Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Cannot install any ruby gems on Mac OS - SSL_connect error

My environment is Mac OS 10.10.5, ruby version 2.2.4 (or 2.2.2 or 2.2.0) gem (after upgrade) is 2.6.7, rvm version 1.27.0.

This has several duplicates even in the last few days but this is more information than I can put in a comment.

When installing any gems on any version of ruby I get the following:

$ gem install bundler
ERROR:  Could not find a valid gem 'bundler' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

There is a lot of information about this available, especially for problems on Windows. See http://guides.rubygems.org/ssl-certificate-update/ for the proposed solution. I follow this but I continue to get the same error.

The problem seems to be in getting the file GlobalSignRootCA.pem in the appropriate place which is not entirely clear. The above link explains how to find the appropriate ssl_certs directory, of which there are 2 in my system, but neither work.

I forget where I learned the following:

$ ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_DIR'
/etc/openssl/certs
$ ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'
/etc/openssl/cert.pem

which might have given a hint but appending the .pem file to the latter or copying to the former have no effect.

When I re-install openssl (homebrew), it helpfully tells me:

A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
  /usr/local/etc/openssl/certs

and run
  /usr/local/opt/openssl/bin/c_rehash

but this also does not solve the problem.

From another SO question:

rvm osx-ssl-certs update all

doesn't work. Nor does:

security find-certificate -a -p /Library/Keychains/System.keychain > "$cert_file"
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> "$cert_file"

Does anyone know how to get a sense of what rubygems expects here? Where does it want this file or is this even the file it wants? Should I import the .pem file into the OSX keychain? How does one do that?

Or is there a way to get the gem file and install it locally? rubygems does this helpfully for rubygems itself but not for the individual gems from what I can tell.

-- workaround

Okay - the answer to the question of where to get the gem: go to https://rubygems.org/gems/[package name] and select a version and go to download - currently under links on the right hand side. Download the file and gem install --local [downloaded gem file]. Plus all the dependencies.

To automate:

# start by adding insecure source for --explain - thanks to @tnum
gem source -a http://rubygems.org/
while read x 
do
wget https://rubygems.org/downloads/$x.gem
gem install --local $x.gem 
rm $x.gem
done < <(gem install --explain [package name] | grep "^  ")
# remove insecure source
gem source -r http://rubygems.org/

Some of the lack of security could be mitigated by a better grep regex but it is still insecure. Note that wget https:// works so the ssl problem is definitely with rubygems.

like image 254
albe Avatar asked Jan 06 '23 05:01

albe


2 Answers

According to https://rvm.io/support/fixing-broken-ssl-certificates, running command above will fix you issue :

rvm osx-ssl-certs update all
like image 193
Vincent Piau Avatar answered Jan 13 '23 12:01

Vincent Piau


I had the same issue and used the following 'work around'- cd into your rails app directory and run the following

gem source -a http://rubygems.org/ 

This will use the insecure http connection rather than the secure https when you run the 'gem install...' command. It's not ideal but it is a short term work around.

You may also need to change the source line in your gemfile from

source 'https://rubygems.org'

to

source 'http://rubygems.org'
like image 44
tnum Avatar answered Jan 13 '23 10:01

tnum