/cacert.pem. Save this file to C:\RailsInstaller\cacert.pem.
Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:
set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem
The particular case of RubyGems (the command line tool) is that it requires to bundle inside of its code the trust certificates, which allow RubyGems to establish a connection with the servers even when base operating system is unable to verify the identity of them.
Up until a few months ago, this certificate was provided by one CA, but newer certificate is provided by a different one.
Because of this, existing installations of RubyGems would have to been updated before the switch of the certificate and give enough time for the change to spread (and people to update)
Anyone can find his solution by following the simple steps given in the link below
https://gist.github.com/luislavena/f064211759ee0f806c88
Try
gem update --system
Hope it solves the problem.
For Windows, I followed https://gist.github.com/fnichol/867550.
I had to manually download the "cacert.pem" file. (go to https://curl.se/docs/caextract.html.)
Put it in any folder it won't be deleted from or with.
Make sure you add it to your systems Environment variables!!!
I did this (in Windows 10) via the control panel (select User Accounts) where there is an option to "Change my environment variables". Create a new variable and set the value as the path and filename!
var name SSL_CERT_FILE
var value C:\{your_dir}\cacert.pem
This will ensure it remains visible/useable every time you need it (i.e., every command window you open)!
I had same problem while trying to install cucumber gem. However I noticed that bundler gem already installed with ruby 2.0.
I created a Gemfile.rb in the project folder with required gems and followed this steps
Navigate to project folder
Type bundle install
All the required gems installed.
For Illumos / Solaris using OpenCSW pkgutil:
Install CSWcacertificates prior to 'gem install'
pkgutil -yi CSWcacertificates
If you're using a ruby kit that's not from OpenCSW, your ruby version may expect to find the certificate file in another place. In this case, I simply symlinked OpenCSW's /etc/opt/csw/ssl/cert.pem to the expected place.
Check where ruby expects to find it :
export cf=`ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'` && echo $cf
Then, if there's a discrepancy, link it:
ln -s /etc/opt/csw/ssl/cert.pem $cf && file $cf
Or may be prevented by firewall like me. Try this:
sudo gem install --http-proxy http://localhost:port cocoapods -V
For Windows user:
After installing Ruby 2.2.3 (+ rubygems 2.5.1) successfully on a test machine with access to the internet, I had this SSL error when I installed bundler on a production machine, within the network.
As I had network access limitations, and there was no way to change the settings for SSL access, and based on the error messages, I performed the steps below to be able to finish the installation of the bundler
(this may sound crazy, but it worked...).
Through a machine with unrestricted access to the internet, downloaded the following files:
spec.4.8.gz (http://rubygems.global.ssl.fastly.net/spec.4.8.gz)
latest_specs.4.8.gz (http://rubygems.global.ssl.fastly.net/latest_specs.4.8.gz)
bundler-1.11.2.gemspec.rz (http://rubygems.global.ssl.fastly.net/quick/Marshal.4.8/bundler-1.11.2.gemspec.rz)
bundler-1.11.2.gem (http://rubygems.global.ssl.fastly.net/gems/bundler-1.11.2.gem)
I added these files on an intranet server, keeping the folder structure of the links above:
$INTRANET_HOME
spec.4.8.gz e latest_specs.4.8.gz
$INTRANET_HOME\quick\Marshal.4.8
bundler-1.11.2.gemspec.rz
$INTRANET_HOME\gems
bundler-1.11.2.gem
Then I added my intranet to access gem source:
gem sources -a http://mydomain.com.br
I have run with the success the "gem install bundler" after installation, all it took was remove my intranet of the gem:
gem sources -r http://mydomain.com.br
I hope that is useful in any similar situation....
As a Windows 10 user, I followed Dheerendra's answer, and it worked for me one day. The next day, I experienced the issue again, and his fix didn't work. For me, the fix was to update bundler with:
gem update bundler
I believe my version of bundler was more than a few months old.
Make sure of that you have installed ruby with --disable-binary option,
if not, uninstall it and reinstall it with the option.
more info here
The answer is no longer valid. Since I have encountered the issue with older Windows ruby right now. I'll post the answer:
When I wanted to install an activesupport gem:
gem in activesupport --version 5.1.6
ERROR: Could not find a valid gem 'activesupport' (= 5.1.6), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B
: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)
The following steps need to copy only the certificates from newer windows ruby.
Take the latest ruby (or at least ruby 2.4.0) and do the following:
copy certificates from these directories (adjust to your needs):
C:\prg_sdk\rubies\Ruby-2.4\lib\ruby\2.4.0\rubygems\ssl_certs\rubygems.org
C:\prg_sdk\rubies\Ruby-2.4\lib\ruby\2.4.0\rubygems\ssl_certs\index.rubygems.org
to destination (again adjust to what you need):
C:\prg_sdk\rubies\Ruby231-p112-x64\lib\ruby\2.3.0\rubygems\ssl_certs
go to rubygems and download the latest version works for me. I'm using windows.
