Vikash

Reputation: 2927

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I am using Authlogic-Connect for third-party logins. After running the appropriate migrations, Twitter/Google/Yahoo logins seem to work fine, but the Facebook login throws an exception:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

The dev log shows

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
  app/controllers/users_controller.rb:37:in `update'

Please suggest..

Upvotes: 291

Views: 293496

Answers (30)

Martin

Reputation: 144

In my case, Twilio Ruby was generating the same error, so I solved it by assigning the ssl-ca file in object initialization.

e.g.

client = Twilio::REST::Client.new sid, token, :ssl_ca_file => '/path/to/file'

On Ubuntu 22.04, the file is located at /etc/ssl/certs/ca-certificates.crt

credit: https://stackoverflow.com/a/8873533/1663718

Upvotes: 0

Uj Corb

Reputation: 2189

Having this issue with Ruby 2.3.4:

I solved it by uninstalling OpenSSL and reinstalling it. I ran:

brew uninstall --ignore-dependencies openssl

then

brew install openssl

It did the job.

Upvotes: 1

ryanjones

Reputation: 5521

Here's how you can fix it on Windows: https://gist.github.com/867550 (created by Fletcher Nichol)

Excerpt:

The Manual Way (Boring)

Download the cacert.pem file from http://curl.haxx.se/ca/cacert.pem. Save this file to C:\RailsInstaller\cacert.pem.

Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:

set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem

To make this a permanent setting, add this in your control panel.

Upvotes: 130

Henry

Reputation: 17851

I had this same issue while working on a Ruby project. I am using Windows 7 64bit.

I resolved this by:

  1. Downloading the cacert.pem file from http://curl.haxx.se/ca/cacert.pem.
  2. Saved that file to C:/RubyCertificates/cacert.pem
  3. Then set my environmental variable "SSL_CERT_FILE" to "C:\RubyCertificates\cacert.pem"

source: https://gist.github.com/fnichol/867550

Upvotes: 10

Jonathan

Reputation: 7128

A one liner fixes it for Windows in an Admin prompt

choco install wget (first see chocolatey.org)

wget http://curl.haxx.se/ca/cacert.pem -O C:\cacert.pem && setx /M SSL_CERT_FILE "C:\cacert.pem"

Or just do this:

gem sources -r https://rubygems.org/
gem sources -a http://rubygems.org/

Milanio's method:

gem sources -r https://rubygems.org
gem sources -a http://rubygems.org 
gem update --system
gem sources -r http://rubygems.org
gem sources -a https://rubygems.org

gem install [NAME_OF_GEM]

Upvotes: 14

suda

Reputation: 2644

What worked for me is a combination of answers, namely:

# Reinstall OpenSSL
brew update
brew remove openssl
brew install openssl
# Download CURL CA bundle
cd /usr/local/etc/openssl/certs
wget http://curl.haxx.se/ca/cacert.pem
/usr/local/opt/openssl/bin/c_rehash
# Reinstall Ruby from source
rvm reinstall 2.2.3 --disable-binary

Upvotes: 2

singh2005

Reputation: 1311

The latest rubygem-update-2.6.7 has resolved this issue. http://guides.rubygems.org/ssl-certificate-update/

Upvotes: 1

ndnenkov

Reputation: 36110

I had to reinstall Ruby. This should solve it if you are using Ubuntu & rbenv:

rbenv uninstall your_version

# install dependencies
sudo apt-get install autoconf bison build-essential libssl-dev libyaml-dev libreadline6-dev zlib1g-dev libncurses5-dev libffi-dev libgdbm3 libgdbm-dev

# install ruby with patch
curl -fsSL https://gist.github.com/mislav/055441129184a1512bb5.txt | \
  rbenv install --patch your_version

For more information, check out the rbenv Wiki on the matter.

Upvotes: 0

Saurin Parikh

Reputation: 9

Just run the certified-update executable and this command will make sure that all your certificates are up-to-date.

This worked for my Ruby on Rails application in Windows.

Upvotes: 0

Tarun Rathi

Reputation: 597

If you are running your rails app locally then just add this line at the bottom of application.rb.

OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

After this you can use the app without any issues. You may call it a hack but it is not recommended. Use only when you need to run locally.

Upvotes: 3

Jesse Farmer

Reputation: 469

Add this to your Gemfile:

gem 'cliver', :git => 'git://github.com/yaauie/cliver', :ref => '5617ce'

Upvotes: -1

Nitish Kumar

Reputation: 419

Just add gem 'certified' in your Gemfile and run bundle install.

  1. gem 'certified'
  2. bundle install

Upvotes: 18

bruckerrlb

Reputation: 305

Installing the following package on Ubuntu fixed the issue for me

sudo apt-get install libssl-dev

Upvotes: 0

user2573222

Reputation: 207

Adding gem 'certified', '~> 1.0' to my Gemfile and running bundle solved this issue for me.

Upvotes: 1

Albert.Qing

Reputation: 4625

It's not always rvm's problem on Mac OS X: if you remove .rvm and the problem still persists (especially when you back up data from Time Machine), you can try this way.

1. brew update
2. brew install openssl

Upvotes: 1

htanata

Reputation: 36954

If you're using RVM on OS X, you probably need to run this:

rvm osx-ssl-certs update all

More information here: http://rvm.io/support/fixing-broken-ssl-certificates

And here is the full explanation: https://github.com/wayneeseguin/rvm/blob/master/help/osx-ssl-certs.md


Update

On Ruby 2.2, you may have to reinstall Ruby from source to fix this. Here's how (replace 2.2.3 with your Ruby version):

rvm reinstall 2.2.3 --disable-binary

Credit to https://stackoverflow.com/a/32363597/4353 and Ian Connor.

Upvotes: 139

Wraithseeker

Reputation: 1904

I fixed this problem by running this in terminal. Full writeup is available over here

rvm install 2.2.0 --disable-binary

Upvotes: 4

Scott

Reputation: 7284

Here's another option for debugging purposes.

Be sure never to use this in any production environment, as it will negate benefits of using SSL in the first place. It is only ever valid to do this in your local development environment.

require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

Upvotes: 15
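
A check that keeps this debugging override out of shipped code, as an added example (not part of the original answer): it scans Ruby source text for the constant override shown above and for verify_mode being set to VERIFY_NONE. The pattern names, the function name and the files in SAMPLE_SOURCES are constructed for illustration.

```ruby
# Ways Ruby code switches off certificate verification.
DISABLE_PATTERNS = {
  constant_override:
    /OpenSSL::SSL::VERIFY_PEER\s*=(?!=)\s*OpenSSL::SSL::VERIFY_NONE/,
  verify_mode_none:
    /verify_mode\s*(?:=>|=(?!=)|:)\s*OpenSSL::SSL::VERIFY_NONE/
}.freeze

# Constructed sample sources (file name => contents), not from a real project.
SAMPLE_SOURCES = {
  'config/application.rb' => <<~RB,
    require 'openssl'
    OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
  RB
  'lib/client.rb' => <<~RB,
    http.use_ssl = true
    # http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    warn 'insecure' if http.verify_mode == OpenSSL::SSL::VERIFY_NONE
  RB
  'lib/legacy.rb' => "http.verify_mode = OpenSSL::SSL::VERIFY_NONE\n"
}.freeze

# Returns [path, line_number, kind] for every non-comment line that
# disables verification. Comparisons (==) are not assignments and are ignored.
def find_disabled_verification(sources)
  sources.flat_map do |path, text|
    text.each_line.with_index(1).flat_map do |line, no|
      next [] if line.lstrip.start_with?('#')

      DISABLE_PATTERNS.select { |_, re| line =~ re }
                      .keys.map { |kind| [path, no, kind] }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  find_disabled_verification(SAMPLE_SOURCES).each do |path, no, kind|
    puts "#{path}:#{no}: #{kind}"
  end
end
```

Run as a CI step over the application's own .rb files, a non-empty result can fail the build.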

paulmorar

Reputation: 353

The reason that you get this error on OSX is the rvm-installed ruby.

If you run into this issue on OSX you can find a really broad explanation of it in this blog post:

http://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html

The short version is that, for some versions of Ruby, RVM downloads pre-compiled binaries, which look for certificates in the wrong location. By forcing RVM to download the source and compile on your own machine, you ensure that the configuration for the certificate location is correct.

The command to do this is:

rvm install 2.2.0 --disable-binary

if you already have the version in question, you can re-install it with:

rvm reinstall 2.2.0 --disable-binary

(obviously, substitute your ruby version as needed).

Upvotes: 24

monteirobrena

Reputation: 2620

I tried to install curl-ca-bundle with brew, but the package is no longer available:

$ brew install curl-ca-bundle
Error: No available formula for curl-ca-bundle 
Searching formulae...
Searching taps...

The solution that worked for me on Mac was:

 $ cd /usr/local/etc/openssl/certs/
 $ sudo curl -O http://curl.haxx.se/ca/cacert.pem

Add this line in your ~/.bash_profile (or ~/.zshrc for zsh):

export SSL_CERT_FILE=/usr/local/etc/openssl/certs/cacert.pem

Then update your terminal:

$ source ~/.bash_profile

Upvotes: 12

abcd_win

Reputation: 107

This can be an issue with broken/invalid SSL certificates. On Mac you can use this command to update the SSL certificates:

rvm osx-ssl-certs update all

Upvotes: 0

Mike Park

Reputation: 1985

On Mac OS X Lion with the latest macport:

sudo port install curl-ca-bundle  
export SSL_CERT_FILE=/opt/local/share/curl/curl-ca-bundle.crt  

Then, rerun the failed job.

Note, the cert file location seems to have changed since Eric G answered on May 12.

Upvotes: 17

Duccio Giovannelli

Reputation: 329

If you have a symbolic link in the /usr/local/etc/openssl pointing to cert.pem try to do this:

ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE"  # should be /usr/local/etc/openssl
cd /usr/local/etc/openssl
wget http://curl.haxx.se/ca/cacert.pem
ln -s cacert.pem 77ee3751.0  # 77ee3751.0 is my symbolic link, should depend on the openssl version

Upvotes: 2

Dave Brace

Reputation: 1809

I ran into this issue and the suggested fix of rvm osx-ssl-certs update all did not work, even though I am an RVM user on OSX.

The fix that worked for me was re-installing the latest version of openssl:

brew update
brew remove openssl
brew install openssl

Upvotes: 4

Quv

Reputation: 3149

While knowing it's rather a lame solution, I'm still sharing this because it seems like very few people answering here use Windows, and I think some Windows users (me included) would appreciate a simple and intuitive approach.

require 'openssl'
puts OpenSSL::X509::DEFAULT_CERT_FILE

That tells you where your openssl is looking for the cert file. My name is not Luis, but mine was C:/Users/Luis/Code/luislavena/knap-build/var/knapsack/software/x86-windows/openssl/1.0.0l/ssl/cert.pem. The path may be different depending on your own environment (e.g. openknapsack instead of luislavena).

The path didn't change even after set SSL_CERT_FILE=C:\foo\bar\baz\cert.pem via the console, so... I created the directory C:\Users\Luis\Code\luislavena\knap-build\var\knapsack\software\x86-windows\openssl\1.0.0l\ssl in my local disk and put a cert file into it.

Lame as it is, this will surely work.

Upvotes: 12

Erik G.

Reputation: 1599

I ran into a similar problem when trying to use the JQuery generator for Rails 3.

I solved it like this:

  1. Get the CURL Certificate Authority (CA) bundle. You can do this with:

    • sudo port install curl-ca-bundle [if you are using MacPorts]
    • or just pull it down directly wget http://curl.haxx.se/ca/cacert.pem
  2. Execute the Ruby code that is trying to verify the SSL certification: SSL_CERT_FILE=/opt/local/etc/certs/cacert.pem rails generate jquery:install. In your case, you want to either set this as an environment variable somewhere the server picks it up or add something like ENV['SSL_CERT_FILE'] = '/path/to/your/new/cacert.pem' in your environment.rb file.

You can also just install the CA files (I haven't tried this) to the OS -- there are lengthy instructions here -- this should work in a similar fashion, but I have not tried this personally.

Basically, the issue you are hitting is that some web service is responding with a certificate signed against a CA that OpenSSL cannot verify.

Upvotes: 140

PackedUp

Reputation: 391

I had trouble for a number of days and was hacking around. This link proved to be extremely helpful for me. It helped me to do a successful upgrade of the SSL on Mac OS X 9.

Upvotes: 1

Synthesis

Reputation: 230

OS X 10.8.x with Homebrew:

brew install curl-ca-bundle
brew list curl-ca-bundle
cp /usr/local/Cellar/curl-ca-bundle/1.87/share/ca-bundle.crt /usr/local/etc/openssl/cert.pem

Upvotes: 7

Pratik Bothra

Reputation: 2694

The most straightforward answer which worked for me was this

sudo apt-get install openssl ca-certificates

And voila!!!

Upvotes: 7

martoche

Reputation: 529

Ruby can't find any root certificates to trust.

Take a look at this blog post for a solution: "Ruby 1.9 and the SSL error".

The solution is to install the curl-ca-bundle port which contains the same root certificates used by Firefox:

sudo port install curl-ca-bundle

and tell your https object to use it:

https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'

Note that if you want your code to run on Ubuntu, you need to set the ca_path attribute instead, with the default certificates location /etc/ssl/certs.

Upvotes: 31
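
The failure this answer describes, reproduced offline as an added example (not part of the original answer): a leaf certificate is checked against a trust store with no CA bundle and then against one loaded from a CA file, which is what ca_file or SSL_CERT_FILE supplies. The CA, the leaf certificate and the helper names make_cert, verify_with and constructed_demo are constructed for this illustration.

```ruby
require 'openssl'
require 'tempfile'

# Build a certificate for `subject`; self-signed unless an issuer is given.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = (issuer || cert).subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  constraint = ca ? 'CA:TRUE' : 'CA:FALSE'
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension('basicConstraints', constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify `leaf` using only the roots found in `ca_file` (nil or an empty file
# models a Ruby build that cannot find its bundle).
# Returns [verified?, OpenSSL error string].
def verify_with(leaf, ca_file)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file) if ca_file && File.size?(ca_file)
  [store.verify(leaf), store.error_string]
end

# Constructed CA and leaf; nothing here touches the network or system store.
def constructed_demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Constructed Example Root', ca_key, ca: true)
  leaf = make_cert('/CN=service.example', OpenSSL::PKey::RSA.new(2048),
                   issuer: ca, issuer_key: ca_key)
  Tempfile.create('cacert') do |f|
    f.write(ca.to_pem)
    f.flush
    { without_bundle: verify_with(leaf, nil),
      with_bundle: verify_with(leaf, f.path) }
  end
end

p constructed_demo if __FILE__ == $PROGRAM_NAME
```

The leaf certificate is identical in both calls; only the set of trusted roots changes, which is why supplying the right bundle resolves the error without touching verify_mode.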
