OpenSSL Errors and Rails – Certificate Verify Failed

by Daniel Kehoe

Last updated 28 December 2013

Are you getting an error “OpenSSL certificate verify failed” with Ruby? You may be seeing Ruby errors with OpenSSL because of outdated SSL certificate files. These problems are most common with Ruby 2.1 on Mac OS X. For problems with Windows or Ubuntu, see the end of the article.

This is a note for developers using the example applications and tutorials from the RailsApps project. If you’re getting started with Rails, or want an easier way to get started building your applications, see the RailsApps example applications and tutorials.

If You Are New to Rails

If you’re new to Rails, see What is Ruby on Rails?, the book Learn Ruby on Rails, and recommendations for a Rails tutorial.

Join RailsApps

What is the RailsApps Project?

This is an article from the RailsApps project. The RailsApps project provides example applications that developers use as starter apps. Hundreds of developers use the apps, report problems as they arise, and propose solutions. Rails changes frequently; each application is known to work and serves as your personal “reference implementation.” Each application is accompanied by a tutorial so there is no mystery code. Support for the project comes from subscribers. Please accept our invitation to join the RailsApps project.

Errors

Have you seen one of these error messages?

openssl::ssl::sslerror: ssl_connect returned=1 errno=0 state=sslv3 read server certificate b: certificate verify failed
could not load openssl. you must recompile ruby with openssl support or change the sources in your gemfile from 'https' to 'http'. instructions for compiling with openssl using rvm are available at rvm.io/packages/openssl.

Use RVM to Fix SSL Certificates

Recent versions of RVM, the Ruby Version Manager, include a utility to diagnose and resolve errors caused by outdated certificate files. See the article Installing Rails for instructions and advice. The RVM website explains how to install RVM.

If you’ve installed RVM, try this:

$ rvm -v
# rvm 1.19.1 (stable)
$ rvm osx-ssl-certs status all
# Certificates for...
$ rvm osx-ssl-certs update all
# Updating certificates...

That’s all that is needed to resolve the issue if you are using RVM (you must be using RVM version 1.19.1 or newer).

For more on the issue, see a discussion at add rvm osx-ssl-certs on GitHub.

Let me know if this resolves the issue. Please add to the comments below.

Staying Healthy

In a year or two, the error may reappear, when the certificate files again become outdated. To keep the certificate files current, RVM offers an option to run a cron job that updates the certificate files daily.

$ sudo rvm osx-ssl-certs cron install

Getting Help

Before you ask for help, please carefully read all the output from RVM commands, including any log files mentioned in the output messages. RVM provides very good diagnostic and help messages.

You can get help directly from the RVM team using the IRC (Internet Relay Chat) channel #rvm on irc.freenode.net:

If you’ve never used IRC, it’s worthwhile to figure out how to use IRC because the RVM team is helpful and friendly. IRC on freenode requires registration (see how to register).

Other Possibilities

Almost all problems with Ruby and OpenSSL can be resolved by installing RVM and running rvm osx-ssl-certs update. Before the RVM osx-ssl-certs utility was available, there were other, more complicated ways to resolve the issue. This article details some of the older solutions.

Errors with Ruby 2.1

If you get OpenSSL errors with Ruby 2.1, make sure you are using RubyGems 2.0.3 or newer:

$ gem -v

Use gem update --system to upgrade the RubyGems system gem if necessary.

Update SSL Certificates

The SSL certificates that comes with Mac OS X 10.8 may be outdated. If you are using RVM, the newest version of RVM will install OpenSSL and updated certificates automatically. You can also install Homebrew and try this:

$ brew update
$ brew install openssl
$ brew link openssl --force
$ brew install curl-ca-bundle

Alternative

James Tucker (raggi) has released a simple script (openssl-osx-ca) that uses Homebrew to update the OpenSSL security certificates found in the Mac OS X Keychain. The script replaces the outdated OpenSSL security certificates on your Mac with new certificates from Mozilla.org

$ brew tap raggi/ale
$ brew install openssl-osx-ca

Doesn’t work for you? Please add to the comments below.

Errors with Ruby 1.9.3

You may have received an error message if you’ve tried to create a new Rails application with Ruby 1.9.3.

For example, you may have entered:

$ rails new myapp

or created a new Rails application using an application template:

$ rails new myapp -m https://raw.github.com/RailsApps/rails-composer/master/composer.rb

and seen the following error message:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

or

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B

Here is an explanation and suggested solutions.

What is Happening

When creating a new Rails application, the Ruby language interpreter uses OpenSSL to connect to https://rubygems.org/. The Gemfile installed by the rails new command specifies https://rubygems.org/ as the source for gems and requires an SSL connection.

In the case of a new application generated from an application template hosted on GitHub, the Ruby language interpreter uses OpenSSL to connect to GitHub. GitHub requires all connections to be made using SSL.

The error message indicates the connection failed because OpenSSL was unable to verify the server certificate.

If you are seeing an error when you create a new Rails application, it is likely that you need to update OpenSSL certificate files on your computer. Users of older versions of Mac OS X and Ubuntu operating systems are likely to see these errors.

Check RubyGems issues on GitHub and look for recent updates to the issue SSL_connect failure when running ‘rails new’. You may find more information on Stack Overflow, especially this discussion: Bundle install fails with SSL certificate verification error. And please read the comments below.

Diagnosis

What’s your operating system version?

$ uname -srv

It is advisable to upgrade your operating system if older than Mac OS X 10.8 (Mountain Lion) or Ubuntu 12.04 (Precise Pangolin).

What version of Ruby are you using?

$ ruby -v

If it’s older than Ruby 2.0.0-p195 or Ruby 1.9.3-p392 you should upgrade. See the article Installing Rails.

