SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed


The dev log shows

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
app/controllers/users_controller.rb:37:in update'


-
Here is a the best solution I was able to find so far //allinonescript.com/a/16983443/11792 – Pavel Nikolov

Ruby can't find any root certificates to trust.

Take a look at this blog post for a solution: "Ruby 1.9 and the SSL error".

The solution is to install the curl-ca-bundle port which contains the same root certificates used by Firefox:

sudo port install curl-ca-bundle


and tell your https object to use it:

https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'


Note that if you want your code to run on Ubuntu, you need to set the ca_path attribute instead, with the default certificates location /etc/ssl/certs.

-
This seems to happen on Windows as well, in which case the solution recommended there won't work. – Bob Aman
this works well with Net::HTTP. – yang

Then, as this blog post suggests,

you might want to install the always_verify_ssl_certificates gem that allow you to set a default value for ca_file.

-

I ran into a similar problem when trying to use the JQuery generator for Rails 3

I solved it like this:

1. Get the CURL Certificate Authority (CA) bundle. You can do this with:

• sudo port install curl-ca-bundle [if you are using MacPorts]
• or just pull it down directly wget http://curl.haxx.se/ca/cacert.pem
2. Execute the ruby code that is trying to verify the SSL certification: SSL_CERT_FILE=/opt/local/etc/certs/cacert.pem rails generate jquery:install. In your case, you want to either set this as an environment variable somewhere the server picks it up or add something like ENV['SSL_CERT_FILE'] = /path/to/your/new/cacert.pem in your environment.rb file.

You can also just install the CA files (I haven't tried this) to the OS -- there are lengthy instructions here -- this should work in a similar fashion, but I have not tried this personally.

Basically, the issue you are hitting is that some web service is responding with a certificate signed against a CA that OpenSSL cannot verify.

-
This worked for me too while trying to connect to my gmail account using Ruby Net::IMAP from a ruby script.Thanks. – Jiggneshh Gohel
Yes, this works fine on ruby-1.9.3. I added it to my bash config. export SSL_CERT_FILE=/usr/local/etc/openssl/certs/cert.pem – andersjanmyr
Thanks, this works great! – Matt Schwartz
I didn't have /usr/local/etc/openssl, so I ran sudo curl http://curl.haxx.se/ca/cacert.pem >> /usr/local/etc/cacert.pem followed by export SSL_CERT_FILE=/usr/local/etc/cacert.pem – Nathanael Jones
I was able to fix this on OS X without setting any environment variables. I'm not sure if I had the same exact problem, but I was getting the same error. For me it was just a matter of putting the cert.pem file in the right place. More details here: //allinonescript.com/a/16741712/62 – Liron Yahdav
Developing on my Mac I just added SSL_CERT_FILE=/usr/local/etc/openssl/cert.pem to my app's .env file and voila - all happy. – Dave Sag
I appreciate the irony of using wget to download curl certificates. – Trey
curl-ca-bundle was removed – aceofspades
This works on Windows as well: //allinonescript.com/questions/27435841/… – Jeff
I was able to fix this just by upgrading openssl. brew update, brew upgrade openssl. – jwadsack
Having a rails app this is what worked for me: do step 1, then place the downloaded cert file into config folder, add in your development.rb the line ENV['SSL_CERT_FILE'] = 'config/cacert.pem' – Denis

Here's another option for debugging purposes.

Be sure never to use this in any production environment, as it will negate benefits of using SSL in the first place. It is only ever valid to do this in your local development environment.

require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

-
Downvoted: Yes, this works, but the barrier to installing a valid CA bundle and actually solving the problem is so low that a solution like this – which near-completely invalidates the security of SSL – is not a solution that should be implemented unless you're in an environment where the Certificate Authority is completely inaccessible (and even then, you should create a local CA that is accessible to both endpoints). – yaauie
It didn't near completely remove SSL protection, it completely removes it. Never do this. – drbrain
For debugging it is sufficient – rickyduck
This produces a warning now in 1.9 – Ivan
Don't use this solution with the excuse that it is sufficient for debugging. Take a look at this one //allinonescript.com/a/16983443/11792 – Pavel Nikolov
never ever do that, it's only stupid workaround and very often leads to problems – lisowski.r
You might as well just not use SSL at all. – alberge
This is a bad solution for production work over the actual Internet, but it is emphatically not true that "you might as well not use SSL at all". Traffic encrypted over the wire is better than traffic in the clear. Yes, you have the possibility of man-in-the-middle attacks, but those are at least one notch harder to stand up than simply eavesdropping on the plaintext traffic as it glides by. – Mark Reed

Here's what I did that helped if you are specifically having a problem on Leopard.