I am using Authlogic-Connect for third party logins. After running appropriate migrations, Twitter/Google/yahoo logins seem to work fine but the facebook login throws exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The dev log shows
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
app/controllers/users_controller.rb:37:in `update'
Please suggest..
I ran into a similar problem when trying to use the JQuery generator for Rails 3
I solved it like this:
Get the CURL Certificate Authority (CA) bundle. You can do this with:
sudo port install curl-ca-bundle [if you are using MacPorts]
or just pull it down directly wget http://curl.haxx.se/ca/cacert.pem
Execute the ruby code that is trying to verify the SSL certification: SSL_CERT_FILE=/opt/local/etc/certs/cacert.pem rails generate jquery:install. In your case, you want to either set this as an environment variable somewhere the server picks it up or add something like ENV['SSL_CERT_FILE'] = /path/to/your/new/cacert.pem in your environment.rb file.
You can also just install the CA files (I haven't tried this) to the OS -- there are lengthy instructions here -- this should work in a similar fashion, but I have not tried this personally.
Basically, the issue you are hitting is that some web service is responding with a certificate signed against a CA that OpenSSL cannot verify.
If you're using RVM on OS X, you probably need to run this:
rvm osx-ssl-certs update all
More information here: http://rvm.io/support/fixing-broken-ssl-certificates
And here is the full explanation: https://github.com/wayneeseguin/rvm/blob/master/help/osx-ssl-certs.md
Update
On Ruby 2.2, you may have to reinstall Ruby from source to fix this. Here's how (replace 2.2.3 with your Ruby version):
rvm reinstall 2.2.3 --disable-binary
Credit to https://stackoverflow.com/a/32363597/4353 and Ian Connor.
Here's how you can fix it on Windows: https://gist.github.com/867550 (created by Fletcher Nichol)
Excerpt:
The Manual Way (Boring)
Download the cacert.pem file from http://curl.haxx.se/ca/cacert.pem. Save this file to C:\RailsInstaller\cacert.pem.
Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:
set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem
To make this a permanent setting, add this in your control panel.
Ruby can't find any root certificates to trust.
Take a look at this blog post for a solution: "Ruby 1.9 and the SSL error".
The solution is to install the curl-ca-bundle port which contains the same root certificates used by Firefox:
sudo port install curl-ca-bundle
and tell your https object to use it:
https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'
Note that if you want your code to run on Ubuntu, you need to set the ca_path attribute instead, with the default certificates location /etc/ssl/certs.
The reason that you get this error on OSX is the rvm-installed ruby.
If you run into this issue on OSX you can find a really broad explanation of it in this blog post:
http://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html
The short version is that, for some versions of Ruby, RVM downloads pre-compiled binaries, which look for certificates in the wrong location. By forcing RVM to download the source and compile on your own machine, you ensure that the configuration for the certificate location is correct.
The command to do this is:
rvm install 2.2.0 --disable-binary
if you already have the version in question, you can re-install it with:
rvm reinstall 2.2.0 --disable-binary
(obviously, substitute your ruby version as needed).
The issue is that ruby can not find a root certificate to trust. As of 1.9 ruby checks this. You will need to make sure that you have the curl certificate on your system in the form of a pem file. You will also need to make sure that the certificate is in the location that ruby expects it to be. You can get this certificate at...
http://curl.haxx.se/ca/cacert.pem
If your a RVM and OSX user then your certificate file location will vary based on what version of ruby your using. Setting the path explicitly with :ca_path is a BAD idea as your code will not be portable when it gets to production. There for you want to provide ruby with a certificate in the default location(and assume your dev ops guys know what they are doing). You can use dtruss to work out where the system is looking for the certificate file.
In my case the system was looking for the cert file in
/Users/stewart.matheson/.rvm/usr/ssl/cert.pem
however MACOSX system would expect a certificate in
/System/Library/OpenSSL/cert.pem
I copied the downloaded cert to this path and it worked. HTH
The new certified gem is designed to fix this:
https://github.com/stevegraham/certified
Just add gem 'certified' in your gemfile and run bundle install.
gem 'certified'
bundle install
On Mac OS X Lion with the latest macport:
sudo port install curl-ca-bundle
export SSL_CERT_FILE=/opt/local/share/curl/curl-ca-bundle.crt
Then, rerun the failed job.
Note, the cert file location seems to have changed since Eric G answered on May 12.
Here's another option for debugging purposes.