Be sure you are using RubyGems 2.0.3 or newer:

$ gem -v

Update RubyGems if necessary:

$ gem update --system

Check your OpenSSL version:

$ openssl version

You should see OpenSSL 1.0.1 or newer. If not, try updating OpenSSL.

A curl -I command should show that the rubygems.org file host is available and responding:

$ curl -I https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem
HTTP/1.0 200 OK
...

Try executing remote_fetcher directly to download a gem from the rubygems.org file host:

$ ruby -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")).bytesize'
Fetching: rake-0.9.2.2.gem (100%)

If you’ve updated OpenSSL or upgraded your OS, and you’re still getting the error “SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure”, run the diagnostic below and add your report to the issue SSL_connect failure when running ‘rails new’. Please supply details: OS version, Ruby version, RubyGems version, OpenSSL version, error message.

% ruby -d -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")).bytesize'
% ruby -rrbconfig -e 'p Dir.glob(File.join(RbConfig::CONFIG["sitelibdir"], "rubygems/ssl_certs/*"))'
% ruby -rhttpclient -e 'h = HTTPClient.new; h.ssl_config.verify_callback = proc { |ok, ctx|; p ctx.current_cert; ok }; h.get("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")'

You can try several workarounds to isolate the error conditions. Please don’t rely on a workaround for anything other than a temporary solution. Attempt the suggested resolutions (below) and file an issue report if they don’t work.

Workaround #1

Try changing your Gemfile to use an http connection for your gem source. Instead of source 'https://rubygems.org' use:

source 'http://rubygems.org'

This workaround is not an option if you are running rails new because the Gemfile is produced automatically from a template in the Rails library.

Workaround #2

Use the --skip-bundle when you generate a new Rails application:

rails new myapp --skip-bundle

This workaround is not an option if you are using an application template to generate a new Rails application as most application templates will run commands that require a successful bundle install.

Workaround #3

Try toggling off the requirement to verify the SSL security certificate.

Create or modify the file called .gemrc in your home path and add the line:

:ssl_verify_mode: 0

For Mac OS and Linux, “home path” means ~/.gemrc. You can also create /etc/gemrc if you prefer. For Windows XP, “home path” means C:\Documents and Settings\All Users\Application Data\gemrc. For Windows 7, C:\ProgramData\gemrc. (Suggested by Andrew Fallows in a Stack Overflow discussion).

This is only a workaround. It opens a possible security vulnerability (discussed here).

Be sure to try possible solutions suggested below. Please leave a comment if they work (or don’t).

Updating SSL Certificates with Homebrew

$ openssl version
.
$ brew update
.
.
.
$ brew install openssl
==> Downloading http://openssl.org/source/openssl-1.0.1e.tar.gz
==> perl ./Configure --prefix=/usr/local/Cellar/openssl/1.0.1e --openssldir=/usr
==> make
==> make test
==> make install MANDIR=/usr/local/Cellar/openssl/1.0.1e/share/man MANSUFFIX=ssl
==> Caveats
To install updated CA certs from Mozilla.org:

    brew install curl-ca-bundle

This formula is keg-only: so it was not symlinked into /usr/local.

Mac OS X already provides this software and installing another version in
parallel can cause all kinds of trouble.

The OpenSSL provided by OS X is too old for some software.

Generally there are no consequences of this for you. If you build your
own software and it requires this formula, you'll need to add to your
build variables:

    LDFLAGS:  -L/usr/local/opt/openssl/lib
    CPPFLAGS: -I/usr/local/opt/openssl/include

==> Summary
/usr/local/Cellar/openssl/1.0.1e: 429 files, 15M, built in 3.9 minutes
$ brew link openssl --force
Linking /usr/local/Cellar/openssl/1.0.1e... 1139 symlinks created
$ brew install curl-ca-bundle
==> Downloading https://downloads.sourceforge.net/project/machomebrew/...
/usr/local/Cellar/curl-ca-bundle/1.87: 2 files, 252K, built in 5 seconds

Close and reopen your terminal (or reload your shell).

$ openssl version
OpenSSL 1.0.1e 11 Feb 2013

Doesn’t work for you? Please add to the comments below.

Updating SSL Certificates with MacPorts

If you don’t want to use Homebrew, you can try updating your OpenSSL certificates using MacPorts. You’ll need to install MacPorts first.

$ openssl version
$ sudo port sync; sudo port selfupdate; sudo port install openssl
...
$ openssl version
OpenSSL 1.0.1a 19 Apr 2012

You should download an updated certificate file. This assumes you are using MacPorts and have a directory /opt/local/etc/openssl:

$ cd /opt/local/etc/openssl
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
$ sudo mv cacert.pem cert.pem

Doesn’t work for you? Please add to the comments below.

Solution for Windows

Fletcher Nichol shows how to download a cacert.pem file and set an environment variable to install the certificate authorities needed by the OpenSSL library.

You can also try hacking the open-uri source: How to Use an Application Template from Github when You’re Developing in Rails on Windows

Any advice to offer? Please add to the comments below.

Solution for Ubuntu

Ubuntu’s custom build of OpenSSL failed with the SSL server configuration used for the Cloudfront service (Amazon Web Services) used for RubyGems file hosting.

For Ubuntu 12.04, the openssl 1.0.1-4ubuntu5 package fixes the problem. The problem should be resolved when you install the update.

Newer versions of Ubuntu should not have the problem.

Any advice to offer? Please add to the comments below.

Credits

Daniel Kehoe wrote the article.

Learn Ruby on Rails

Comments

Is this helpful? Your encouragement fuels the project. Please tweet or add a comment. Couldn't get something to work? For the example apps and tutorials, it's best to open an issue on GitHub so we can help you.

comments powered by Disqus