"Unable to download from ..." SSL Certificat Error

[mosdevly]

The error is as follows:

https://gist.github.com/Protosac/a5b86b0461940d36e298

Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/specs.4.8.gz)

I saw some old posts about this but they didn't offer any solutions, since it seemed the error isn't on the user side. Any help appreciated.

[drbrain]

SSLv3 is no longer supported due to POODLE. What OpenSSL version are you using?

[mosdevly]

I'm not sure, but if you tell me where to find that info I'll look.

This problem started about an hour ago. I've been installing gems just fine and I haven't made any real changes to Ruby (I've just been installing gems). It just stopped working.

EDIT: Wanted to mention I'm using Ruby 2.1.0 and I've been installing gems to use with a new Rails installation. I'm an amateur.

[ferventcoder]

https://twitter.com/rubygems_status/status/522816121804558336

[ferventcoder]

I'm running into this as well. I originally reported over at oneclick/rubyinstaller#241 to give @luislavena a heads up.

[luislavena]

@ferventcoder looking into this with RubyGems folks at #rubygems on IRC.

[ferventcoder]

joining...

[ferventcoder]

This is resolved for Windows now based on conversation in irc. Looks like SSLv3 is still disabled, so that is FTW.

[ferventcoder]

@Protosac what platform are/were you seeing this issue from?

[mosdevly]

Windows 7. Thanks all for the information and updates. I'll let you know if I'm still having any issues, but it seems like this is all temporary.

[dwradcliffe]

Recap: Several Windows users were having trouble connecting to rubygems.org with the new SSL cert we deployed today. We rolled back the cert and that seems to have fixed the problem. However, we do need to re-deploy this cert in the very near future.

Looks like this is related or similar to #665 ?

@drbrain Do the vendored certs need to be updated? The new cert has a completely different chain.

[mosdevly]

No issues since the roll back. Sorry I didn't think to mention it earlier but I'm using Windows 7 64-bit if that matters.

[dwradcliffe]

@drbrain Any ideas here? We need to push the new cert out soon - probably this week.

[luislavena]

@dwradcliffe if we change the certs, we need the new chains and new releases of RubyGems versions.

Problem is chicken-egg situation:

• You change certs on the server
• We release updates versions of RubyGems
• Users cannot install them with current version against the new certs

I think this needs to be rolled out in two phases to avoid this:

• Releases of RubyGems that include chains for existing and the certs
• Ensure users upgrade to those versions (1.8.x, 2.x, etc)
• Switch servers to new new certs.

@drbrain does something like the above plan works?

[dwradcliffe]

Sounds like a mess, but I don't think we have a choice.

[indirect]

We also need to release new versions of Bundler, so please ping me about this.

[luislavena]

@dwradcliffe @indirect waiting from @drbrain confirmation if there is something else I'm missing.

[dwradcliffe]

@luislavena @drbrain Can we get this released ASAP? I'm expecting Chrome 39 to ship next week.

[luislavena]

@dwradcliffe I don't control RubyGems releases, I'm only contributor. Perhaps we can get @evanphx also to see if he can do the release?

[dwradcliffe]

Rubygems v2.4.3 has been released. Thanks @drbrain!
New versions of bundler have also been released. Thanks @indirect!
I have re-deployed the new SSL certificate. If you see SSL connection problems, please upgrade to the latest rubygems/bundler.

[luislavena]

@dwradcliffe

Rubygems v2.4.3 has been released.

v2.4.x is broken on Windows. It has been reported and that is still pending someone to tackle that 😢

I have re-deployed the new SSL certificate. If you see SSL connection problems, please upgrade to the latest rubygems/bundler.

Things seems to be working (at least for now)

C:\Users\Luis>ruby -v
ruby 2.1.4p265 (2014-10-27 revision 48166) [i386-mingw32]

C:\Users\Luis>gem --version
2.2.2

C:\Users\Luis>gem update bundler
Updating installed gems
Updating bundler
Fetching: bundler-1.7.5.gem (100%)
Successfully installed bundler-1.7.5
Gems updated: bundler�

C:\Users\Luis>ruby -v
ruby 1.8.7 (2013-06-27 patchlevel 374) [i386-mingw32]

C:\Users\Luis>gem -v
1.8.29

C:\Users\Luis>gem update bundler
Updating installed gems
Updating bundler
Fetching: bundler-1.7.5.gem (100%)
Successfully installed bundler-1.7.5
Gems updated: bundler�

C:\Users\Luis>ruby -v
ruby 1.9.3p545 (2014-02-24) [i386-mingw32]

C:\Users\Luis>gem -v
1.8.29

C:\Users\Luis>gem update bundler
Updating installed gems
Updating bundler
Fetching: bundler-1.7.5.gem (100%)
Successfully installed bundler-1.7.5
Gems updated: bundler�

[courtenay]

I'm still seeing this problem; note a slightly different error (certificate B)

$ ruby -v
ruby 2.1.4p265 (2014-10-27 revision 48166) [x86_64-darwin13.0]

$ gem -v
2.4.3

$ gem install rake
ERROR:  Could not find a valid gem 'rake' (>= 0), here is why:
          Unable to download data from https://rubygems.org - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

[MikaelSmith]

This still seems to be a problem on Windows; I don't see how the gem 2.4.3 release fixed it in any way.

