"Unable to download from ..." SSL Certificat Error #1050

Closed
Protosac opened this Issue Oct 16, 2014 · 63 comments

@Protosac

The error is as follows:

https://gist.github.com/Protosac/a5b86b0461940d36e298

Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/specs.4.8.gz)

I saw some old posts about this but they didn't offer any solutions, since it seemed the error isn't on the user side. Any help appreciated.

@drbrain
Member
drbrain commented Oct 16, 2014

SSLv3 is no longer supported due to POODLE. What OpenSSL version are you using?

@Protosac

I'm not sure, but if you tell me where to find that info I'll look.

This problem started about an hour ago. I've been installing gems just fine and I haven't made any real changes to Ruby (I've just been installing gems). It just stopped working.

EDIT: Wanted to mention I'm using Ruby 2.1.0 and I've been installing gems to use with a new Rails installation. I'm an amateur.

@ferventcoder

I'm running into this as well. I originally reported over at oneclick/rubyinstaller#241 to give @luislavena a heads up.

@luislavena
Member

@ferventcoder looking into this with RubyGems folks at #rubygems on IRC.

@ferventcoder

joining...

@ferventcoder

This is resolved for Windows now based on conversation in irc. Looks like SSLv3 is still disabled, so that is FTW.

@ferventcoder

@Protosac what platform are/were you seeing this issue from?

@Protosac

Windows 7. Thanks all for the information and updates. I'll let you know if I'm still having any issues, but it seems like this is all temporary.

@dwradcliffe
Member

Recap: Several Windows users were having trouble connecting to rubygems.org with the new SSL cert we deployed today. We rolled back the cert and that seems to have fixed the problem. However, we do need to re-deploy this cert in the very near future.

Looks like this is related or similar to #665 ?

@drbrain Do the vendored certs need to be updated? The new cert has a completely different chain.

@Protosac

No issues since the roll back. Sorry I didn't think to mention it earlier but I'm using Windows 7 64-bit if that matters.

@dwradcliffe
Member

@drbrain Any ideas here? We need to push the new cert out soon - probably this week.

@luislavena
Member

@dwradcliffe if we change the certs, we need the new chains and new releases of RubyGems versions.

Problem is chicken-egg situation:

  • You change certs on the server
  • We release updated versions of RubyGems
  • Users cannot install them with current version against the new certs

I think this needs to be rolled out in two phases to avoid this:

  • Releases of RubyGems that include chains for the existing and the new certs
  • Ensure users upgrade to those versions (1.8.x, 2.x, etc)
  • Switch servers to the new certs.

@drbrain does something like the above plan work?
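The two-phase rollout proposed in the comment above, as an added example that is not part of the original thread and is not RubyGems' own code: an installed client that trusts only the old root rejects a server certificate issued under a new root, while a phase-one release that bundles both roots accepts either. All CA names, the host `gems.example.test`, and the helper names are constructed for the illustration.

```ruby
require "openssl"

# Issue a certificate. All names and keys here are constructed for the example.
# With no issuer given, the certificate is self-signed (a root CA).
def issue(cn, issuer: nil, issuer_key: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# A client's bundled trust store: only the roots shipped with that release.
def trust_store(*roots)
  store = OpenSSL::X509::Store.new
  roots.each { |root| store.add_cert(root) }
  store
end

# Returns "ok" or OpenSSL's reason for rejecting the server certificate.
def check(store, server_cert)
  store.verify(server_cert) ? "ok" : store.error_string
end

# Every client release checked against every server certificate.
def rollout_matrix
  old_root, old_key = issue("Constructed Old Root CA", ca: true)
  new_root, new_key = issue("Constructed New Root CA", ca: true)
  servers = {
    old_cert: issue("gems.example.test", issuer: old_root, issuer_key: old_key).first,
    new_cert: issue("gems.example.test", issuer: new_root, issuer_key: new_key).first,
  }
  clients = {
    installed: trust_store(old_root),           # what users already have
    phase_one: trust_store(old_root, new_root), # release shipped before the switch
  }
  clients.to_h do |client, store|
    [client, servers.to_h { |name, cert| [name, check(store, cert)] }]
  end
end

if __FILE__ == $0
  rollout_matrix.each do |client, results|
    results.each { |server, outcome| puts "#{client} client, #{server}: #{outcome}" }
  end
end
```

Only the `installed` client against `new_cert` fails, which is why the server switch has to wait until users can reach the server with a release that already carries the new root.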

@dwradcliffe
Member

Sounds like a mess, but I don't think we have a choice.

@indirect
Member
indirect commented Nov 3, 2014

We also need to release new versions of Bundler, so please ping me about this.

@luislavena
Member

@dwradcliffe @indirect waiting for @drbrain's confirmation if there is something else I'm missing.

@dwradcliffe
Member

@luislavena @drbrain Can we get this released ASAP? I'm expecting Chrome 39 to ship next week.

@luislavena
Member

@dwradcliffe I don't control RubyGems releases, I'm only a contributor. Perhaps we can get @evanphx also to see if he can do the release?

@dwradcliffe
Member

Rubygems v2.4.3 has been released. Thanks @drbrain!
New versions of bundler have also been released. Thanks @indirect!
I have re-deployed the new SSL certificate. If you see SSL connection problems, please upgrade to the latest rubygems/bundler.

@luislavena
Member

@dwradcliffe

> Rubygems v2.4.3 has been released.

v2.4.x is broken on Windows. It has been reported and that is still pending someone to tackle that 😢

> I have re-deployed the new SSL certificate. If you see SSL connection problems, please upgrade to the latest rubygems/bundler.

Things seem to be working (at least for now)

C:\Users\Luis>ruby -v
ruby 2.1.4p265 (2014-10-27 revision 48166) [i386-mingw32]

C:\Users\Luis>gem --version
2.2.2

C:\Users\Luis>gem update bundler
Updating installed gems
Updating bundler
Fetching: bundler-1.7.5.gem (100%)
Successfully installed bundler-1.7.5
Gems updated: bundler

C:\Users\Luis>ruby -v
ruby 1.8.7 (2013-06-27 patchlevel 374) [i386-mingw32]

C:\Users\Luis>gem -v
1.8.29

C:\Users\Luis>gem update bundler
Updating installed gems
Updating bundler
Fetching: bundler-1.7.5.gem (100%)
Successfully installed bundler-1.7.5
Gems updated: bundler

C:\Users\Luis>ruby -v
ruby 1.9.3p545 (2014-02-24) [i386-mingw32]

C:\Users\Luis>gem -v
1.8.29

C:\Users\Luis>gem update bundler
Updating installed gems
Updating bundler
Fetching: bundler-1.7.5.gem (100%)
Successfully installed bundler-1.7.5
Gems updated: bundler

@courtenay

I'm still seeing this problem; note a slightly different error (certificate B)

$ ruby -v
ruby 2.1.4p265 (2014-10-27 revision 48166) [x86_64-darwin13.0]

$ gem -v
2.4.3

$ gem install rake
ERROR:  Could not find a valid gem 'rake' (>= 0), here is why:
          Unable to download data from https://rubygems.org - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

@MikaelSmith

This still seems to be a problem on Windows; I don't see how the gem 2.4.3 release fixed it in any way.

@MikaelSmith

I [REDACTED], and manually installed 2.4.3. I still see the same errors @courtenay mentioned.

@luislavena
Member

@dwradcliffe I can confirm that the change of the certificate has broken a lot of installations where RubyGems 2.4.3 is not possible (due to the 2.4.x bug I mentioned on Windows)

Also, by the approach taken it is now not possible to update RubyGems since the SSL connection cannot be established.

@luislavena
Member
@luislavena luislavena reopened this Nov 11, 2014
@luislavena
Member

@drbrain @evanphx @skottler or @indirect can any of you revert the new SSL deployed to production?

It broke every single installation of Ruby that does not have the bundled certificates update, and it is not possible to upgrade to the latest version of RubyGems because it can no longer connect to the server.

Not to mention that RubyGems 2.4.x is still broken on Windows.

I'm on IRC if you want to discuss my original plan to get this sorted out (which it appears was ignored) 😢

@dwradcliffe
Member

I have rolled back the cert.

@drbrain
Member
drbrain commented Nov 11, 2014

What does the certificate change have to do with SSLv3 failures? We already don't allow SSLv3:

$ openssl s_client -host rubygems.org -port 443 -ssl3
CONNECTED(00000003)
23485:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52/src/ssl/s3_pkt.c:1125:SSL alert number 40
23485:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52/src/ssl/s3_pkt.c:546:

So I'm puzzled why we see users with state=SSLv3 in the error report like @courtenay

@luislavena
Member

@drbrain seems the new certs don't work with existing versions of RubyGems:

https://gist.github.com/luislavena/96b7d47bfb6803a9b881

How are users supposed to upgrade to the latest RubyGems if they cannot connect to https://rubygems.org because of the error?

I'm on IRC if you want to discuss this issue.

@drbrain
Member
drbrain commented Nov 11, 2014

@dwradcliffe is there a staging server you can deploy the new certificates to that we can test against?

@indirect
Member

@drbrain the staging server is staging.rubygems.org, and the sample script in this issue tests against it.

@luislavena thank you for the test! I have added the sha1 signed cert and written tests that try connecting to the hosts from your script for bundler: bundler/bundler@080e850. I plan to release point releases of Bundler 1.6 and 1.7 again today with the correct sha1 AddTrust cert.

@drbrain
Member
drbrain commented Nov 14, 2014

2.4.4 is out now, can someone check it?

@MikaelSmith

Update looks good to me. Not sure how to check it against staging.rubygems.org though.

On Fri, Nov 14, 2014 at 11:28 AM, Eric Hodel notifications@github.com wrote:

> 2.4.4 is out now, can someone check it?

@dwradcliffe
Member

@MikaelSmith You can run something like this:

gem install rack --clear-sources --verbose --source https://staging.rubygems.org -v 1.5.2

You should see 401 Unauthorized, but shouldn't have any SSL errors.

@MikaelSmith

👍 Looks good.

@drbrain drbrain closed this Nov 22, 2014
@roel666
roel666 commented Dec 21, 2014

Love it

@ivanhoinacki

@MikaelSmith @dwradcliffe I logged just to say I love you hahaha 💃

@gigaimage

On Win 7 machine:
C:>ruby -v
ruby 2.1.5p273 (2014-11-13 revision 48405) [x64-mingw32]

C:>gem --version
2.2.2

C:>gem update bundler
Updating installed gems
Nothing to update

C:>gem install rails
ERROR: Could not find a valid gem 'rails' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/latest_specs.4.8.gz)

@gigaimage

I tried updating local gem... but failing on cert error

C:>gem update --system
ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError)
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

@dwradcliffe
Member

@gigaimage You need to update your rubygems version. See:
https://gist.github.com/luislavena/f064211759ee0f806c88

@gigaimage

@dwradcliffe Thanks!

@gmangalo

Hi,

I'm seeing the same issue without the SSL error on my OS X 10.9.5

C:~ gmangalo$ gem update --system
Latest version currently installed. Aborting.
C:~ gmangalo$ gem -v
2.0.14
C:~ gmangalo$ ruby -v
ruby 2.0.0p481 (2014-05-08 revision 45883) [universal.x86_64-darwin13]
C:~ gmangalo$ ruby -ropenssl -e 'p OpenSSL::OPENSSL_VERSION'
"OpenSSL 0.9.8y 5 Feb 2013"
C:~ gmangalo$ gem install bundler
ERROR: Could not find a valid gem 'bundler' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - no such name (https://rubygems.org/latest_specs.4.8.gz)

Tried adding the --source parameter but to no avail

[REDACTED - error indicates hostname lookup failure]

@shyakaster

I am having the same certificate issue on Windows 8.1.

@lichtamberg

me 2

@drbrain
Member
drbrain commented Apr 3, 2015

@gmangalo you appear to be unable to resolve DNS names properly.

@shyakaster, @lichtamberg check the guide for the certificate error

@ber855
ber855 commented Apr 13, 2015

I'm trying to implement the recommended solution at http://guides.rubygems.org/ssl-certificate-update/ but I don't seem to be able to update rubygems on Windows7 with Ruby21-x64 installed.

 C:\>ruby -v
 ruby 2.1.5p273 (2014-11-13 revision 48405) [x64-mingw32]

 C:\>gem --version
 2.2.2

 C:\>gem install --local C:\rubygems-update-2.2.3.gem
 Successfully installed rubygems-update-2.2.3
 Parsing documentation for rubygems-update-2.2.3
 Done installing documentation for rubygems-update after 0 seconds
 1 gem installed

 C:\>update_rubygems --no-ri --no-rdoc

 C:\>gem --version
 2.2.2

 C:\>update_rubygems --help
 rubygems_update [options]

 This will install the latest version of RubyGems.

        --version=X.Y   Update rubygems from the X.Y version.

 C:\>update_rubygems --no-ri --no-rdoc --version=2.2.2
 C:/Program Files/Ruby21-x64/lib/ruby/gems/2.1.0/gems/rubygems-update-2.2.3/bin/update_rubygems:20:in `exec': No such file or directory - "C:/Program Files/Ruby21-x64/bin/ruby.exe" (Errno::ENOENT)
        from C:/Program Files/Ruby21-x64/lib/ruby/gems/2.1.0/gems/rubygems-update-2.2.3/bin/update_rubygems:20:in `<top (required)>'
        from C:/Program Files/Ruby21-x64/bin/update_rubygems:23:in `load'
        from C:/Program Files/Ruby21-x64/bin/update_rubygems:23:in `<main>'

 C:\>dir "C:\Program Files\Ruby21-x64\bin\ruby.exe"
  Volume in drive C is OSDisk
  Volume Serial Number is 0870-8892

  Directory of C:\Program Files\Ruby21-x64\bin

 11/15/2014  09:33 PM           148,828 ruby.exe
                1 File(s)        148,828 bytes
                0 Dir(s)  373,562,097,664 bytes free


 C:\>gem --version
 2.2.2

And then as you would expect:

 C:\>gem update --system
 ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
     SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed  (https://api.rubygems.org/specs.4.8.gz)

Copying the new certificate into the ssl_certs directory manually doesn't appear to work either. Any suggestion you can offer would be greatly appreciated. I'm new to Ruby, and am basically just trying to follow instructions created by a team member who has more experience with Ruby but is similarly stumped by this issue.

@drbrain
Member
drbrain commented Apr 13, 2015

@ber855 RubyGems and gems are not known to work well with directories containing spaces. Does it work when using a space-free directory?

@ber855
ber855 commented Apr 14, 2015

Unfortunately, I'm in a locked-down environment and can't run exe's from outside the "Program Files" or "Program Files (x86)" directory. Gems does seem to run, though. Could that be the source of the "certificate verify failed" error?

At the suggestion of a teammate, I tried dropping back to version 2.0.0p643, which somewhat unexpectedly came with Gems 2.4.6. Unfortunately, I'm still getting the same error.

C:\>where gem
C:\Program Files\Ruby200-x64\bin\gem
C:\Program Files\Ruby200-x64\bin\gem.bat

C:\>ruby -v
ruby 2.0.0p643 (2015-02-25) [x64-mingw32]

C:\>gem --version
2.4.6

C:\>gem update --system
ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
    SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

The same teammate now suggests I drop back to version 1.9.3p551... :-/

@ber855
ber855 commented Apr 14, 2015

Dropping back to version 1.9.3p551 did not help.

C:\>where gem
C:\Program Files\Ruby193\bin\gem
C:\Program Files\Ruby193\bin\gem.bat

C:\>ruby -v
ruby 1.9.3p551 (2014-11-13) [i386-mingw32]

C:\>gem --version
1.8.29

C:\>gem update --system
ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
    SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)

C:\>gem install --local C:\rubygems-update-1.8.30.gem
Successfully installed rubygems-update-1.8.30
1 gem installed
Installing ri documentation for rubygems-update-1.8.30...
Installing RDoc documentation for rubygems-update-1.8.30...

C:\>update_rubygems --no-ri --no-rdoc

C:\>gem --version
1.8.29

C:\>update_rubygems --help
rubygems_update [options]

This will install the latest version of RubyGems.

        --version=X.Y   Update rubygems from the X.Y version.

C:\>update_rubygems --no-ri --no-rdoc --version=1.8.29
C:/Program Files/Ruby193/lib/ruby/gems/1.9.1/gems/rubygems-update-1.8.30/bin/update_rubygems:20:in `exec': No such file or directory - "C:/Program Files/Ruby193/bin/ruby.exe" (Errno::ENOENT)
        from C:/Program Files/Ruby193/lib/ruby/gems/1.9.1/gems/rubygems-update-1.8.30/bin/update_rubygems:20:in `<top (required)>'
        from C:/Program Files/Ruby193/bin/update_rubygems:23:in `load'
        from C:/Program Files/Ruby193/bin/update_rubygems:23:in `<main>'

C:\>gem --version
1.8.29

And then, as you would expect.

C:\>gem update --system
ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
    SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)

Could that space in the path to the ruby or gem exe be preventing me from upgrading the Gems version? If so, I might be able to ask for a temporary exception from the security policy.

@socratesmedina

I am getting the same error, too:

C:\Sites>gem update bundler
Updating installed gems
ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError)
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

@ghost
ghost commented Sep 24, 2015

I am in the same position, tried every permutation of GEMS / Ruby and to put it mildly it's totally broken. Is there an official statement regarding this and when it will be resolved?

@ghost
ghost commented Sep 24, 2015

C:\WINDOWS\system32>gem install rack --clear-sources --verbose --source https://staging.rubygems.org -v 1.5.2
HEAD https://staging.rubygems.org/api/v1/dependencies
200 OK
GET https://staging.rubygems.org/api/v1/dependencies?gems=rack
200 OK
GET https://staging.rubygems.org/quick/Marshal.4.8/rack-1.5.2.gemspec.rz
302 Moved Temporarily
GET https://rubygems-staging.global.ssl.fastly.net/quick/Marshal.4.8/rack-1.5.2.gemspec.rz
404 Not Found
ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError)
bad response Not Found 404 (https://rubygems-staging.global.ssl.fastly.net/quick/Marshal.4.8/rack-1.5.2.gemspec.rz)

C:\WINDOWS\system32>

@dwradcliffe
Member

@silentbinary Why are you using staging? The full set of gems is not available on staging, and it should not be used.

@ghost
ghost commented Sep 24, 2015

My Ruby knowledge is zero, I am just trying to follow the recommended fix.

Is there a fix that will solve the issue, as I have tried everything that has been mentioned?

On Thu, Sep 24, 2015 at 3:33 PM, David Radcliffe notifications@github.com wrote:

> @silentbinary Why are you using staging? The full set of gems is not available on staging, and it should not be used.

@dwradcliffe
Member

This is an old issue that is resolved. The mention of staging above was to test a new SSL cert before it was rolled out to production.

@ghost
ghost commented Sep 24, 2015

I still have the same issue on Windows.

[Two screenshots attached: "shot 2", "shot1 1"]

@dwradcliffe
Member

@silentbinary Looks like your issue is with the softlayer api, not the rubygems api. I'm guessing their HTTPS settings or their certificate are not compatible with windows. You may need to manually install their certificate or something like that.

@ghost
ghost commented Sep 24, 2015

going to try on Linux tmrw

On 24 Sep 2015 5:12 pm, "David Radcliffe" notifications@github.com wrote:

> @silentbinary Looks like your issue is with the softlayer api, not the rubygems api. I'm guessing their HTTPS settings or their certificate are not compatible with windows. You may need to manually install their certificate or something like that.

@lengerfulluse

Got the same issue. [REDACTED]

@ghost
ghost commented Dec 1, 2015

I gave up on Windows but have it installed on Ubuntu and it works a treat.

@thovo
thovo commented Jan 11, 2016

I got the same issue on my Windows 7
ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError) SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol (https://api.rubygems.org/specs.4.8.gz)
I think it happened because I am using a company's computer that usually followed some security policy check of company. I didn't meet this issue with my own laptop. Does someone have any idea to fix it completely?
I tried to use @lengerfulluse command to install gem and it works except some last errors but at least it installed the gem.

@ghost
ghost commented Jan 11, 2016

I gave up and just spun up a linux desktop and had no issue installing.

@dwradcliffe
Member

The original problem from this issue has been resolved. If you're still experiencing problems that seem related, open a help ticket or a new issue. Thanks!

@dwradcliffe dwradcliffe locked and limited conversation to collaborators Jan 11, 2016