Be sure never to use this in any production environment, as it will negate benefits of using SSL in the first place. It is only ever valid to do this in your local development environment.
require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
A one liner fixes it for Windows in an Admin prompt
choco install wget (first see chocolatey.org)
wget http://curl.haxx.se/ca/cacert.pem -O C:\cacert.pem && setx /M SSL_CERT_FILE "C:\cacert.pem"
Or just do this:
gem sources -r https://rubygems.org/
gem sources -a http://rubygems.org/
Milanio's method:
gem sources -r https://rubygems.org
gem sources -a http://rubygems.org
gem update --system
gem sources -r http://rubygems.org
gem sources -a https://rubygems.org
gem install [NAME_OF_GEM]
Well this worked for me
rvm pkg install openssl
rvm reinstall 1.9.2 --with-openssl-dir=$rvm_path/usr
Something is wrong with openssl implementation of my ubuntu 12.04
While knowing it's rather a lame solution, I'm still sharing this because it seems like very few people answering here use Windows, and I think some of Windows users (me included) would appreciate a simple and intuitive approach.
require 'openssl'
puts OpenSSL::X509::DEFAULT_CERT_FILE
That tells where your openssl is looking for the cert file. My name is not Luis, but mine was C:/Users/Luis/Code/luislavena/knap-build/var/knapsack/software/x86-windows/openssl/1.0.0l/ssl/cert.pem. The path may be different depending on each own environments (e.g. openknapsack instead of luislavena).
The path didn't change even after set SSL_CERT_FILE=C:\foo\bar\baz\cert.pem via the console, so... I created the directory C:\Users\Luis\Code\luislavena\knap-build\var\knapsack\software\x86-windows\openssl\1.0.0l\ssl in my local disk and put a cert file into it.
Lame as it is, this will surely work.
I've try install curl-ca-bundle with brew, but the package is no available more:
$ brew install curl-ca-bundle
Error: No available formula for curl-ca-bundle
Searching formulae...
Searching taps...
The solution that worked to me on Mac was:
$ cd /usr/local/etc/openssl/certs/
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
Add this line in your ~/.bash_profile (or ~/.zshrc for zsh):
export SSL_CERT_FILE=/usr/local/etc/openssl/certs/cacert.pem
Then update your terminal:
$ source ~/.bash_profile
I had this same issue while working on a Ruby project. I am using Windows 7 64bit.
I resolved this by:
Downloading the cacert.pem file from http://curl.haxx.se/ca/cacert.pem.
Saved that file to C:/RubyCertificates/cacert.pem
Then set my environmental variable "SSL_CERT_FILE" to "C:\RubyCertificates\cacert.pem"
source: https://gist.github.com/fnichol/867550
The most straightforward answer which worked for me was this
sudo apt-get install openssl ca-certificates
And voila!!!
OS X 10.8.x with Homebrew:
brew install curl-ca-bundle
brew list curl-ca-bundle
cp /usr/local/Cellar/curl-ca-bundle/1.87/share/ca-bundle.crt /usr/local/etc/openssl/cert.pem
Then, as this blog post suggests,
"How to Cure Net::HTTP’s Risky Default HTTPS Behavior"
you might want to install the always_verify_ssl_certificates gem that allow you to set a default value for ca_file.
This worked for me. If you using rvm and brew:
rvm remove 1.9.3
brew install openssl
rvm install 1.9.3 --with-openssl-dir=`brew --prefix openssl`
I ran into this issue and the suggested fix of rvm osx-ssl-certs update all did not work despite that I am an RVM user on OSX.
The fix that worked for me was re-installing the latest version of openssl:
brew update
brew remove openssl
brew install openssl
I fixed this problem by running this in terminal. Full writeup is available over here
rvm install 2.2.0 --disable-binary
OSX solution:
install latest rvm stable version
rvm get stable
use rvm command to solve the certificates automatically
rvm osx-ssl-certs update all
If you are running your rails app locally then just add this line at the bottom of application.rb.
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
After this you can use the app without any issues. You may call it a hack but it is not recommended. Use only when you need to run locally
Here's what I did that helped if you are specifically having a problem on Leopard.
My cert was old and needed to be updated. I downloaded this:
http://curl.haxx.se/ca/cacert.pem
Then replaced my cert which was found here on Leopard:
/usr/share/curl/curl-ca-bundle.crt
Reload whatever you have that's accessing it and you should be good to go!