My cert was old and needed to be updated. I downloaded this:

http://curl.haxx.se/ca/cacert.pem

Then replaced my cert which was found here on Leopard:

/usr/share/curl/curl-ca-bundle.crt


Reload whatever you have that's accessing it and you should be good to go!

-

Here's how you can fix it on Windows: https://gist.github.com/867550 (created by Fletcher Nichol)

Excerpt:

The Manual Way (Boring)

Download the cacert.pem file from http://curl.haxx.se/ca/cacert.pem. Save this file to C:\RailsInstaller\cacert.pem.

Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:

set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem


To make this a permanent setting, add this in your control panel.

-
Thank you. This is exceptionally useful and also very simple. – John
The above solution didn't help me. This is a better guide for Windows: //allinonescript.com/questions/5720484/… – Sprachprofi
@Sprachprofi The solution you've linked to will only work for 1 rails project at a time (as you're pointing directly to that cert). The gist I've linked to (created by Fletcher Nichol) will allow it to cover every project/gem that's looking for a certificate. – ryanjones
Wow, thanks that was easy! =D – G4bri3l
Thanks a lot, worked for me. :) – santosh kore
you made my day, thank you :) – Iglesk

On Mac OS X Lion with the latest macport:

sudo port install curl-ca-bundle
export SSL_CERT_FILE=/opt/local/share/curl/curl-ca-bundle.crt


Then, rerun the failed job.

Note, the cert file location seems to have changed since Eric G answered on May 12.

-
After all of the searching and a multitude of attempts, this was the only thing that solved the problem. Thanks! – shawnwall
Same here. Thanks dude! – marcamillion
cool, that fixed it. But as long as openssl is installed with homebrew, you have to add a export SSL_CERT_FILE=/usr/local/etc/openssl/cacert.pem to your .profile or .bashrc file – 23tux
This worked for me as well. – Steph Rose

Just because instructions were a slight bit different for what worked for me, I thought I add my 2 cents:

I'm on OS X Lion and using macports and rvm

I installed curl-ca-bundle:

sudo port install curl-ca-bundle


Then I adjusted my omniauth config to be this:

Rails.application.config.middleware.use OmniAuth::Builder do
:ssl => {:ca_path => "/share/curl/curl-ca-bundle.crt"}
end

-
You could (and probably should) forgo the entire CA Zoo (ca-bundle.crt) and use Google Internet Authority G2 in :ssl => {:ca_path => "/share/curl/curl-ca-bundle.crt"}. That's the only one needed to certify connections to Google. – jww

Well this worked for me

rvm pkg install openssl
rvm reinstall 1.9.2 --with-openssl-dir=$rvm_path/usr  Something is wrong with openssl implementation of my ubuntu 12.04 - I have this same issue – aren55555 This works, but I had to finish with this : curl -O http://curl.haxx.se/ca/cacert.pem, mv cacert.pem cert.pem, mv cert.pem$rvm_path/usr/ssl – Raf
Worked for me, Mac OS X Yosemite. Thanks! – user2038085

The issue is that ruby can not find a root certificate to trust. As of 1.9 ruby checks this. You will need to make sure that you have the curl certificate on your system in the form of a pem file. You will also need to make sure that the certificate is in the location that ruby expects it to be. You can get this certificate at...

http://curl.haxx.se/ca/cacert.pem


If your a RVM and OSX user then your certificate file location will vary based on what version of ruby your using. Setting the path explicitly with :ca_path is a BAD idea as your code will not be portable when it gets to production. There for you want to provide ruby with a certificate in the default location(and assume your dev ops guys know what they are doing). You can use dtruss to work out where the system is looking for the certificate file.

