Develop Reference

SSL verification error when running `gem install bundler` on fresh MacBookPRO M1

Successfully installed asdf install ruby 2.6.6 following this post on my fresh MacBook Pro M1 2021, and trying to run gem install bundler, but getting this:
MacBook-Pro ~ % gem install bundler
ERROR: SSL verification error at depth 1: unable to get local issuer certificate (20)
ERROR: You must add /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign to your local trusted store
ERROR: SSL verification error at depth 1: unable to get local issuer certificate (20)
ERROR: You must add /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign to your local trusted store
ERROR: SSL verification error at depth 1: unable to get local issuer certificate (20)
ERROR: You must add /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign to your local trusted store
ERROR: Could not find a valid gem 'bundler' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (https://rubygems.org/specs.4.8.gz)
ERROR: SSL verification error at depth 1: unable to get local issuer certificate (20)
ERROR: You must add /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign to your local trusted store
ERROR: SSL verification error at depth 1: unable to get local issuer certificate (20)
ERROR: You must add /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign to your local trusted store
I tried to open Mac's Keychain Access window and specify Always Trust option for every GlobalSign certificate, but no luck.
OS: MacOS Monterey 12.0.1
ruby -v: 2.6.6
gem -v: 3.0.3
Homebrew: 3.3.4

I also followed that guide, and ran into this issue. Try this:
check directory /opt/homebrew/etc
see if you have openssl#1.1
if not, you probably need to reinstall using brew reinstall openssl#1.1. openssl1.1 is what i use for ruby 2.6.5, you might need to check that for your ruby version.
Also, i am not entirely sure about this, but I also added a couple more env variables to the ~/zshrc file following this guide. Be sure you are changing the "openssl#1.0" to "openssl#1.1" or whatever your ruby version uses.

Container root certification update problem

I am facing an issue that I want to ask here.
I have a container that must reach an URL. But, because of root certificate problem, I cannot reach that URL.
When I am trying to curl from inside of container, I am getting below error.
***curl: (60) SSL certificate problem: certificate has expired
More details here .
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.***
I am trying to add this certificate and update them in Dockerfile with lines below.
ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates
but, getting this error.
What I have tried;
tried to delete entire certificates and install new ones.
tried to use "update ca-certificates -f"
But did not work.
So, any suggestions?

SSL certificates and Rapns

I'm trying to set up a Rails application using the Rapns library to send push notifications. The project already has this gem configured, I am working toward upgrading it to Rpush. However, I'm having a lot of trouble setting up my certificates.
I've generated all the key pairs and certificates I need with much help from the following articles:
Apple Push Notifications, how do I properly export my cert?
http://quickblox.com/developers/How_to_create_APNS_certificates
http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
Running the following command
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert /path/to/my/sandbox.pem -debug -showcerts
returns the following
Verify return code: 20 (unable to get local issuer certificate)
So with help from Apple's docs I downloaded a CA certificate and ran the following
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert /path/to/my/sandbox.pem -debug -showcerts -CAfile /path/to/my/entrust_2048_ca.cer
and got
Verify return code: 0 (ok)
Success! However, my call to run the notifying application
bundle exec rapns development
Outputs 2 lines initially
[2014-08-04 14:29:42] [my app ID] Started, 1 handler.
[2014-08-04 14:29:43] [my app ID] Connected to feedback.sandbox.push.apple.com:2196
but then does nothing as I attempt to trigger notifications. Additionally it will re-prompt me for my PEM pass phrase periodically, making me think it's not really authenticating (which may be a symptom of the return code 20 from before).
I didn't actually fix the certificate itself (I don't think) by downloading the CA certificate. How do I incorporate that into the PEM so this works, or otherwise configure Rapns such that I don't need the CA cert?

