OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Question

I used RVM to install Ruby 1.9.3 on Ubuntu 12.04 by doing

rvm pkg install openssl
rvm install 1.9.3 --with-openssl-dir=$rvm_path/usr

And then when I try to run something along the lines of:

require 'open-uri'
open('https://www.google.com/')

I get the error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

How do I solve this? I have many similar threads where people have this problem in OSX, but how do I resolve it in Ubuntu?

Thanks for your help.

Answer 1

Check your system clock!!

Hit this error on a virtual machine after a long period (1 week) without use. Updating my system clock fixed the issue immediately.

If you're running ntpd then ntpdate -b -u pool.ntp.org will do that for you.

Answer 2

This did now work for me. Things starting working when I ran "brew doctor", which led me to clues like "unset SSL_CERT_DIR"

Answer 3

Add the 'certified' gem to your Gemfile.

More info: https://rubygems.org/gems/certified

Answer 4

See http://jjinux.blogspot.nl/2012/02/ruby-working-around-ssl-errors-on-os-x.html as an alternative answer to your question, it should work for both Ubuntu and Mac OS X users and it doesn't require a change in the environment variables.

The solution from the above link:

# config/initializers/fix_ssl.rb
# 
# Work around errors that look like:
#
#   SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

require 'open-uri'
require 'net/https'

module Net
  class HTTP
    alias_method :original_use_ssl=, :use_ssl=

    def use_ssl=(flag)
      # Ubuntu
      if File.exists?('/etc/ssl/certs')
        self.ca_path = '/etc/ssl/certs'

      # MacPorts on OS X
      # You'll need to run: sudo port install curl-ca-bundle
      elsif File.exists?('/opt/local/share/curl/curl-ca-bundle.crt')
        self.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'
      end

      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
      self.original_use_ssl = flag
    end
  end
end

Answer 5

The cacert.pem file is missing from rvm installed openssl.

$ cd $rvm_path/usr/ssl
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
$ sudo mv cacert.pem cert.pem

Answer 6

That sometimes happens if the default 'OpenSSL directory' is not set correctly with the native OpenSSL library. open-uri uses OpenSSL::X509::Store#set_default_paths in order to tell OpenSSL to look in the OpenSSL directory for the file that contains the trusted root certificates that OpenSSL trusts by default.

In your case, this lookup fails. You can make it succeed by setting an environment variable that overrides the default setting and tells OpenSSL to look in that directory instead:

export SSL_CERT_FILE=/etc/pki/tls/cert.pem

That's the default location for the root CA bundle on my Fedora 16 64 bit, other popular locations are /etc/ssl/ca-bundle.crt etc. In your case, the OpenSSL library used by RVM is located in $rvm_path/usr, so you should look around there for a suitable candidate for the default root CA file. After the environment variable is set correctly, the call to open-uri will succeed.

To make the environment variable permanent, use the usual ways such as defining the export in .bashrc, /etc/profile or whatever fits best in your situation.