certificate verify failed (Faraday::SSLError) #253

Closed
crypticsymbols opened this Issue Jul 10, 2015 · 38 comments

crypticsymbols commented Jul 10, 2015

OSX 10.10.3, Ruby 2.2.1p85, gem version 0.9.pre1

Full error:

/Users/username/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (Faraday::SSLError)
    from /Users/asmith/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:923:in `block in connect'
    from /Users/asmith/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/timeout.rb:74:in `timeout'
    from /Users/asmith/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:923:in `connect'
    from /Users/asmith/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:863:in `do_start'
    from /Users/asmith/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:852:in `start'
    from /Users/asmith/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:1375:in `request'
    from /Users/asmith/.rvm/gems/ruby-2.2.1/gems/faraday-0.9.1/lib/faraday/adapter/net_http.rb:82:in `perform_request'
    from /Users/asmith/.rvm/gems/ruby-2.2.1/gems/faraday-0.9.1/lib/faraday/adapter/net_http.rb:40:in `block in call'
    from /Users/asmith/.rvm/gems/ruby-2.2.1/gems/faraday-0.9.1/lib/faraday/adapter/net_http.rb:87:in `with_net_http_connection'
    from /Users/asmith/.rvm/gems/ruby-2.2.1/gems/faraday-0.9.1/lib/faraday/adapter/net_http.rb:32:in `call'
    from /Users/asmith/.rvm/gems/ruby-2.2.1/gems/faraday-0.9.1/lib/faraday/request/url_encoded.rb:15:in `call'
    from /Users/asmith/.rvm/gems/ruby-2.2.1/gems/signet-0.6.1/lib/signet/oauth_2/client.rb:957:in `fetch_access_token'
    from /Users/asmith/.rvm/gems/ruby-2.2.1/gems/signet-0.6.1/lib/signet/oauth_2/client.rb:983:in `fetch_access_token!'
    from run.rb:17:in `<main>'

I am able to hotwire with this at the top:

require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

...but that kinda sucks.

sqrrrl Jul 10, 2015

Contributor

See #235 for a workaround. The cert bundle in this library has the correct roots. Setting an env variable will have signet pick it up.

I'll take a look at cleaning up signet so it picks up the correct roots by default next week.

radar Jul 21, 2015

I was getting this issue on my Mac too. brew update and then brew upgrade openssl fixed it.

radar Jul 30, 2015

@sqrrrl I think this issue can be closed now as it can be fixed by updating openssl.

asamasoma Aug 6, 2015

@sqrrrl Updating openssl didn't solve this problem for me. I have to set SSL_CERT_FILE to the bundled cacerts.pem file.

crypticsymbols Aug 7, 2015

FWIW, this is what worked for me:

cert_path = Gem.loaded_specs['google-api-client'].full_gem_path+'/lib/cacerts.pem'
ENV['SSL_CERT_FILE'] = cert_path

Vanuan commented Sep 24, 2015

Worth linking: rvm/rvm#3330

stevestofiel Oct 9, 2015

FWIW, this is what worked for me:

cert_path = Gem.loaded_specs['google-api-client'].full_gem_path+'/lib/cacerts.pem'
ENV['SSL_CERT_FILE'] = cert_path

Thanks crypticsymbols! That worked for me as well on:

ruby 2.2.1p85 (2015-02-26 revision 49769) [x86_64-darwin14] on OS X 10.10.5)
google-api-client (0.8.6)
googleauth (0.4.2)
signet (0.6.1)
jwt (1.5.1)

schmierkov Oct 15, 2015

@crypticsymbols thanks a lot, that works for me too!

Vanuan Oct 15, 2015

It's far better not to touch any code and fix the damn OS X's ruby 2.2.1 binary.

crypticsymbols Oct 15, 2015

I agree with @Vanuan, code was just a stopgap measure and the other approach is better.

psk11 Nov 5, 2015

@Vanuan it did not work for me

Yenwod Nov 18, 2015

Here is what worked for me:

I'm running OS X 10.11.1, Ruby 2.2.1, openssl 1.0.2d_1

Upgrading to Ruby 2.2.3 fixed the problem.

dblommesteijn Jan 8, 2016

A system-wide solution would be this (for Yosemite and Ruby 2.2.1):

Download http://curl.haxx.se/ca/cacert.pem and save it, replacing /usr/local/etc/openssl/cert.pem. Add export SSL_CERT_FILE=/usr/local/etc/openssl/cert.pem to your .bash_profile. All net::http will pick up on ENV['SSL_CERT_FILE'].

RVM and ruby seem to have an outdated CA cert.

jb41 Feb 22, 2016

@dblommesteijn thanks, works for me

bgerd Mar 10, 2016

@stevestofiel went with your fix thanks!

i'm running stock: ruby 2.2.1p85.

katrusso Mar 12, 2016

@dblommesteijn Thanks, this solution worked for me. :)

flyfy1 Mar 29, 2016

Just in case anyone is still facing this issue: upgrading to Ruby 2.3.0 helped me. (was on 2.2.3)

schanami Mar 29, 2016

Same issues here that everyone else went through.

I'm on El Capitan 10.11 and using version ruby 2.2.0

Tried the cert.pem replacement
Tried switching to 2.1.0 and 2.3.0
Tried: rvm osx-ssl-certs update all

What worked for me:
rvm reinstall 2.2.0 --disable-binary
gem pristine nokogiri --version 1.6.7.2

mike0416 Mar 30, 2016

like @flyfy1 upgrading to Ruby 2.3.0 fixed the issue for me as well

p55 Mar 31, 2016

upgrading ruby to 2.3.0 solved it for me as well

aral Mar 31, 2016

With rvm (with Ruby 2.2.3 installed), on OS X, what fixed it for me was:

rvm requirements

arek-rst Apr 11, 2016

@schanami helped me rvm reinstall 2.2.2 --disable-binary thx

danebez Apr 12, 2016

The solution for me on OS X 10.11.4, Ruby 2.1.2 was running rvm reinstall ruby-2.1.2 --disable-binary or switching to 2.3.0. This is perplexing as colleagues who had the app already set up on their dev machines and have the same OS and Ruby versions had this problem in 2015 but could solve it by simply downloading http://curl.haxx.se/ca/cacert.pem and ensuring that Ruby 2.1.2 was installed with the --with-openssl-dir=$rvm_path/usr flag. Can anyone explain why installing Ruby from sources solves the problem?

To clarify, none of the following solved the issue:

  • downloading http://curl.haxx.se/ca/cacert.pem, renaming it to cert.pem & pointing to it inside Rails (ENV['SSL_CERT_FILE'] = '/usr/local/etc/openssl/cert.pem') or with a system environment variable
  • running rvm requirements
  • re-installing Ruby 2.1.2: rvm remove 2.1.2 && rvm pkg install openssl && rvm install 2.1.2 --with-openssl-dir=$rvm_path/usr

Vanuan Apr 12, 2016

> Can anyone explain why installing Ruby from sources solves the problem?

Because the pre-built version doesn't distinguish between different OS X versions (it has wrong paths hardcoded). Newer OS X has a different SSL subsystem.
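
Added example (not part of the thread and not the project's code): a stdlib-only Ruby diagnostic for the cause described above. It reports the CA paths compiled into the running Ruby's OpenSSL and any SSL_CERT_FILE / SSL_CERT_DIR override, then checks a leaf certificate against a bundle with verification left on. The function names and the certificates are constructed for the example.

```ruby
require 'openssl'
require 'tempfile'

# CA locations OpenSSL will consult. DEFAULT_* are compiled into the binary;
# SSL_CERT_FILE / SSL_CERT_DIR override them at runtime.
def trust_sources(env = ENV)
  file = env['SSL_CERT_FILE'] || OpenSSL::X509::DEFAULT_CERT_FILE
  dir  = env['SSL_CERT_DIR']  || OpenSSL::X509::DEFAULT_CERT_DIR
  { file: file, file_readable: File.readable?(file),
    dir: dir, dir_present: File.directory?(dir),
    overridden: env.key?('SSL_CERT_FILE') || env.key?('SSL_CERT_DIR') }
end

# Count the certificates in a PEM bundle and how many have already expired.
def inspect_bundle(path, now = Time.now)
  certs = File.read(path)
              .scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
              .map { |pem| OpenSSL::X509::Certificate.new(pem) }
  { total: certs.size, expired: certs.count { |c| c.not_after < now } }
end

# Verify cert against only the roots in bundle_path (nil = empty trust store).
# Verification stays on; returns [ok, OpenSSL's reason string].
def verify_with_bundle(cert, bundle_path)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path) if bundle_path
  [store.verify(cert), store.error_string]
end

# Constructed sample data: builds a throwaway certificate (not a real CA).
def make_cert(subject, key, issuer_cert = nil, issuer_key = key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# A leaf signed by a root fails against an empty store and passes once the
# root is in the bundle, without ever switching verification off.
def demo
  root_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('/CN=Constructed Test Root', root_key, ca: true)
  leaf = make_cert('/CN=api.example.test', OpenSSL::PKey::RSA.new(2048), root, root_key)
  Tempfile.create(['roots', '.pem']) do |f|
    f.write(root.to_pem)
    f.flush
    { bundle: inspect_bundle(f.path),
      without_root: verify_with_bundle(leaf, nil),
      with_root: verify_with_bundle(leaf, f.path) }
  end
end

if __FILE__ == $PROGRAM_NAME
  p trust_sources
  p demo
end
```

Run under the affected Ruby, `trust_sources` shows whether the compiled-in bundle path exists on that machine at all.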

sony-mathew-fd commented May 17, 2016

nchodelski Jun 10, 2016

What worked for me with the error was:

rvm reinstall 2.2.0 --disable-binary
then
rvm requirements

none of the commands higher up this thread worked for some reason.

kschutt Jun 14, 2016

@nchodelski thanks! this also worked for me on 2.2.3

fenec Jun 21, 2016

RVM > 1.9.1 comes with the method for updating certificates:
rvm osx-ssl-certs update all

credits: http://railsapps.github.io/openssl-certificate-verify-failed.html

dblommesteijn Jun 22, 2016

@fenec this does not always solve the issue. I've given up fixing rvm and have switched to rbenv.

nchodelski Jun 22, 2016

I had some issues with this too. When I reinstalled a different version of rvm I was able to build and deploy using fastlane (the reason I was trying to fix my SSL errors in the first place). But it broke another feature for me, and when I had managed to fix the second error I then had the SSL authentication issue again. So it seems like I can only choose one thing to work.

I wish I knew what version to install to fix both errors at the same time.

zegomesjf Jun 24, 2016

I fixed the error with
rvm reinstall ruby-2.1.5 --with-openssl-dir=/usr/local

yossi-eynav commented Nov 20, 2016

Thanks @zegomesjf!

georgemillo Jun 26, 2017

I'm not using google-api-ruby-client but I just had this same Faraday error while trying to set up FB login with OAuth on my app, and found this issue. If any future Googlers see this, just writing this to confirm that brew upgrade and brew upgrade openssl worked for me too ;)

sandeep-patle1508 Aug 1, 2017

I have used in this way and it worked for me.
connection = Faraday.new("http://example.com")
connection.ssl.verify_mode = OpenSSL::SSL::VERIFY_NONE

bryszard Sep 20, 2017

Thank you @sony-mathew-fd. The solution you pointed out (https://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html) helped a lot. What I had to do:

  1. Recompile ruby - rvm reinstall 2.2.0 --disable-binary
  2. Download new certs from http://curl.haxx.se/ca/cacert.pem and put them in /usr/local/etc/openssl/cert.pem
  3. Add export SSL_CERT_FILE=/usr/local/etc/openssl/cert.pem to .bash_profile

I encountered this problem while I was using google-cloud-ruby gem and Ruby 2.4.0.

brauliobo Sep 21, 2017

Confirmed this problem with jruby 9.1.13.0

vmardian Jan 3, 2018

Using OS X 10.10.5 and Ruby 2.3.1 via RBENV, the issue was fixed by performing steps #2 and #3 from @bryszard's response.

craysiii referenced this issue Jan 13, 2018: SSLError #4 (Open)

geordgez Jun 1, 2018

FWIW switching to a different (open) wifi network may help.

I'm no expert in networking/certificates but I recently ran into the same issue when I was trying to hit a Ruby backend with an OAuth callback. My environment was fine (macOS Sierra 10.12.6 + Docker Ruby 2.3.1 base image) and my local certificates were alright but the secured network I was on was modifying certificates to make it unfriendly for the Ruby app.

Just wanted to mention in case someone exhausted all the local options like me and was still getting:
Faraday::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed)
