certificate verify failed (unable to get certificate CRL) (OpenSSL::SSL::SSLError)

[bfolkens]

The following example fails after installing "OpenSSL 3.6.0":

require 'net/http'
require 'uri'

uri = URI('https://example.com')

# Creating a POST request, which is a subclass of Net::HTTPGenericRequest
request = Net::HTTP::Post.new(uri)

# Sending the request
Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
  response = http.request(request)
  puts response.body
end

With the following error:

/Users/[user]/.local/share/mise/installs/ruby/3.4.6/lib/ruby/3.4.0/net/protocol.rb:46:in 'OpenSSL::SSL::SSLSocket#connect_nonblock': SSL_connect returned=1 errno=0 peeraddr=[2600:1406:5e00:6::17ce:bc12]:443 state=error: certificate verify failed (unable to get certificate CRL) (OpenSSL::SSL::SSLError)
        from /Users/bfolkens/.local/share/mise/installs/ruby/3.4.6/lib/ruby/3.4.0/net/protocol.rb:46:in 'Net::Protocol#ssl_socket_connect'
        from /Users/bfolkens/.local/share/mise/installs/ruby/3.4.6/lib/ruby/3.4.0/net/http.rb:1736:in 'Net::HTTP#connect'
        from /Users/bfolkens/.local/share/mise/installs/ruby/3.4.6/lib/ruby/3.4.0/net/http.rb:1636:in 'Net::HTTP#do_start'
        from /Users/bfolkens/.local/share/mise/installs/ruby/3.4.6/lib/ruby/3.4.0/net/http.rb:1625:in 'Net::HTTP#start'
        from /Users/bfolkens/.local/share/mise/installs/ruby/3.4.6/lib/ruby/3.4.0/net/http.rb:1064:in 'Net::HTTP.start'
        from test.rb:10:in '<main>'

bundle doctor --ssl fails with:

The Gemfile's dependencies are satisfied
Here's your OpenSSL environment:

OpenSSL:       3.3.0
Compiled with: OpenSSL 3.6.0 1 Oct 2025
Loaded with:   OpenSSL 3.6.0 1 Oct 2025

Trying connections to https://rubygems.org:
Bundler:       success
RubyGems:      success
Ruby net/http: failed

Unfortunately, this Ruby can't connect to rubygems.org.

Below affect only Ruby net/http connections:
SSL_CERT_FILE: exists     /opt/homebrew/etc/openssl@3/cert.pem
SSL_CERT_DIR:  exists     /opt/homebrew/etc/openssl@3/certs

Your Ruby can't connect to rubygems.org because you are missing the certificate files OpenSSL needs to verify you are connecting to the genuine rubygems.org servers.

No issues found with the installed bundle

[ledermann]

Same here. It looks like DEFAULT_CERT_STORE is initialized empty, so Ruby cannot verify any SSL connections. I found this temporary workaround:

1. Create ~/.rubyopenssl_default_store.rb:

   require "openssl"
   s = OpenSSL::X509::Store.new.tap(&:set_default_paths)
   OpenSSL::SSL::SSLContext.send(:remove_const, :DEFAULT_CERT_STORE) rescue nil
   OpenSSL::SSL::SSLContext.const_set(:DEFAULT_CERT_STORE, s.freeze)

2. Load it for all Ruby processes, e.g. in your shell config:

   export RUBYOPT="-r$HOME/.rubyopenssl_default_store.rb $RUBYOPT"

[rhenium]

Thanks for your report.

OpenSSL::SSL::SSLContext#set_params uses the default cert store with the OpenSSL::X509::V_FLAG_CRL_CHECK_ALL flag (and no other flags):

openssl/lib/openssl/ssl.rb

Lines 92 to 94 in 7f4886b

	DEFAULT_CERT_STORE = OpenSSL::X509::Store.new # :nodoc:
	DEFAULT_CERT_STORE.set_default_paths
	DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL

OpenSSL 3.6.0 appears to have changed the behavior in commit openssl/openssl@b1b4b15, which doesn't look intentional.

At the same time, ruby/openssl shouldn't set that flag by default. It previously had no effect, according to the man page for X509_VERIFY_PARAM_set_flags():

X509_V_FLAG_CRL_CHECK_ALL expands CRL checking to the entire certificate chain if X509_V_FLAG_CRL_CHECK has also been enabled, and is otherwise ignored.

[bfolkens]

Same here. It looks like DEFAULT_CERT_STORE is initialized empty, so Ruby cannot verify any SSL connections. I found this temporary workaround:

1. Create ~/.rubyopenssl_default_store.rb:
   require "openssl"
   s = OpenSSL::X509::Store.new.tap(&:set_default_paths)
   OpenSSL::SSL::SSLContext.send(:remove_const, :DEFAULT_CERT_STORE) rescue nil
   OpenSSL::SSL::SSLContext.const_set(:DEFAULT_CERT_STORE, s.freeze)
2. Load it for all Ruby processes, e.g. in your shell config:
   export RUBYOPT="-r$HOME/.rubyopenssl_default_store.rb $RUBYOPT"

Thank you @ledermann !! this worked

Thanks @rhenium for digging into this

[miharekar]

Thanks @rhenium 🙏

[rhenium]

I've pushed v3.1.2, v3.2.2, and v3.3.1 to rubygems.org with the change in #950.

[DucNguyenTHT]

@rhenium can you make an update for 3.3.4