Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I ran into a similar problem when trying to use the JQuery generator for Rails 3

I solved it like this:

  1. Get the CURL Certificate Authority (CA) bundle. You can do this with:

    • sudo port install curl-ca-bundle [if you are using MacPorts]
    • or just pull it down directly wget http://curl.haxx.se/ca/cacert.pem
  2. Execute the ruby code that is trying to verify the SSL certification: SSL_CERT_FILE=/opt/local/etc/certs/cacert.pem rails generate jquery:install. In your case, you want to either set this as an environment variable somewhere the server picks it up or add something like ENV['SSL_CERT_FILE'] = /path/to/your/new/cacert.pem in your environment.rb file.

You can also just install the CA files (I haven't tried this) to the OS -- there are lengthy instructions here -- this should work in a similar fashion, but I have not tried this personally.

Basically, the issue you are hitting is that some web service is responding with a certificate signed against a CA that OpenSSL cannot verify.


If you're using RVM on OS X, you probably need to run this:

rvm osx-ssl-certs update all

More information here: http://rvm.io/support/fixing-broken-ssl-certificates

And here is the full explanation: https://github.com/wayneeseguin/rvm/blob/master/help/osx-ssl-certs.md


Update

On Ruby 2.2, you may have to reinstall Ruby from source to fix this. Here's how (replace 2.2.3 with your Ruby version):

rvm reinstall 2.2.3 --disable-binary

Credit to https://stackoverflow.com/a/32363597/4353 and Ian Connor.


Here's how you can fix it on Windows: https://gist.github.com/867550 (created by Fletcher Nichol)

Excerpt:

The Manual Way (Boring)

Download the cacert.pem file from http://curl.haxx.se/ca/cacert.pem. Save this file to C:\RailsInstaller\cacert.pem.

Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:

set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem

To make this a permanent setting, add this in your control panel.


Ruby can't find any root certificates to trust.

Take a look at this blog post for a solution: "Ruby 1.9 and the SSL error".

The solution is to install the curl-ca-bundle port which contains the same root certificates used by Firefox:

sudo port install curl-ca-bundle

and tell your https object to use it:

https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'

Note that if you want your code to run on Ubuntu, you need to set the ca_path attribute instead, with the default certificates location /etc/ssl/certs.


The reason that you get this error on OSX is the rvm-installed ruby.

If you run into this issue on OSX you can find a really broad explanation of it in this blog post:

http://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html

The short version is that, for some versions of Ruby, RVM downloads pre-compiled binaries, which look for certificates in the wrong location. By forcing RVM to download the source and compile on your own machine, you ensure that the configuration for the certificate location is correct.

The command to do this is:

rvm install 2.2.0 --disable-binary

if you already have the version in question, you can re-install it with:

rvm reinstall 2.2.0 --disable-binary

(obviously, substitute your ruby version as needed).


The issue is that ruby can not find a root certificate to trust. As of 1.9 ruby checks this. You will need to make sure that you have the curl certificate on your system in the form of a pem file. You will also need to make sure that the certificate is in the location that ruby expects it to be. You can get this certificate at...

http://curl.haxx.se/ca/cacert.pem

If your a RVM and OSX user then your certificate file location will vary based on what version of ruby your using. Setting the path explicitly with :ca_path is a BAD idea as your code will not be portable when it gets to production. There for you want to provide ruby with a certificate in the default location(and assume your dev ops guys know what they are doing). You can use dtruss to work out where the system is looking for the certificate file.

In my case the system was looking for the cert file in

/Users/stewart.matheson/.rvm/usr/ssl/cert.pem

however MACOSX system would expect a certificate in

/System/Library/OpenSSL/cert.pem

I copied the downloaded cert to this path and it worked. HTH