Just because instructions were a slight bit different for what worked for me, I thought I add my 2 cents:
I'm on OS X Lion and using macports and rvm
I installed curl-ca-bundle:
sudo port install curl-ca-bundle
Then I adjusted my omniauth config to be this:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :google_oauth2, APP_CONFIG['CONSUMER_KEY'], APP_CONFIG['CONSUMER_SECRET'],
:scope => 'https://www.google.com/m8/feeds https://www.googleapis.com/auth/userinfo.profile',
:ssl => {:ca_path => "/share/curl/curl-ca-bundle.crt"}
end
If you have a symbolic link in the /usr/local/etc/openssl pointing to cert.pem try to do this:
ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE" (should be /usr/local/etc/openssl)
cd /usr/local/etc/openssl
wget http://curl.haxx.se/ca/cacert.pem
ln -s cacert.pem 77ee3751.0 (77ee3751.0 is my symbolic link, should depend on the openssl version)
What worked for me is a combination of answers, namely:
# Reinstall OpenSSL
brew update
brew remove openssl
brew install openssl
# Download CURL CA bundle
cd /usr/local/etc/openssl/certs
wget http://curl.haxx.se/ca/cacert.pem
/usr/local/opt/openssl/bin/c_rehash
# Reinstall Ruby from source
rvm reinstall 2.2.3 --disable-binary
I had trouble for a number of days and was hacking around. This link proved out to be extremely helpful for me. It helped me to do a successful upgrade of the SSL on MAC OS X 9.
Sometime it's not always rvm's problem
in MAC OSX,if you remove .rvm,the problem still(espcially while you backup data from timemachine) ,you can try this way.
1.brew update
2.brew install openssl
Adding gem 'certified', '~> 1.0' to my Gemfile and running bundle solved this issue for me.
I am trying to do the Michael Hartl tutorial. When I attempt to install rails 3.2.14 in my gemset, I get the following issue:
$ gem install rails -v 3.2.14
ERROR: Could not find a valid gem 'rails' (= 3.2.14), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://s3.amazonaws.com/production.s3.rubygems.org/specs.4.8.gz)
After Googling around, I found that I could use a non-SSL source for rubygems so I ran:
sudo gem sources -a http://rubygems.org
Then, when I tried to install rails again, it was successful. However, I still got the issue above but as a warning:
WARNING: Unable to pull data from 'https://rubygems.org/': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://s3.amazonaws.com/production.s3.rubygems.org/specs.4.8.gz)
How can I remove this warning/error entirely?
I am using the following:
rvm 1.22.15
ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-darwin12.3.0]
OSX 10.8.5
For RVM & OSX users
Make sure you use latest rvm:
rvm get stable
Then you can do two things:
Update certificates:
rvm osx-ssl-certs update all
Update rubygems:
rvm rubygems latest
For non RVM users
Find path for certificate:
cert_file=$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE')
Generate certificate:
security find-certificate -a -p /Library/Keychains/System.keychain > "$cert_file"
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> "$cert_file"
The whole code: https://github.com/wayneeseguin/rvm/blob/master/scripts/functions/osx-ssl-certs
For non OSX users
Make sure to update package ca-certificates. (on old systems it might not be available - do not use an old system which does not receive security updates any more)
Windows note
The Ruby Installer builds for windows are prepared by Luis Lavena and the path to certificates will be showing something like C:/Users/Luis/... check https://github.com/oneclick/rubyinstaller/issues/249 for more details and this answer https://stackoverflow.com/a/27298259/497756 for fix.
Latest findings...
https://gist.github.com/luislavena/f064211759ee0f806c88
Most importantly...download
https://raw.githubusercontent.com/rubygems/rubygems/master/lib/rubygems/ssl_certs/rubygems.org/AddTrustExternalCARoot-2048.pem
Figure out where to stick it
C:\>gem which rubygems
C:/Ruby21/lib/ruby/2.1.0/rubygems.rb
Then just copy the .pem file in ../2.1.0/rubygems/ssl_certs/ and go on about your business.
For windows users
Goto link http://rubygems.org/pages/download
Download the latest zip file (In my case 2.4.5)
Unzip it
run "ruby setup.rb" in unzipped folder
now run gem install command
If you want to use the non-SSL source, try removing the HTTPS source first, and then adding the HTTP one:
sudo gem sources -r https://rubygems.org
sudo gem sources -a http://rubygems.org
UPDATE:
As mpapis states, this should be used only as a temporary workaround. There could be some security concerns if you're accessing RubyGems through the non-SSL source.
Once the workaround is not needed anymore, you should restore the SSL-source:
sudo gem sources -r http://rubygems.org
sudo gem sources -a https://rubygems.org
On Windows you'll have to use HTTP source to update gem then change back to using HTTPS.
gem sources -r https://rubygems.org/
gem sources -a http://rubygems.org/
gem update --system
gem sources -r http://rubygems.org/
gem sources -a https://rubygems.org/
Edit: Warning I'm not sure if this is safe. Does anyone know if ruby packages are signed? The accepted answer looks like a better solution.
For Windows Users (and maybe others)
Rubygems.org has a guide that not only explains how to fix this problem, but also why so many people are having it: SSL Certificate Update
The reason for the problem is rubygems.org switched to a more secure SSL certificate (SHA-2 which use 256bit encryption). The rubygems command line tool bundles the reference to the correct certificate. Therefore rubygems itself can’t be updated using an older version of rubygems. Rubygems must first be updated manually.
