Ruby OpenSSL Errors - Missing CA Certs (Who is Justin?)

I'm writing a little utility script that deals with some RESTful APIs over HTTPS using Ruby's Net::HTTP module on Windows. I consistently get this error:

C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `block in connect'
    from C:/Ruby22-x64/lib/ruby/2.2.0/timeout.rb:74:in `timeout'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:863:in `do_start'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:852:in `start'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:1375:in `request'

According to this post I'm missing the default CA Certs. I ran his "ssl doctor" script and it gave me this diagnostic:

C:\Users\Megaflux\Documents\GitHub\Github_Backup> ruby doctor.rb
C:/Ruby22-x64/bin/ruby (2.2.2-p95)
OpenSSL 1.0.1l 15 Jan 2015: C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""

HEAD https://status.github.com:443
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

The server presented a certificate that could not be verified:
  subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
  issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
  error code 20: unable to get local issuer certificate

Possible causes:
  `C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl/cert.pem' does not exist
  `C:/Users/Justin/Projects/knap-build/var/knapsack/software/x64-windows/openssl/1.0.1l/ssl/certs/' is empty

I'm fine downloading some root CA certificates and installing them at that directory, which isn't hard. But who is Justin? I don't have that user on my machine, and I'd rather not create those folders if I don't have to. Does anyone know how to change the default ssl certificate directory?

Many thanks.

Edit: For completeness, I'll throw the script that was generating the error down here

require 'open-uri'
open("https://www.google.com/") {|f|
   f.each_line {|line| p line}
}

Kokopelli asked May 08 '15 03:05


1 Answer

RubyInstaller issue #153

OpenSSL::X509::DEFAULT_CERT_FILE with personal hardcoded path

The problem is OpenSSL, which has hardcoded values. Search the closed issues and also the RubyInstaller group and you will see this happens from time to time.

OpenSSL needs to be fixed, but no patch to solve this issue has been proposed to OpenSSL itself. See oneclick/rubyinstaller#47

cert.pem is already provided by RubyGems and is included, please take a look here:

https://github.com/ruby/ruby/tree/ruby_2_0_0/lib/rubygems/ssl_certs

That is part of Ruby and thus of the RubyInstaller release.

RubyGems is capable of installing gems from rubygems.org; however, as you pointed out in the Bundler issue, you need a list of other CAs so that connecting to the private/custom RubyGems server works.

For that you need to set the SSL_CERT_FILE environment variable, pointing to the CA certs file.

See oneclick/rubyinstaller#86 and oneclick/rubyinstaller#148

tl;dr: Justin is the person who compiled your OpenSSL binary.

Amadan answered Sep 21 '22 15:09
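
The fix described in the answer, as an added Ruby example (not code from the original post or from RubyInstaller): it resolves which CA file the process would use, checks that the file really contains certificates, and builds a Net::HTTP client with verification left on. The helper names and the throwaway self-signed certificate are assumptions made for illustration.

```ruby
require 'openssl'
require 'net/http'

# CA file this process would use: SSL_CERT_FILE if set, else the path
# compiled into OpenSSL (the "C:/Users/Justin/..." path in the question).
def effective_ca_file(env = ENV)
  override = env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV].to_s
  override.empty? ? OpenSSL::X509::DEFAULT_CERT_FILE : override
end

# True only if the path exists and holds at least one parseable PEM certificate.
def usable_ca_file?(path)
  return false unless File.file?(path)
  pems = File.binread(path).scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  pems.any? && pems.all? { |pem| OpenSSL::X509::Certificate.new(pem) }
rescue OpenSSL::X509::CertificateError
  false
end

# Net::HTTP client pinned to an explicit CA bundle with peer verification on.
# Refuses to build a client rather than falling back to VERIFY_NONE.
def verified_http(host, ca_file = effective_ca_file)
  raise ArgumentError, "no usable CA bundle at #{ca_file}" unless usable_ca_file?(ca_file)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file
  http
end

# Constructed sample input: a throwaway self-signed certificate, so the
# checks above can be exercised offline.
def constructed_ca_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Test CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  puts "compiled default: #{OpenSSL::X509::DEFAULT_CERT_FILE}"
  puts "effective CA file: #{effective_ca_file} (usable: #{usable_ca_file?(effective_ca_file)})"
end
```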