Installing ruby on rvm error

I'm following the guide on rvm to install on OSX Leopard:
http://beginrescueend.com/rvm/install/
I have everything working up until I have to go
rvm install 1.9.2
however I start getting errors when I run that command:
summer$ rvm install 1.9.2-p290
Installing Ruby from source to: /Users/summer/.rvm/rubies/ruby-1.9.2-p290, this may take a while depending on your cpu(s)...
ruby-1.9.2-p290 - #fetching
ruby-1.9.2-p290 - #downloading ruby-1.9.2-p290, this may take a while depending on your connection...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ERROR: There was an error, please check /Users/summer/.rvm/log/ruby-1.9.2-p290/*.log. Next we'll try to fetch via http.
Trying http:// URL instead.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ERROR: There was an error, please check /Users/summer/.rvm/log/ruby-1.9.2-p290/*.log
ERROR: There has been an error while trying to fetch the source.
Halting the installation.
ERROR: There has been an error fetching the ruby interpreter. Halting the installation.
UPDATE: in regard to Deryls response:
error after the modifications:
rvm install 1.9.2
Installing Ruby from source to: /Users/summer/.rvm/rubies/ruby-1.9.2-p290, this may take a while depending on your cpu(s)...
ruby-1.9.2-p290 - #fetching
ruby-1.9.2-p290 - #downloading ruby-1.9.2-p290, this may take a while depending on your connection...
curl: option -: is unknown
curl: try 'curl --help' or 'curl --manual' for more information
ERROR: There was an error, please check /Users/summer/.rvm/log/ruby-1.9.2-p290/*.log. Next we'll try to fetch via http.
Trying http:// URL instead.
curl: option -: is unknown
curl: try 'curl --help' or 'curl --manual' for more information
ERROR: There was an error, please check /Users/summer/.rvm/log/ruby-1.9.2-p290/*.log
ERROR: There has been an error while trying to fetch the source.
Halting the installation.
ERROR: There has been an error fetching the ruby interpreter. Halting the installation.
UPDATE:
I removed the - at the end and got:
rvm install 1.9.2
Installing Ruby from source to: /Users/summer/.rvm/rubies/ruby-1.9.2-p290, this may take a while depending on your cpu(s)...
ruby-1.9.2-p290 - #fetching
ruby-1.9.2-p290 - #downloading ruby-1.9.2-p290, this may take a while depending on your connection...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ERROR: There was an error, please check /Users/summer/.rvm/log/ruby-1.9.2-p290/*.log. Next we'll try to fetch via http.
Trying http:// URL instead.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ERROR: There was an error, please check /Users/summer/.rvm/log/ruby-1.9.2-p290/*.log
ERROR: There has been an error while trying to fetch the source.
Halting the installation.
ERROR: There has been an error fetching the ruby interpreter. Halting the installation.
I also tried both variation of using the - (or not) at the end with --insecure instead of k, I get similar errors.

Instead of modifying the rvm script, you can fix the root-cause of the issue by updating your ca-bundle.crt file. On certain Linux distros, the ca-bundle.crt file is way too old and thus doesn't know how to handle Github's SSL certificate.
What you can do is to locate the ca-bundle.crt on your system and then download and rename the cacert.pem from curl.haxx.se as ca-bundle.crt. Now the RVM installer script should work correctly.
This is what I did:
cp /etc/pki/tls/certs/ca-bundle.crt ~/ca-bundle.crt.old
sudo curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-b
undle.crt
This machine is an EC2 instance, running CentOS 5 and managed with Rightscale. The location of your ca-bundle.crt on your system will probably be different, but there is only a few things Googling won't solve.

The version of curl on Leopard is outdated. Follow beijingyoung's steps listed here: https://github.com/mxcl/homebrew/issues/6103#issuecomment-1694558

You can also hand modify $rvm_path/scripts/fetch on line 61
fetch_command="curl -f -L --create-dirs -C - " # -s for silent
and change it to read
fetch_command="curl -f -L --create-dirs -C -k - " # -s for silent
What this does is tell curl not to care about any invalid certificates (you're not using one you had signed by a registered CA are you?) You can also add -s (as the # remark shows) in order to keep it quiet. Bear in mind that you will probably have to make this change again the next time you
rvm get head
to update your machine's RVM install. I will tale to Wayne about adding that as a permanent option if the detected platform is Leopard, however I do not believe this will go into the application as it creates a security concern for many users. (They prefer to see the errors and know there is a issue with certificates.)