First find out what rubygems you have:
rubygems –v
Depending on whether you have a 1.8.x, 2.0.x or 2.2.x, you will need to download an update gem, named “rubygems-update-X.Y.Z.gem”, where X.Y.Z is the version you need.
Running 1.8.x: download: https://github.com/rubygems/rubygems/releases/tag/v1.8.30
Running 2.0.x: download: https://github.com/rubygems/rubygems/releases/tag/v2.0.15
Running 2.2.x: download: https://github.com/rubygems/rubygems/releases/tag/v2.2.3
Install update gem:
gem install –-local full_path_to_the_gem_file
Run update gem:
update_rubygems --no-ri --no-rdoc
Check that rubygems was updated:
rubygems –v
Uninstall update gem:
gem uninstall rubygems-update -x
At this point, you may be OK. But it is possible that you do not have the latest public key file for the new certificate. To do this:
Download the latest certificate, (currently AddTrustExternalCARoot-2048.pem)
from https://rubygems.org/pages/download.
All of the certs are also located at: https://github.com/rubygems/rubygems/tree/master/lib/rubygems/ssl_certs
Find out where to put it:
gem which rubygems
Put this file in the “rubygems\ssl_certs” directory at this location.
As per rubygems commit, the certificates are moved to more specific directories. Thus, currently the certificate(AddTrustExternalCARoot-2048.pem) is expected to be on the following path lib/rubygems/ssl_certs/rubygems.org/AddTrustExternalCARoot-2048.pem
Try to use the source website for the gems, i.e rubygems.org. Use http instead of https. This method does not involve any work such as installing certs and all that.
Example -
gem install typhoeus --source http://rubygems.org
This works, but there is one caveat though.
The gem is installed, but the documentation is not because of cert errors. Here is the error I get
Parsing documentation for typhoeus-0.7.0 WARNING: Unable to pull
data from 'https://rubygems.org/': SSL_connect returned=1 errno=0
state=SSLv3 read server certificate B: certificate verify failed
(https://rubygems.org/latest_specs.4.8.gz)
Running gem update --system worked for me
Make sure your system clock is correct
This exact error happened to me today on an Ubuntu virtual machine running on VirtualBox. I tried most of the solutions shown above before I noticed that I had resumed from a very old suspended state, and my clock was off by many days.
Updating the clock immediately fixed my issue. Here's the command I used in my case:
sudo service ntp stop && sudo ntpdate pool.ntp.org && sudo service ntp start
Simply uninstalling and reinstalling openssl with homebrew solved this issue for me.
brew uninstall --force openssl
brew install openssl
For Fedora users
Update the cert.pem to newest file that provide by cURL: http://curl.haxx.se/ca/cacert.pem
curl -o `ruby -ropenssl -e 'p OpenSSL::X509::DEFAULT_CERT_FILE' |tr -d \"` http://curl.haxx.se/ca/cacert.pem
If you are using windows, open https://rubygems.org/ with internet explorer.
Click on security information and import the certificate. The bottom line is your certification chain is outdated and you need to add this new certificate. Remember that this is not a security violation as long as you can validate the certificate as trusted.
Approach/one-liner that can be automated to download gems using HTTP instead of HTTPS:
printf -- '---\n:sources:\n- http://rubygems.org\n' | tee ~/.gemrc
In my case, the Ubuntu CA certificates were out of date. I fixed it by running:
sudo update-ca-certificates
Download the cacert.pem file from http://curl.haxx.se/ca/cacert.pem. Save this file to C:\RailsInstaller\cacert.pem.
Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:
set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem
The particular case of RubyGems (the command line tool) is that it requires to bundle inside of its code the trust certificates, which allow RubyGems to establish a connection with the servers even when base operating system is unable to verify the identity of them.
Up until a few months ago, this certificate was provided by one CA, but newer certificate is provided by a different one.
Because of this, existing installations of RubyGems would have to been updated before the switch of the certificate and give enough time for the change to spread (and people to update)
Anyone can find his solution by following the simple steps given in the link below
https://gist.github.com/luislavena/f064211759ee0f806c88
Try
gem update --system
Hope it solves the problem.
For Windows, I followed https://gist.github.com/fnichol/867550.
I had to manually download the "cacert.pem" file. (go to https://curl.se/docs/caextract.html.)
Put it in any folder it won't be deleted from or with.
Make sure you add it to your systems Environment variables!!!
I did this (in Windows 10) via the control panel (select User Accounts) where there is an option to "Change my environment variables". Create a new variable and set the value as the path and filename!
var name SSL_CERT_FILE
var value C:\{your_dir}\cacert.pem
This will ensure it remains visible/useable every time you need it (i.e., every command window you open)!
