I am using Authlogic-Connect for third-party logins. After running the appropriate migrations, Twitter/Google/Yahoo logins seem to work fine, but the Facebook login throws an exception:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

The dev log shows

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
  app/controllers/users_controller.rb:37:in `update'

Please suggest..

Here is the best solution I was able to find so far: //allinonescript.com/a/16983443/11792 – Pavel Nikolov

36 Answers

Ruby can't find any root certificates to trust.

Take a look at this blog post for a solution: "Ruby 1.9 and the SSL error".

The solution is to install the curl-ca-bundle port which contains the same root certificates used by Firefox:

sudo port install curl-ca-bundle

and tell your https object to use it:

https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'

Note that if you want your code to run on Ubuntu, you need to set the ca_path attribute instead, with the default certificates location /etc/ssl/certs.

This seems to happen on Windows as well, in which case the solution recommended there won't work. – Bob Aman
This works well with Net::HTTP. – yang

Then, as this blog post suggests,

"How to Cure Net::HTTP’s Risky Default HTTPS Behavior"

you might want to install the always_verify_ssl_certificates gem that allows you to set a default value for ca_file.

I ran into a similar problem when trying to use the jQuery generator for Rails 3.

I solved it like this:

  1. Get the CURL Certificate Authority (CA) bundle. You can do this with:

    • sudo port install curl-ca-bundle [if you are using MacPorts]
    • or just pull it down directly: wget http://curl.haxx.se/ca/cacert.pem
  2. Execute the Ruby code that is trying to verify the SSL certification: SSL_CERT_FILE=/opt/local/etc/certs/cacert.pem rails generate jquery:install. In your case, you want to either set this as an environment variable somewhere the server picks it up or add something like ENV['SSL_CERT_FILE'] = '/path/to/your/new/cacert.pem' in your environment.rb file.

You can also just install the CA files (I haven't tried this) to the OS -- there are lengthy instructions here -- this should work in a similar fashion, but I have not tried this personally.

Basically, the issue you are hitting is that some web service is responding with a certificate signed against a CA that OpenSSL cannot verify.

This worked for me too while trying to connect to my Gmail account using Ruby Net::IMAP from a Ruby script. Thanks. – Jiggneshh Gohel
Yes, this works fine on ruby-1.9.3. I added it to my bash config. export SSL_CERT_FILE=/usr/local/etc/openssl/certs/cert.pem – andersjanmyr
Thanks, this works great! – Matt Schwartz
I didn't have /usr/local/etc/openssl, so I ran sudo curl http://curl.haxx.se/ca/cacert.pem >> /usr/local/etc/cacert.pem followed by export SSL_CERT_FILE=/usr/local/etc/cacert.pem – Nathanael Jones
I was able to fix this on OS X without setting any environment variables. I'm not sure if I had the same exact problem, but I was getting the same error. For me it was just a matter of putting the cert.pem file in the right place. More details here: //allinonescript.com/a/16741712/62 – Liron Yahdav
Developing on my Mac I just added SSL_CERT_FILE=/usr/local/etc/openssl/cert.pem to my app's .env file and voila - all happy. – Dave Sag
I appreciate the irony of using wget to download curl certificates. – Trey
curl-ca-bundle was removed – aceofspades
This works on Windows as well: //allinonescript.com/questions/27435841/… – Jeff
I was able to fix this just by upgrading openssl. brew update, brew upgrade openssl. – jwadsack
Having a rails app this is what worked for me: do step 1, then place the downloaded cert file into config folder, add in your development.rb the line ENV['SSL_CERT_FILE'] = 'config/cacert.pem' – Denis

Here's another option for debugging purposes.

Be sure never to use this in any production environment, as it will negate benefits of using SSL in the first place. It is only ever valid to do this in your local development environment.

require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

Thanks a lot, this helped me in uploading my video to YouTube with the youtube_it gem – Uchenna
Downvoted: Yes, this works, but the barrier to installing a valid CA bundle and actually solving the problem is so low that a solution like this – which near-completely invalidates the security of SSL – is not a solution that should be implemented unless you're in an environment where the Certificate Authority is completely inaccessible (and even then, you should create a local CA that is accessible to both endpoints). – yaauie
It didn't near completely remove SSL protection, it completely removes it. Never do this. – drbrain
For debugging it is sufficient – rickyduck
This produces a warning now in 1.9 – Ivan
Don't use this solution with the excuse that it is sufficient for debugging. Take a look at this one //allinonescript.com/a/16983443/11792 – Pavel Nikolov
Never ever do that, it's only a stupid workaround and very often leads to problems – lisowski.r
You might as well just not use SSL at all. – alberge
This is a bad solution for production work over the actual Internet, but it is emphatically not true that "you might as well not use SSL at all". Traffic encrypted over the wire is better than traffic in the clear. Yes, you have the possibility of man-in-the-middle attacks, but those are at least one notch harder to stand up than simply eavesdropping on the plaintext traffic as it glides by. – Mark Reed
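
A check that can be run over a code base to catch the override shown in the answer above before it reaches production. This is an added example, not code from the thread; `find_disabled_verification`, the rule names and the sample source are constructed for illustration.

```ruby
# Added example: flag Ruby source lines that turn off TLS certificate verification.
# find_disabled_verification, RULES and SAMPLE are hypothetical names for this sketch.

RULES = [
  # Reassigning the constant disables verification for every TLS client in the process.
  [:global_override, /\bVERIFY_PEER\s*=\s*(?:OpenSSL::SSL::)?VERIFY_NONE\b/],
  # Any other use disables it for a single connection or context.
  [:verify_none, /\bVERIFY_NONE\b/]
].freeze

def find_disabled_verification(source, filename = '(inline)')
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line =~ /\A\s*#/ # skip full-line comments; trailing comments are still scanned
    rule = RULES.find { |_name, pattern| line =~ pattern }
    next unless rule

    findings << { file: filename, line: lineno, rule: rule.first, text: line.strip }
  end
  findings
end

# Constructed sample input (not taken from a real application).
SAMPLE = <<~'RUBY'
  require 'net/http'
  # OpenSSL::SSL::VERIFY_NONE is mentioned here only in a comment
  OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
  http = Net::HTTP.new('example.com', 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
RUBY

if __FILE__ == $PROGRAM_NAME
  find_disabled_verification(SAMPLE, 'config/application.rb').each do |f|
    puts "#{f[:file]}:#{f[:line]}: #{f[:rule]}: #{f[:text]}"
  end
end
```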

Here's what I did that helped if you are specifically having a problem on Leopard.

My cert was old and needed to be updated. I downloaded this:

http://curl.haxx.se/ca/cacert.pem

Then replaced my cert which was found here on Leopard:

/usr/share/curl/curl-ca-bundle.crt

Reload whatever you have that's accessing it and you should be good to go!

Here's how you can fix it on Windows: https://gist.github.com/867550 (created by Fletcher Nichol)

Excerpt:

The Manual Way (Boring)

Download the cacert.pem file from http://curl.haxx.se/ca/cacert.pem. Save this file to C:\RailsInstaller\cacert.pem.

Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:

set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem

To make this a permanent setting, add this in your control panel.

Thank you. This is exceptionally useful and also very simple. – John
The above solution didn't help me. This is a better guide for Windows: //allinonescript.com/questions/5720484/… – Sprachprofi
@Sprachprofi The solution you've linked to will only work for 1 rails project at a time (as you're pointing directly to that cert). The gist I've linked to (created by Fletcher Nichol) will allow it to cover every project/gem that's looking for a certificate. – ryanjones
Wow, thanks that was easy! =D – G4bri3l
Thanks a lot, worked for me. :) – santosh kore
You made my day, thank you :) – Iglesk

On Mac OS X Lion with the latest MacPorts:

sudo port install curl-ca-bundle  
export SSL_CERT_FILE=/opt/local/share/curl/curl-ca-bundle.crt  

Then, rerun the failed job.

Note, the cert file location seems to have changed since Eric G answered on May 12.

After all of the searching and a multitude of attempts, this was the only thing that solved the problem. Thanks! – shawnwall
Same here. Thanks dude! – marcamillion
Cool, that fixed it. But as long as openssl is installed with homebrew, you have to add an export SSL_CERT_FILE=/usr/local/etc/openssl/cacert.pem to your .profile or .bashrc file – 23tux
This worked for me as well. – Steph Rose

Just because the instructions were a slight bit different for what worked for me, I thought I'd add my 2 cents:

I'm on OS X Lion and using macports and rvm

I installed curl-ca-bundle:

sudo port install curl-ca-bundle

Then I adjusted my omniauth config to be this:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2, APP_CONFIG['CONSUMER_KEY'], APP_CONFIG['CONSUMER_SECRET'],
           :scope => 'https://www.google.com/m8/feeds https://www.googleapis.com/auth/userinfo.profile',
           :ssl => {:ca_path => "/share/curl/curl-ca-bundle.crt"}
end

You could (and probably should) forgo the entire CA Zoo (ca-bundle.crt) and use Google Internet Authority G2 in :ssl => {:ca_path => "/share/curl/curl-ca-bundle.crt"}. That's the only one needed to certify connections to Google. – jww

Well this worked for me

rvm pkg install openssl
rvm reinstall 1.9.2 --with-openssl-dir=$rvm_path/usr

Something is wrong with the OpenSSL implementation on my Ubuntu 12.04.

I have this same issue – aren55555
This works, but I had to finish with this : curl -O http://curl.haxx.se/ca/cacert.pem, mv cacert.pem cert.pem, mv cert.pem $rvm_path/usr/ssl – Raf
Worked for me, Mac OS X Yosemite. Thanks! – user2038085

The issue is that Ruby cannot find a root certificate to trust. As of 1.9 Ruby checks this. You will need to make sure that you have the curl certificate on your system in the form of a pem file. You will also need to make sure that the certificate is in the location that Ruby expects it to be. You can get this certificate at...

http://curl.haxx.se/ca/cacert.pem

If you're an RVM and OS X user then your certificate file location will vary based on what version of Ruby you're using. Setting the path explicitly with :ca_path is a BAD idea as your code will not be portable when it gets to production. Therefore you want to provide Ruby with a certificate in the default location (and assume your dev ops guys know what they are doing). You can use dtruss to work out where the system is looking for the certificate file.

In my case the system was looking for the cert file in

/Users/stewart.matheson/.rvm/usr/ssl/cert.pem

However, the Mac OS X system would expect a certificate in

/System/Library/OpenSSL/cert.pem

I copied the downloaded cert to this path and it worked. HTH

For me on Ubuntu 12.04, the cert path which works is ~/.rvm/usr/ssl/cert.pem – Nazar Hussain
How do you use dtruss to work out where the system is looking for the certificate? – pingu
@pingu Can't remember the exact command; basically you run dtruss and you tell it to run whatever Ruby process you want it to "inspect". Its output is very verbose but basically you will be able to see each system call Ruby is making. One of the calls will be a read file call which will be pointing to a file that does not exist. Move the cert here or create a link and you should be good to go. – Stewart
Ruby should not be looking for a cacert.pem on OS X. OS X does not use cacert.pem. System and user certificates are stored in the KeyChain. Ruby should be integrating with the KeyChain on OS X. – jww
What is the best way to do this? Can you post an example? – Stewart

The new certified gem is designed to fix this:

https://github.com/stevegraham/certified

worked for me. osx mountain lion/rvm/1.9 – thekindofme
does not work for ruby 2.0 – Rubytastic
Works with ruby 2.0.0p481 (2014-05-08) [i386-mingw32] – Evmorov
Not working for me with Rails 4.1.9, ruby-2.1.5. I added it to the Gemfile, bundle, explicitly added require "certified" just to be sure, and nothing changes. What am I missing? – Isaac Betesh
Ruby should not be looking for a cacert.pem on OS X. OS X does not use cacert.pem. System and user certificates are stored in the KeyChain. Ruby should be integrating with the KeyChain on OS X. OpenSSL has never distributed a cacert.pem. It's not clear to me why any software would defer to OpenSSL for it. – jww
I couldn't get that to work. – djangofan

This worked for me. If you are using rvm and brew:

rvm remove 1.9.3
brew install openssl
rvm install 1.9.3 --with-openssl-dir=`brew --prefix openssl`

OSX solution:

install latest rvm stable version

rvm get stable

use rvm command to solve the certificates automatically

rvm osx-ssl-certs update all

I tried this and it didn't work for me. Here's my solution: //allinonescript.com/a/16741712/62 – Liron Yahdav
Worked for me after installing Ruby 2.0.0 via RVM. – Chris Peters

If you're using RVM on OS X, you probably need to run this:

rvm osx-ssl-certs update all

More information here: http://rvm.io/support/fixing-broken-ssl-certificates

And here is the full explanation: https://github.com/wayneeseguin/rvm/blob/master/help/osx-ssl-certs.md


Update

On Ruby 2.2, you may have to reinstall Ruby from source to fix this. Here's how (replace 2.2.3 with your Ruby version):

rvm reinstall 2.2.3 --disable-binary

Credit to //allinonescript.com/a/32363597/4353 and Ian Connor.

Here is a much more comprehensive writeup with alternatives: railsapps.github.io/openssl-certificate-verify-failed.html – Peter P.
ERROR: rvm update has been removed. See 'rvm get' and rvm 'rubygems' CLI API instead – yang
@user432506 How did you get that error? I'm using latest stable RVM and it still works. – htanata
Worked perfectly, thanks! – Robin
Found this magic line of code after hours of pain. Thank you! – Per
I am using pod install, and this method works perfectly, thanks a lot. – inix
This would work for a while, then fail for me. What worked for me was running rvm reinstall 2.2.0 --disable-binary but then you have to bundle install and start fresh. – Ian Connor
@IanConnor Yes, I've just encountered this issue yesterday and planned to update my answer. Thank you! – htanata
@IanConnor you saved me. This worked under 10.11.3 / rvm ruby 2.2.3 very much appreciated, sir. – fmquaglia
This was a huge lifesaver and should be the accepted answer. – Siraris

The most straightforward answer which worked for me was this

sudo apt-get install openssl ca-certificates

And voila!!!

Wish I could up vote more than once cause you just saved me so much time! – Stephen
@Stephen - I wish you could too :-). It saved me a lot of time, so I thought I'd post it here, and it might help someone else too. – Pratik Bothra

OS X 10.8.x with Homebrew:

brew install curl-ca-bundle
brew list curl-ca-bundle
cp /usr/local/Cellar/curl-ca-bundle/1.87/share/ca-bundle.crt /usr/local/etc/openssl/cert.pem

Works for me on 10.9 as well. – Sami Samhuri
Ok for me, OS X 10.9.1. Awesome! – rogeriopradoj
Something is severely broken when you have to hunt down random solutions to fix these dumb problems. All of these answers do something entirely different and all of them seemed to help people at some point. WTF? – sergserg
curl-ca-bundle was removed from brew – Fa11enAngel

I had trouble for a number of days and was hacking around. This link proved out to be extremely helpful for me. It helped me to do a successful upgrade of the SSL on MAC OS X 9.

While knowing it's rather a lame solution, I'm still sharing this because it seems like very few people answering here use Windows, and I think some of Windows users (me included) would appreciate a simple and intuitive approach.

require 'openssl'
puts OpenSSL::X509::DEFAULT_CERT_FILE

That tells where your openssl is looking for the cert file. My name is not Luis, but mine was C:/Users/Luis/Code/luislavena/knap-build/var/knapsack/software/x86-windows/openssl/1.0.0l/ssl/cert.pem. The path may be different depending on your own environment (e.g. openknapsack instead of luislavena).

The path didn't change even after set SSL_CERT_FILE=C:\foo\bar\baz\cert.pem via the console, so... I created the directory C:\Users\Luis\Code\luislavena\knap-build\var\knapsack\software\x86-windows\openssl\1.0.0l\ssl in my local disk and put a cert file into it.

Lame as it is, this will surely work.

Brilliant. Hacky, but this was the only thing that solved my problem. – Daniel Magliola
On Windows I solved with: github.com/stevegraham/certified – Sebtm
Nice way of debugging... For me the user was "Justin". Googling shows this seems to be a known issue with RubyInstaller. Unfortunately, creating that directory (+ pem file) myself, didn't solve the issue for me – Wouter
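
The SSL_CERT_FILE approach used in several answers above, and the observation in the answer above that OpenSSL::X509::DEFAULT_CERT_FILE prints the same path after the variable is set, can both be reproduced offline. This is an added example, not code from the thread; the helper names are hypothetical and the CA and server certificate are constructed in memory for the demonstration.

```ruby
# Added example: how SSL_CERT_FILE decides whether certificate verification succeeds.
# make_cert, effective_ca_file, verify_with_default_store and demo are hypothetical names;
# the CA and the server certificate are throwaway objects constructed for this run.
require 'openssl'
require 'tempfile'

ENV_KEY = OpenSSL::X509::DEFAULT_CERT_FILE_ENV # "SSL_CERT_FILE"

def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The file OpenSSL will read: the environment override if set, otherwise the
# path compiled into the library. The constant itself never changes at run time.
def effective_ca_file
  ENV[ENV_KEY] || OpenSSL::X509::DEFAULT_CERT_FILE
end

# Verify a certificate against the default trust store, as a VERIFY_PEER client does.
def verify_with_default_store(cert)
  store = OpenSSL::X509::Store.new
  store.set_default_paths # SSL_CERT_FILE / SSL_CERT_DIR are consulted here
  [store.verify(cert), store.error_string]
end

def demo
  saved = ENV[ENV_KEY]
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Constructed Test CA', ca_key, ca: true)
  leaf = make_cert('/CN=service.example', OpenSSL::PKey::RSA.new(2048),
                   issuer: ca, issuer_key: ca_key)
  result = {}
  Tempfile.create(['constructed-ca', '.pem']) do |bundle|
    bundle.write(ca.to_pem)
    bundle.flush
    ENV.delete(ENV_KEY) # no override: the issuing CA is not in the default store
    result[:without_bundle] = verify_with_default_store(leaf)
    ENV[ENV_KEY] = bundle.path # override: the bundle now contains the issuing CA
    result[:with_bundle] = verify_with_default_store(leaf)
    result[:effective_is_bundle] = effective_ca_file == bundle.path
    result[:constant_is_bundle] = OpenSSL::X509::DEFAULT_CERT_FILE == bundle.path
  end
  result
ensure
  if saved
    ENV[ENV_KEY] = saved
  else
    ENV.delete(ENV_KEY)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, value| puts "#{name}: #{value.inspect}" }
end
```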

This can be an issue of broken/invalid SSL certificates. On Mac you can use this command to update the SSL certificates:

rvm osx-ssl-certs update all

A one liner fixes it for Windows in an Admin prompt

choco install wget (first see chocolatey.org)

wget http://curl.haxx.se/ca/cacert.pem -O C:\cacert.pem && setx /M SSL_CERT_FILE "C:\cacert.pem"

Or just do this:

gem sources -r https://rubygems.org/
gem sources -a http://rubygems.org/

Milanio's method:

gem sources -r https://rubygems.org
gem sources -a http://rubygems.org 
gem update --system
gem sources -r http://rubygems.org
gem sources -a https://rubygems.org

gem install [NAME_OF_GEM]

Great answer, solved my issue – krystan honour
Small improvement - you just need to update ruby and then you can add https source back - this just worked for me like a charm: gem sources -r rubygems.org => gem sources -a rubygems.org => gem update --system => gem sources -r rubygems.org => gem sources -a rubygems.org => gem install [NAME_OF_GEM] – milanio

I ran into this issue and the suggested fix of rvm osx-ssl-certs update all did not work despite that I am an RVM user on OSX.

The fix that worked for me was re-installing the latest version of openssl:

brew update
brew remove openssl
brew install openssl

Saved my day. Thanks! – Sagiv Ofek

If you have a symbolic link in the /usr/local/etc/openssl pointing to cert.pem try to do this:

ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE"  # should be /usr/local/etc/openssl
cd /usr/local/etc/openssl
wget http://curl.haxx.se/ca/cacert.pem
ln -s cacert.pem 77ee3751.0  # 77ee3751.0 is my symbolic link, should depend on the openssl version

I tried to install curl-ca-bundle with brew, but the package is no longer available:

$ brew install curl-ca-bundle
Error: No available formula for curl-ca-bundle 
Searching formulae...
Searching taps...

The solution that worked for me on Mac was:

 $ cd /usr/local/etc/openssl/certs/
 $ sudo curl -O http://curl.haxx.se/ca/cacert.pem

Add this line in your ~/.bash_profile (or ~/.zshrc for zsh):

export SSL_CERT_FILE=/usr/local/etc/openssl/certs/cacert.pem

Then update your terminal:

$ source ~/.bash_profile

This worked for me - but the path is wrong. Should be: export SSL_CERT_FILE=/usr/local/etc/openssl/certs/cacert.pem – dnlmzw
This is a nice solution, because of its simplicity. Also, by referencing the added certificate in ~/.bash_profile, it leaves a reminder of what was added (and, crucially where) when further updates are required. – auxbuss
This worked for me. @dnlmzw the path was fine for me but of course this depends on your setup. Thanks! – theartofbeing
didn't work for me when trying to add a private gem server URL that uses a self-signed certificate to my gem sources. OSX 10.11.6 + rbenv – sixty4bit

The reason that you get this error on OSX is the rvm-installed ruby.

If you run into this issue on OSX you can find a really broad explanation of it in this blog post:

http://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html

The short version is that, for some versions of Ruby, RVM downloads pre-compiled binaries, which look for certificates in the wrong location. By forcing RVM to download the source and compile on your own machine, you ensure that the configuration for the certificate location is correct.

The command to do this is:

rvm install 2.2.0 --disable-binary

If you already have the version in question, you can re-install it with:

rvm reinstall 2.2.0 --disable-binary

(obviously, substitute your ruby version as needed).

This worked for me. The blog post you're pointing to is also useful, thanks! – Cristian
This worked for me on El Capitan. I imploded rvm (rvm implode). Installed again with \curl -sSL https://get.rvm.io | bash -s stable --autolibs=homebrew and then rvm install <ruby-version> --disable-binary At one point I also did rvm get head as these are some bleeding edge issues. – rylanb

I fixed this problem by running this in terminal. Full writeup is available over here

rvm install 2.2.0 --disable-binary

If you are running your rails app locally then just add this line at the bottom of application.rb.

OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

After this you can use the app without any issues. You may call it a hack but it is not recommended. Use only when you need to run locally

I had this same issue while working on a Ruby project. I am using Windows 7 64bit.

I resolved this by:

  1. Downloading the cacert.pem file from http://curl.haxx.se/ca/cacert.pem.
  2. Saved that file to C:/RubyCertificates/cacert.pem
  3. Then set my environmental variable "SSL_CERT_FILE" to "C:\RubyCertificates\cacert.pem"

source: https://gist.github.com/fnichol/867550

Since it is Windows, backslashes should be used in the value of the environment variable. – Chriss Baumann
this is the only solution that worked to fix "bundle" for me, after fixing the rubygems ssl error – DonBecker

Sometimes it's not always rvm's problem on Mac OS X. If you remove .rvm and the problem is still there (especially while you back up data from Time Machine), you can try this way.

1. brew update
2. brew install openssl

Adding gem 'certified', '~> 1.0' to my Gemfile and running bundle solved this issue for me.

Installing the following package on Ubuntu fixed the issue for me

sudo apt-get install libssl-dev

Just add gem 'certified' in your gemfile and run bundle install.

  1. gem 'certified'
  2. bundle install

Confirming that this helped on El Capitan. Thanks! – mcmlxxxiii
very accurate solution, thank you – espaciomore
work perfectly! – Nguyen Thanh
This worked on Sierra for me, thanks! – Pandy
It works perfectly with Rails and Debian :) big big thanks! – Szymon Rut

Add this to your gemfile:

gem 'cliver', :git => 'git://github.com/yaauie/cliver', :ref => '5617ce'

Just run the certified-update executable and this command will make sure that all your certificates are up-to-date.

This worked for my Ruby on Rails application in Windows.

I had to reinstall Ruby. This should solve it if you are using Ubuntu & rbenv:

rbenv uninstall your_version

# install dependencies
sudo apt-get install autoconf bison build-essential libssl-dev libyaml-dev libreadline6-dev zlib1g-dev libncurses5-dev libffi-dev libgdbm3 libgdbm-dev

# install ruby with patch
curl -fsSL https://gist.github.com/mislav/055441129184a1512bb5.txt | \
  rbenv install --patch your_version

For more information, check out the rbenv Wiki on the matter.

The latest rubygem-update-2.6.7 has resolved this issue. http://guides.rubygems.org/ssl-certificate-update/

What worked for me is a combination of answers, namely:

# Reinstall OpenSSL
brew update
brew remove openssl
brew install openssl
# Download CURL CA bundle
cd /usr/local/etc/openssl/certs
wget http://curl.haxx.se/ca/cacert.pem
/usr/local/opt/openssl/bin/c_rehash
# Reinstall Ruby from source
rvm reinstall 2.2.3 --disable-binary