Curl Certificate Error when Using RVM to install Ruby 1.9.2

RVM is running into a certificate error when trying to download Ruby 1.9.2. It looks like curl is having a certificate issue but I am not sure how to bypass it. I have included the exact error info below.
$ rvm install 1.9.2
Installing Ruby from source to: /Users/willdennis/.rvm/rubies/ruby-1.9.2-p180, this may take a while depending on your cpu(s)...
ruby-1.9.2-p180 - #fetching
ERROR: Error running 'bunzip2 '/Users/willdennis/.rvm/archives/ruby-1.9.2-p180.tar.bz2'', please read /Users/willdennis/.rvm/log/ruby-1.9.2-p180/extract.log
ruby-1.9.2-p180 - #extracting ruby-1.9.2-p180 to /Users/willdennis/.rvm/src/ruby-1.9.2-p180
ruby-1.9.2-p180 - #extracted to /Users/willdennis/.rvm/src/ruby-1.9.2-p180
Fetching yaml-0.1.3.tar.gz to /Users/willdennis/.rvm/archives
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ERROR: There was an error, please check /Users/willdennis/.rvm/log/ruby-1.9.2-p180/*.log. Next we'll try to fetch via http.
Trying http:// URL instead.
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ERROR: There was an error, please check /Users/willdennis/.rvm/log/ruby-1.9.2-p180/*.log
Extracting yaml-0.1.3.tar.gz to /Users/willdennis/.rvm/src
ERROR: Error running 'tar zxf /Users/willdennis/.rvm/archives/yaml-0.1.3.tar.gz -C /Users/willdennis/.rvm/src --no-same-owner', please read /Users/willdennis/.rvm/log/ruby-1.9.2-p180/yaml/extract.log
/Users/willdennis/.rvm/scripts/functions/packages: line 55: cd: /Users/willdennis/.rvm/src/yaml-0.1.3: No such file or directory
Configuring yaml in /Users/willdennis/.rvm/src/yaml-0.1.3.
ERROR: Error running ' ./configure --prefix="/Users/willdennis/.rvm/usr" ', please read /Users/willdennis/.rvm/log/ruby-1.9.2-p180/yaml/configure.log
Compiling yaml in /Users/willdennis/.rvm/src/yaml-0.1.3.
ERROR: Error running '/usr/bin/make ', please read /Users/willdennis/.rvm/log/ruby-1.9.2-p180/yaml/make.log
Installing yaml to /Users/willdennis/.rvm/usr
ERROR: Error running '/usr/bin/make install', please read /Users/willdennis/.rvm/log/ruby-1.9.2-p180/yaml/make.install.log
ruby-1.9.2-p180 - #configuring
ERROR: Error running ' ./configure --prefix=/Users/willdennis/.rvm/rubies/ruby-1.9.2-p180 --enable-shared --disable-install-doc --with-libyaml-dir=/Users/willdennis/.rvm/usr ', please read /Users/willdennis/.rvm/log/ruby-1.9.2-p180/configure.log
ERROR: There has been an error while running configure. Halting the installation.
How can I resolve or avoid this error?

In case any one else comes across this while trying to update to 1.9.3 (although version probably doesn't matter), check the version of rvm that you have. Wayne seems to have moved from rvm.beginrescueend.com to rvm.io. The old site's security certificate has expired, so curl's response is correct.
Updating rvm from the new site fixed this problem and allowed me to move forward.
$ \curl -L https://get.rvm.io | bash -s stable --rails --autolibs=enabled
Update: As #rodgerdpack mentioned, the command changes and I've updated the above. In general, see https://rvm.io/ for the latest.

If do not want to change the script AND you do not want to add a cert "for ever" to the cert bundle. There is a very nice and quick solution:
#to download the cert
wget http://curl.haxx.se/ca/cacert.pem
#to let curl use it for the next calls
export CURL_CA_BUNDLE=~/cacert.pem
Then run your script.
To reset the environment variable (for subsequent script calls that should not use this cert) re-login to your system or unset the environment variable:
export CURL_CA_BUNDLE=

Curl is invoked in .rvm/scripts/fetch, which by default will be in your home directory.
Edit this using your favourite text editor: for example,
nano ~/.rvm/scripts/fetch
In lines 56 and 58 (may vary with other versions of RVM, of course) you'll see two lines which begin
fetch_command="curl ...
Simply add -k after curl, save and try again.