I had same problem while trying to install cucumber gem. However I noticed that bundler gem already installed with ruby 2.0.
I created a Gemfile.rb in the project folder with required gems and followed this steps
Navigate to project folder
Type bundle install
All the required gems installed.
For Illumos / Solaris using OpenCSW pkgutil:
Install CSWcacertificates prior to 'gem install'
pkgutil -yi CSWcacertificates
If you're using a ruby kit that's not from OpenCSW, your ruby version may expect to find the certificate file in another place. In this case, I simply symlinked OpenCSW's /etc/opt/csw/ssl/cert.pem to the expected place.
Check where ruby expects to find it :
export cf=`ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'` && echo $cf
Then, if there's a discrepancy, link it:
ln -s /etc/opt/csw/ssl/cert.pem $cf && file $cf
Or may be prevented by firewall like me. Try this:
sudo gem install --http-proxy http://localhost:port cocoapods -V
For Windows user:
After installing Ruby 2.2.3 (+ rubygems 2.5.1) successfully on a test machine with access to the internet, I had this SSL error when I installed bundler on a production machine, within the network.
As I had network access limitations, and there was no way to change the settings for SSL access, and based on the error messages, I performed the steps below to be able to finish the installation of the bundler
(this may sound crazy, but it worked...).
Through a machine with unrestricted access to the internet, downloaded the following files:
spec.4.8.gz (http://rubygems.global.ssl.fastly.net/spec.4.8.gz)
latest_specs.4.8.gz (http://rubygems.global.ssl.fastly.net/latest_specs.4.8.gz)
bundler-1.11.2.gemspec.rz (http://rubygems.global.ssl.fastly.net/quick/Marshal.4.8/bundler-1.11.2.gemspec.rz)
bundler-1.11.2.gem (http://rubygems.global.ssl.fastly.net/gems/bundler-1.11.2.gem)
I added these files on an intranet server, keeping the folder structure of the links above:
$INTRANET_HOME
spec.4.8.gz e latest_specs.4.8.gz
$INTRANET_HOME\quick\Marshal.4.8
bundler-1.11.2.gemspec.rz
$INTRANET_HOME\gems
bundler-1.11.2.gem
Then I added my intranet to access gem source:
gem sources -a http://mydomain.com.br
I have run with the success the "gem install bundler" after installation, all it took was remove my intranet of the gem:
gem sources -r http://mydomain.com.br
I hope that is useful in any similar situation....
As a Windows 10 user, I followed Dheerendra's answer, and it worked for me one day. The next day, I experienced the issue again, and his fix didn't work. For me, the fix was to update bundler with:
gem update bundler
I believe my version of bundler was more than a few months old.
Make sure of that you have installed ruby with --disable-binary option,
if not, uninstall it and reinstall it with the option.
more info here
The answer is no longer valid. Since I have encountered the issue with older Windows ruby right now. I'll post the answer:
When I wanted to install an activesupport gem:
gem in activesupport --version 5.1.6
ERROR: Could not find a valid gem 'activesupport' (= 5.1.6), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B
: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)
The following steps need to copy only the certificates from newer windows ruby.
Take the latest ruby (or at least ruby 2.4.0) and do the following:
copy certificates from these directories (adjust to your needs):
C:\prg_sdk\rubies\Ruby-2.4\lib\ruby\2.4.0\rubygems\ssl_certs\rubygems.org
C:\prg_sdk\rubies\Ruby-2.4\lib\ruby\2.4.0\rubygems\ssl_certs\index.rubygems.org
to destination (again adjust to what you need):
C:\prg_sdk\rubies\Ruby231-p112-x64\lib\ruby\2.3.0\rubygems\ssl_certs
go to rubygems and download the latest version works for me. I'm using windows.
I am using Authlogic-Connect for third party logins. After running appropriate migrations, Twitter/Google/yahoo logins seem to work fine but the facebook login throws exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The dev log shows
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
app/controllers/users_controller.rb:37:in `update'
Please suggest..
I ran into a similar problem when trying to use the JQuery generator for Rails 3
I solved it like this:
Get the CURL Certificate Authority (CA) bundle. You can do this with:
sudo port install curl-ca-bundle [if you are using MacPorts]
or just pull it down directly wget http://curl.haxx.se/ca/cacert.pem
Execute the ruby code that is trying to verify the SSL certification: SSL_CERT_FILE=/opt/local/etc/certs/cacert.pem rails generate jquery:install. In your case, you want to either set this as an environment variable somewhere the server picks it up or add something like ENV['SSL_CERT_FILE'] = /path/to/your/new/cacert.pem in your environment.rb file.
You can also just install the CA files (I haven't tried this) to the OS -- there are lengthy instructions here -- this should work in a similar fashion, but I have not tried this personally.
