Could not find valid gem: certificate verify failed

Question

I'm trying to establish an ssh tunnel to a remote server as described here: SSH from Heroku into remote server with Mysql Db

But I'm hung up just simply trying to download the gems. I added:

# file: Gemfile
...
gem 'net-ssh-gateway', '~> 1.2.0'

but when I do bundle install (or even just gem install net-ssh on the command line), I get:

ERROR:  Could not find a valid gem 'net-ssh' (>= 0), here is why:
        Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/latest_specs.4.8.gz)

As per the README for net-ssh (https://github.com/net-ssh/net-ssh), I checked my OpenSSL bindings for Ruby -- they look okay:

$ ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
OpenSSL 1.0.1j 15 Oct 2014

I'm not sure if this is related, but when I tried to download the .pem file for a high security download of the gemfile:

$ curl -O https://raw.github.com/net-ssh/net-ssh/master/gem-public_cert.pem

... it didn't download a .pem file, and visiting the URL directly result in 'not found'.

Other info:

$ rake about
About your application's environment
Ruby version              2.1.4-p265 (x86_64-darwin14.0)
RubyGems version          2.2.2
Rack version              1.5
Rails version             4.1.7

So for right now, I'm stuck. Does anyone recognize this problem?

Answer 1

This helped in my case, when I had a problem with certificate:

gem sources -r https://rubygems.org
gem sources -a http://rubygems.org

gem update --system

gem sources -r http://rubygems.org
gem sources -a https://rubygems.org

Answer 2

Despite @the Tin Man's helpful answer, my problem was that I didn't have certificates set up in a place that OpenSSL could find them.

Following suggestions(s) in SSL Error When installing rubygems, Unable to pull data from 'https://rubygems.org/:

An inferior workaround

One can work around this by changing the first line of Gemfile from

source 'https://rubygems.org'

to the non-https form:

source 'http://rubygems.org'

and then do the usual bundle install. Afterwards, you should restore the first line of your Gemfile to use the https form. This is generally considered a security risk.

What's more, you haven't really addressed the real problem that you lack valid certificates and you will run into trouble if your application calls uses OpenSSL (e.g. net-ssh).

A better fix

See SSL Error When installing rubygems, Unable to pull data from 'https://rubygems.org/. For OS X users, we ask Ruby to tell us where it's looking for the certificates file, and then use security find-certificate to populate the certificates file:

$ cert_file=$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE')
$ echo $cert_file
$ security find-certificate -a -p /Library/Keychains/System.keychain > "$cert_file"
$ security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> "$cert_file"

After I did this, I was able to call bundle install without an error.