You need to download the ca certificate from http://curl.haxx.se/ca/cacert.pem and add them to your curl-ca-bundle-new.crt file.
To find the location of this file use:
$ curl-config --ca
/usr/share/curl/curl-ca-bundle.crt
Backup your curl-ca-bundle.crt file:
$ cp /usr/share/curl/curl-ca-bundle.crt /usr/share/curl/curl-ca-bundle.crt.old
Then you want to concatenate the two file using:
$ cat cacert.pem /usr/share/curl/curl-ca-bundle.crt >> curl-ca-bundle-new.crt

Perhaps all these complicated solutions were once necessary, but now all you need to do is first upgrade RVM and your problem will be solved:
$ rvm get stable
$ rvm reload
$ rvm install ruby-1.9.3-p194

If you don't mind disabling certificate check in curl (I don't):
echo insecure > ~/.curlrc

On Centos 5.6 (Final)
I had a problem with installing rvm 1.9.2
The error was:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ERROR: There was an error, please check /usr/local/rvm/log/ruby-1.9.2-p290/*.log. Next we'll try to fetch via http.
Trying http:// URL instead.
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ERROR: There was an error, please check /usr/local/rvm/log/ruby-1.9.2-p290/*.log
ERROR: There has been an error while trying to fetch the source.
Halting the installation.
ERROR: There has been an error fetching the ruby interpreter. Halting the installation.
Here is a list of actions which helped me to solve the problem
$ curl-config --ca # show path to the certificate
/usr/local/share/curl/curl-ca-bundle.crt
$ cd /usr/local/share/curl/ # go to that path
$ cp curl-ca-bundle.crt curl-ca-bundle.crt.bak # backup certificate
$ curl http://curl.haxx.se/ca/cacert.pem -o curl-ca-bundle.crt # download new
$ rvm install 1.9.2 # bingo it works
Btw curl version is curl 7.18.0 (to check '$ curl -V')

I was attempting to install ruby-1.9.2-p290 and came across the same problem. After running which curl and realizing that the curl instance was coming from an installation of MAMP on my system (OS X Snow Leopard), I reconfigured my PATH variable to use the system default at /usr/bin/curl. Using this version, curl 7.19.7, I had no problem installing the latest version of Ruby with RVM.

I had trouble installing 1.9.2 using RVM, here is my solution:
Download yaml-0.1.3.tar.gz from http://www.filewatcher.com/m/yaml-0.1.3.tar.gz.466845.0.0.html
Save it to /Users//.rvm/archives/yaml-0.1.3.tar.gz
Run these commands:
chmod 777 yaml-0.1.3.tar.gz
tar zxf /Users//.rvm/archives/yaml-0.1.3.tar.gz -C /Users//.rvm/src
I still got the file not found error but the installation went on to be successful
[2011-07-05 14:24:07] tar zxf /Users//.rvm/archives/yaml-0.1.3.tar.gz -C /Users//.rvm/src --no-same-owner
tar (child): /Users//.rvm/archives/yaml-0.1.3.tar.gz: Cannot open: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error exit delayed from previous errors

Thank you Dorothy - this recipe worked for me with the following minor modifications for a Win7 environment:
For others with this issue -
Appreciate the discussion about updating the CA_Bundle - Good to do
but it didn't help with this issue - the pyyaml website cert will still
cause CURL to throw an error and since CURL is launched within the installer,
no way to add a -k option.
Ruby 1.9.2-p290 is trying to install YAML 0.1.4 so Google for a
mirror and download that version - YAML-0.1.3 will have no effect in
bypassing the issues.
You need to do the windows equivalent of CHMOD 777 - within the rvm/src
folder to the extracted files. Change security so that everyone has
ownership/all privileges and turn off the read-only attribute for all files and
folders.
The installer will still throw errors when it tries to download (CURL error), but will resume by trying to extract. The extraction will throw errors because the tarball is already extracted to the src folder. The next step of configuring YAML should work without errors if permissions in step 3 were set correctly and the installation should complete without further problems. (If installing via cygwin/bash, you will need to add a C compiler like 'gcc' and add 'ncurses' (tput command) and 'make' to the default core cygwin setup options.)

$ sudo apt-get install curl
$ curl -L https://get.rvm.io | bash -s stable --ruby with ruby
$ curl -L https://get.rvm.io | bash -s stable --rails with rails