Basically, the issue you are hitting is that some web service is responding with a certificate signed against a CA that OpenSSL cannot verify.
If you're using RVM on OS X, you probably need to run this:
rvm osx-ssl-certs update all
More information here: http://rvm.io/support/fixing-broken-ssl-certificates
And here is the full explanation: https://github.com/wayneeseguin/rvm/blob/master/help/osx-ssl-certs.md
Update
On Ruby 2.2, you may have to reinstall Ruby from source to fix this. Here's how (replace 2.2.3 with your Ruby version):
rvm reinstall 2.2.3 --disable-binary
Credit to https://stackoverflow.com/a/32363597/4353 and Ian Connor.
Here's how you can fix it on Windows: https://gist.github.com/867550 (created by Fletcher Nichol)
Excerpt:
The Manual Way (Boring)
Download the cacert.pem file from http://curl.haxx.se/ca/cacert.pem. Save this file to C:\RailsInstaller\cacert.pem.
Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:
set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem
To make this a permanent setting, add this in your control panel.
Ruby can't find any root certificates to trust.
Take a look at this blog post for a solution: "Ruby 1.9 and the SSL error".
The solution is to install the curl-ca-bundle port which contains the same root certificates used by Firefox:
sudo port install curl-ca-bundle
and tell your https object to use it:
https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'
Note that if you want your code to run on Ubuntu, you need to set the ca_path attribute instead, with the default certificates location /etc/ssl/certs.
The reason that you get this error on OSX is the rvm-installed ruby.
If you run into this issue on OSX you can find a really broad explanation of it in this blog post:
http://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html
The short version is that, for some versions of Ruby, RVM downloads pre-compiled binaries, which look for certificates in the wrong location. By forcing RVM to download the source and compile on your own machine, you ensure that the configuration for the certificate location is correct.
The command to do this is:
rvm install 2.2.0 --disable-binary
if you already have the version in question, you can re-install it with:
rvm reinstall 2.2.0 --disable-binary
(obviously, substitute your ruby version as needed).
The issue is that ruby can not find a root certificate to trust. As of 1.9 ruby checks this. You will need to make sure that you have the curl certificate on your system in the form of a pem file. You will also need to make sure that the certificate is in the location that ruby expects it to be. You can get this certificate at...
http://curl.haxx.se/ca/cacert.pem
If your a RVM and OSX user then your certificate file location will vary based on what version of ruby your using. Setting the path explicitly with :ca_path is a BAD idea as your code will not be portable when it gets to production. There for you want to provide ruby with a certificate in the default location(and assume your dev ops guys know what they are doing). You can use dtruss to work out where the system is looking for the certificate file.
In my case the system was looking for the cert file in
/Users/stewart.matheson/.rvm/usr/ssl/cert.pem
however MACOSX system would expect a certificate in
/System/Library/OpenSSL/cert.pem
I copied the downloaded cert to this path and it worked. HTH
The new certified gem is designed to fix this:
https://github.com/stevegraham/certified
Just add gem 'certified' in your gemfile and run bundle install.
gem 'certified'
bundle install
On Mac OS X Lion with the latest macport:
sudo port install curl-ca-bundle
export SSL_CERT_FILE=/opt/local/share/curl/curl-ca-bundle.crt
Then, rerun the failed job.
Note, the cert file location seems to have changed since Eric G answered on May 12.
Here's another option for debugging purposes.
Be sure never to use this in any production environment, as it will negate benefits of using SSL in the first place. It is only ever valid to do this in your local development environment.
require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
A one liner fixes it for Windows in an Admin prompt
choco install wget (first see chocolatey.org)
wget http://curl.haxx.se/ca/cacert.pem -O C:\cacert.pem && setx /M SSL_CERT_FILE "C:\cacert.pem"
Or just do this:
gem sources -r https://rubygems.org/
gem sources -a http://rubygems.org/
Milanio's method:
gem sources -r https://rubygems.org
gem sources -a http://rubygems.org
gem update --system
gem sources -r http://rubygems.org
gem sources -a https://rubygems.org
gem install [NAME_OF_GEM]
Well this worked for me
rvm pkg install openssl
rvm reinstall 1.9.2 --with-openssl-dir=$rvm_path/usr
Something is wrong with openssl implementation of my ubuntu 12.04
While knowing it's rather a lame solution, I'm still sharing this because it seems like very few people answering here use Windows, and I think some of Windows users (me included) would appreciate a simple and intuitive approach.
require 'openssl'
puts OpenSSL::X509::DEFAULT_CERT_FILE
That tells where your openssl is looking for the cert file. My name is not Luis, but mine was C:/Users/Luis/Code/luislavena/knap-build/var/knapsack/software/x86-windows/openssl/1.0.0l/ssl/cert.pem. The path may be different depending on each own environments (e.g. openknapsack instead of luislavena).