In my case the system was looking for the cert file in

/Users/stewart.matheson/.rvm/usr/ssl/cert.pem


however MACOSX system would expect a certificate in

/System/Library/OpenSSL/cert.pem


I copied the downloaded cert to this path and it worked. HTH

-
For me on Ubuntu 12.04, the cert path which works is ~/.rvm/usr/ssl/cert.pem – Nazar Hussain
How do you use dtruss to work out where the system is looking for the certificate? – pingu
@pingu can't remember the exact command basically you run druss and you tell it to run what ever ruby process you want it to "inspect". It's output is very verbose but basically you will be able to see each system call ruby is making. One of the calls will be a read file call which will be pointing to a file that does not exist. Move the cert here or create a link and you should be good to go. – Stewart
Ruby should not be looking for a cacert.pem on OS X. OS X does not use cacert.pem. System and user certificates are stored in the KeyChain. Ruby should be integrating with the KeyChain on OS X. – jww
What is the best way to do this? Can you post an example? – Stewart

The new certified gem is designed to fix this:

https://github.com/stevegraham/certified

-
worked for me. osx mountain lion/rvm/1.9 – thekindofme
does not work for ruby 2.0 – Rubytastic
Works with ruby 2.0.0p481 (2014-05-08) [i386-mingw32] – Evmorov
Not working for me with Rails 4.1.9, ruby-2.1.5. I added it to the Gemfile, bundle, explicitly added require "certified" just to be sure, and nothing changes. What am I missing? – Isaac Betesh
Ruby should not be looking for a cacert.pem on OS X. OS X does not use cacert.pem. System and user certificates are stored in the KeyChain. Ruby should be integrating with the KeyChain on OS X. OpenSSL has never distributed a cacert.pem. Its not clear to me why any software would defer to OpenSSL for it. – jww
I couldn't get that to work. – djangofan

This worked for me. If you using rvm and brew:

rvm remove 1.9.3
brew install openssl
rvm install 1.9.3 --with-openssl-dir=brew --prefix openssl

-

OSX solution:

install latest rvm stable version

rvm get stable


use rvm command to solve the certificates automatically

rvm osx-ssl-certs update all

-
I tried this and it didn't work for me. Here's my solution: //allinonescript.com/a/16741712/62 – Liron Yahdav
Worked for me after installing Ruby 2.0.0 via RVM. – Chris Peters

If you're using RVM on OS X, you probably need to run this:

rvm osx-ssl-certs update all


And here is the full explanation: https://github.com/wayneeseguin/rvm/blob/master/help/osx-ssl-certs.md

Update

On Ruby 2.2, you may have to reinstall Ruby from source to fix this. Here's how (replace 2.2.3 with your Ruby version):

rvm reinstall 2.2.3 --disable-binary


Credit to //allinonescript.com/a/32363597/4353 and Ian Connor.

-
Here is a much more comprehensive writeup with alternatives: railsapps.github.io/openssl-certificate-verify-failed.html – Peter P.
ERROR: rvm update has been removed. See 'rvm get' and rvm 'rubygems' CLI API instead – yang
@user432506 How did you get that error? I'm using latest stable RVM and it still works. – htanata
Worked perfectly, thanks! – Robin
Found this magic line of code after hours of pain. Thank you! – Per
I am using pod install,and this method work perfectly,thanks a lot. – inix
This would work for a while, then fail for me. What worked for me was running rvm reinstall 2.2.0 --disable-binary but then you have to bundle install and start fresh. – Ian Connor
@IanConnor Yes, I've just encountered this issue yesterday and planned to update my answer. Thank you! – htanata
@IanConnor you saved me. This worked under 10.11.3 / rvm ruby 2.2.3 very much appreciated, sir. – fmquaglia
This was a huge lifesaver and should be the accepted answer. – Siraris

sudo apt-get install openssl ca-certificates


And voila!!!