The path didn't change even after set SSL_CERT_FILE=C:\foo\bar\baz\cert.pem via the console, so... I created the directory C:\Users\Luis\Code\luislavena\knap-build\var\knapsack\software\x86-windows\openssl\1.0.0l\ssl in my local disk and put a cert file into it.
Lame as it is, this will surely work.
I've try install curl-ca-bundle with brew, but the package is no available more:
$ brew install curl-ca-bundle
Error: No available formula for curl-ca-bundle
Searching formulae...
Searching taps...
The solution that worked to me on Mac was:
$ cd /usr/local/etc/openssl/certs/
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
Add this line in your ~/.bash_profile (or ~/.zshrc for zsh):
export SSL_CERT_FILE=/usr/local/etc/openssl/certs/cacert.pem
Then update your terminal:
$ source ~/.bash_profile
I had this same issue while working on a Ruby project. I am using Windows 7 64bit.
I resolved this by:
Downloading the cacert.pem file from http://curl.haxx.se/ca/cacert.pem.
Saved that file to C:/RubyCertificates/cacert.pem
Then set my environmental variable "SSL_CERT_FILE" to "C:\RubyCertificates\cacert.pem"
source: https://gist.github.com/fnichol/867550
The most straightforward answer which worked for me was this
sudo apt-get install openssl ca-certificates
And voila!!!
OS X 10.8.x with Homebrew:
brew install curl-ca-bundle
brew list curl-ca-bundle
cp /usr/local/Cellar/curl-ca-bundle/1.87/share/ca-bundle.crt /usr/local/etc/openssl/cert.pem
Then, as this blog post suggests,
"How to Cure Net::HTTP’s Risky Default HTTPS Behavior"
you might want to install the always_verify_ssl_certificates gem that allow you to set a default value for ca_file.
This worked for me. If you using rvm and brew:
rvm remove 1.9.3
brew install openssl
rvm install 1.9.3 --with-openssl-dir=`brew --prefix openssl`
I ran into this issue and the suggested fix of rvm osx-ssl-certs update all did not work despite that I am an RVM user on OSX.
The fix that worked for me was re-installing the latest version of openssl:
brew update
brew remove openssl
brew install openssl
I fixed this problem by running this in terminal. Full writeup is available over here
rvm install 2.2.0 --disable-binary
OSX solution:
install latest rvm stable version
rvm get stable
use rvm command to solve the certificates automatically
rvm osx-ssl-certs update all
If you are running your rails app locally then just add this line at the bottom of application.rb.
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
After this you can use the app without any issues. You may call it a hack but it is not recommended. Use only when you need to run locally
Here's what I did that helped if you are specifically having a problem on Leopard.
My cert was old and needed to be updated. I downloaded this:
http://curl.haxx.se/ca/cacert.pem
Then replaced my cert which was found here on Leopard:
/usr/share/curl/curl-ca-bundle.crt
Reload whatever you have that's accessing it and you should be good to go!
Just because instructions were a slight bit different for what worked for me, I thought I add my 2 cents:
I'm on OS X Lion and using macports and rvm
I installed curl-ca-bundle:
sudo port install curl-ca-bundle
Then I adjusted my omniauth config to be this:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :google_oauth2, APP_CONFIG['CONSUMER_KEY'], APP_CONFIG['CONSUMER_SECRET'],
:scope => 'https://www.google.com/m8/feeds https://www.googleapis.com/auth/userinfo.profile',
:ssl => {:ca_path => "/share/curl/curl-ca-bundle.crt"}
end
If you have a symbolic link in the /usr/local/etc/openssl pointing to cert.pem try to do this:
ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE" (should be /usr/local/etc/openssl)
cd /usr/local/etc/openssl
wget http://curl.haxx.se/ca/cacert.pem
ln -s cacert.pem 77ee3751.0 (77ee3751.0 is my symbolic link, should depend on the openssl version)
What worked for me is a combination of answers, namely:
# Reinstall OpenSSL
brew update
brew remove openssl
brew install openssl
# Download CURL CA bundle
cd /usr/local/etc/openssl/certs
wget http://curl.haxx.se/ca/cacert.pem
/usr/local/opt/openssl/bin/c_rehash
# Reinstall Ruby from source
rvm reinstall 2.2.3 --disable-binary
I had trouble for a number of days and was hacking around. This link proved out to be extremely helpful for me. It helped me to do a successful upgrade of the SSL on MAC OS X 9.
Sometime it's not always rvm's problem
in MAC OSX,if you remove .rvm,the problem still(espcially while you backup data from timemachine) ,you can try this way.
1.brew update
2.brew install openssl
Adding gem 'certified', '~> 1.0' to my Gemfile and running bundle solved this issue for me.