-
Wish I could up vote more than once cause you just saved me so much time! – Stephen
@Stephen - I wish you could too :-). It saved me a lot of time, so I thought I'd post it here, and it might help someone else too. – Pratik Bothra

OS X 10.8.x with Homebrew:

brew install curl-ca-bundle
brew list curl-ca-bundle
cp /usr/local/Cellar/curl-ca-bundle/1.87/share/ca-bundle.crt /usr/local/etc/openssl/cert.pem

-
Works for me on 10.9 as well. – Sami Samhuri
Ok for me, OS X 10.9.1. Awesome! – rogeriopradoj
Something is severely broken when you have to hunt down random solutions to fix these dumb problems. All of these answer do something entirely different and all of them seemed to help people at some point. WTF? – sergserg
curl-ca-bundle was revmoved from brew – Fa11enAngel

I had trouble for a number of days and was hacking around. This link proved out to be extremely helpful for me. It helped me to do a successful upgrade of the SSL on MAC OS X 9.

-

While knowing it's rather a lame solution, I'm still sharing this because it seems like very few people answering here use Windows, and I think some of Windows users (me included) would appreciate a simple and intuitive approach.

require 'openssl'
puts OpenSSL::X509::DEFAULT_CERT_FILE


That tells where your openssl is looking for the cert file. My name is not Luis, but mine was C:/Users/Luis/Code/luislavena/knap-build/var/knapsack/software/x86-windows/openssl/1.0.0l/ssl/cert.pem. The path may be different depending on each own environments (e.g. openknapsack instead of luislavena).

The path didn't change even after set SSL_CERT_FILE=C:\foo\bar\baz\cert.pem via the console, so... I created the directory C:\Users\Luis\Code\luislavena\knap-build\var\knapsack\software\x86-windows\openssl\1.0.0l\ssl in my local disk and put a cert file into it.

Lame as it is, this will surely work.

-
Brilliant. Hacky, but this was the only thing that solved my problem. – Daniel Magliola
On Windows I solved with: github.com/stevegraham/certified – Sebtm
Nice way of debugging... For me the user was "Justin". Googling shows this seems to be a known issue with RubyInstaller. Unfortunately, creating that directory (+ pem file) myself, didn't solve the issue for me – Wouter

This can be the issue of the broken/invalid SSL certificates. On mac you can use this command to update the SSL certificates:

rvm osx-ssl-certs update all

-

A one liner fixes it for Windows in an Admin prompt

choco install wget (first see chocolatey.org)

wget http://curl.haxx.se/ca/cacert.pem -O C:\cacert.pem && setx /M SSL_CERT_FILE "C:\cacert.pem"


Or just do this:

gem sources -r https://rubygems.org/
gem sources -a http://rubygems.org/


Milanio's method:

gem sources -r https://rubygems.org
gem sources -a http://rubygems.org
gem update --system
gem sources -r http://rubygems.org
gem sources -a https://rubygems.org

gem install [NAME_OF_GEM]

-
great answer solved my issue – krystan honour
Small improvement - you just need to update ruby and then you can add https source back - this just worked for me like a charm: gem sources -r rubygems.org => gem sources -a rubygems.org => gem update --system => gem sources -r rubygems.org => gem sources -a rubygems.org => gem install [NAME_OF_GEM] – milanio

I ran into this issue and the suggested fix of rvm osx-ssl-certs update all did not work despite that I am an RVM user on OSX.

The fix that worked for me was re-installing the latest version of openssl:

brew update
brew remove openssl
brew install openssl

-
saved my day. thanks! – Sagiv Ofek

If you have a symbolic link in the /usr/local/etc/openssl pointing to cert.pem try to do this:

ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE" (should be /usr/local/etc/openssl)
cd /usr/local/etc/openssl
wget http://curl.haxx.se/ca/cacert.pem
ln -s cacert.pem 77ee3751.0 (77ee3751.0 is my symbolic link, should depend on the openssl version)

-

I've try install curl-ca-bundle with brew, but the package is no available more:

$brew install curl-ca-bundle Error: No available formula for curl-ca-bundle Searching formulae... Searching taps...  The solution that worked to me on Mac was: $ cd /usr/local/etc/openssl/certs/
$sudo curl -O http://curl.haxx.se/ca/cacert.pem  Add this line in your ~/.bash_profile (or ~/.zshrc for zsh): export SSL_CERT_FILE=/usr/local/etc/openssl/certs/cacert.pem  Then update your terminal: $ source ~/.bash_profile

-
This worked for me - but the path is wrong. Should be: export SSL_CERT_FILE=/usr/local/etc/openssl/certs/cacert.pem – dnlmzw
This is a nice solution, because of its simplicity. Also, by referencing the added certificate in ~/.bash_profile, it leaves a reminder of what was added (and, crucially where) when further updates are required. – auxbuss
This worked for me. @dnlmzw the path was fine for me but of course this depends on your setup. Thanks! – theartofbeing
didn't work for me when trying to add a private gem server URL that uses a self-signed certificate to my gem sources. OSX 10.11.6 + rbenv – sixty4bit

The reason that you get this error on OSX is the rvm-installed ruby.

If you run into this issue on OSX you can find a really broad explanation of it in this blog post:

The short version is that, for some versions of Ruby, RVM downloads pre-compiled binaries, which look for certificates in the wrong location. By forcing RVM to download the source and compile on your own machine, you ensure that the configuration for the certificate location is correct.

The command to do this is:

rvm install 2.2.0 --disable-binary


if you already have the version in question, you can re-install it with:

rvm reinstall 2.2.0 --disable-binary


(obviously, substitute your ruby version as needed).

-
This worked for me. The blog post you're pointing to is also useful, thanks! – Cristian
This worked for me on El Capitan. I imploded rvm (rvm implode). Installed again with \curl -sSL https://get.rvm.io | bash -s stable --autolibs=homebrew and then rvm install <ruby-version> --disable-binary At one point I also did rvm get head as these are some bleeding edge issues. – rylanb

I fixed this problem by running this in terminal. Full writeup is available over here

rvm install 2.2.0 --disable-binary

-

If you are running your rails app locally then just add this line at the bottom of application.rb.

OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE


After this you can use the app without any issues. You may call it a hack but it is not recommended. Use only when you need to run locally

-

I had this same issue while working on a Ruby project. I am using Windows 7 64bit.

I resolved this by:

2. Saved that file to C:/RubyCertificates/cacert.pem
3. Then set my environmental variable "SSL_CERT_FILE" to "C:\RubyCertificates\cacert.pem"
-
Since it is Windows, backslahes should be used in the value of the environment variable. – Chriss Baumann
this is the only solution that worked to fix "bundle" for me, after fixing the rubygems ssl error – DonBecker

Sometime it's not always rvm's problem in MAC OSX,if you remove .rvm,the problem still(espcially while you backup data from timemachine) ,you can try this way.

1.brew update
2.brew install openssl

-

Adding gem 'certified', '~> 1.0' to my Gemfile and running bundle solved this issue for me.

-

Installing the following package on Ubuntu fixed the issue for me

sudo apt-get install libssl-dev

-

1. gem 'certified'
2. bundle install
-
Confirming that this helped on El Capitan. Thanks! – mcmlxxxiii
very accurate solution, thank you – espaciomore
work perfectly! – Nguyen Thanh
This worked on Sierra for me, thanks! – Pandy
It works perfectly with Rails and Debian :) big big thanks! – Szymon Rut

gem 'cliver', :git => 'git://github.com/yaauie/cliver', :ref => '5617ce' 

-

Just run the certified-update executable and this command will make sure that all your certificates are up-to-date.

This worked for my Ruby on Rails application in Windows.

-

I had to reinstall Ruby. This should solve it if you are using Ubuntu & rbenv:

rbenv uninstall your_version

# install dependencies
sudo apt-get install autoconf bison build-essential libssl-dev libyaml-dev libreadline6-dev zlib1g-dev libncurses5-dev libffi-dev libgdbm3 libgdbm-dev

# install ruby with patch
curl -fsSL https://gist.github.com/mislav/055441129184a1512bb5.txt | \
rbenv install --patch your_version


-

The latest rubygem-update-2.6.7 has resolved this issue. http://guides.rubygems.org/ssl-certificate-update/

-

What worked for me is a combination of answers, namely:

# Reinstall OpenSSL
brew update
brew remove openssl
brew install openssl
`