[MikaelSmith]

I [REDACTED], and manually installed 2.4.3. I still see the same errors @courtenay mentioned.

[luislavena]

@dwradcliffe I can confirm that the change of the certificate has broken lot installations where RubyGems is not 2.4.3 possible (due 2.4.x bug I mentioned on Windows)

Also, by the approach taken it is now not possible to update RubyGems since the SSL connection cannot be established.

[luislavena]

Another Ruby 2.1.4 installation:

https://gist.github.com/luislavena/36b91d8896b097885918

[luislavena]

@drbrain @evanphx @skottler or @indirect can any of you revert the new SSL deployed to production?

It broke every single installation of Ruby that do not have the bundled certificates update and is not possible to upgrade to latest version of RubyGems because it can no longer connect to the server.

Not to mention that RubyGems 2.4.x is still broken on Windows.

I'm on IRC if you want to discuss my original plan to get this sorted out (which appears was ignored) 😢

[dwradcliffe]

I have rolled back the cert.

[drbrain]

What does the certificate change have to do with SSLv3 failures? We already don't allow SSLv3:

$ openssl s_client -host rubygems.org -port 443 -ssl3
CONNECTED(00000003)
23485:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52/src/ssl/s3_pkt.c:1125:SSL alert number 40
23485:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52/src/ssl/s3_pkt.c:546:

So I'm puzzled why we see users with state=SSLv3 in the error report like @courtenay

[ivanhoinacki]

@MikaelSmith @dwradcliffe I logged just to say I love you hahaha 💃

[gigaimage]

On Win 7 machine:
C:>ruby -v
ruby 2.1.5p273 (2014-11-13 revision 48405) [x64-mingw32]

C:>gem --version
2.2.2

C:>gem update bundler
Updating installed gems
Nothing to update

C:>gem install rails
ERROR: Could not find a valid gem 'rails' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/latest_specs.4.8.gz)

[gigaimage]

I tried updating local gem... but failing on cert error

C:>gem update --system
ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError)
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

[dwradcliffe]

@gigaimage You need to update your rubygems version. See:
https://gist.github.com/luislavena/f064211759ee0f806c88

[gigaimage]

@dwradcliffe Thanks!

[gmangalo]

Hi,

Im seeing the same issue without the SSL error on my OS X 10.9.5

C:~ gmangalo$ gem update --system
Latest version currently installed. Aborting.
C:~ gmangalo$ gem -v
2.0.14
C:~ gmangalo$ ruby -v
ruby 2.0.0p481 (2014-05-08 revision 45883) [universal.x86_64-darwin13]
C:~ gmangalo$ ruby -ropenssl -e 'p OpenSSL::OPENSSL_VERSION'
"OpenSSL 0.9.8y 5 Feb 2013"
C:~ gmangalo$ gem install bundler
ERROR: Could not find a valid gem 'bundler' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - no such name (https://rubygems.org/latest_specs.4.8.gz)

Tried adding --source parameter but no avail

[REDACTED - error indicates hostname lookup failure]

[shyakaster]

Am having the same certificate issue on windows 8.1.

[h0jeZvgoxFepBQ2C]

me 2

[drbrain]

@gmangalo you appear to be unable to resolve DNS names properly.

@shyakaster, @lichtamberg check the guide for the certificate error

[ber855]

I'm trying to implement the recommended solution at http://guides.rubygems.org/ssl-certificate-update/ but I don't seem to be able to update rubygems on Windows7 with Ruby21-x64 installed.

 C:\>ruby -v
 ruby 2.1.5p273 (2014-11-13 revision 48405) [x64-mingw32]

 C:\>gem --version
 2.2.2

 C:\>gem install --local C:\rubygems-update-2.2.3.gem
 Successfully installed rubygems-update-2.2.3
 Parsing documentation for rubygems-update-2.2.3
 Done installing documentation for rubygems-update after 0 seconds
 1 gem installed

 C:\>update_rubygems --no-ri --no-rdoc

 C:\>gem --version
 2.2.2

 C:\>update_rubygems --help
 rubygems_update [options]

 This will install the latest version of RubyGems.

        --version=X.Y   Update rubygems from the X.Y version.

 C:\>update_rubygems --no-ri --no-rdoc --version=2.2.2
 C:/Program Files/Ruby21-x64/lib/ruby/gems/2.1.0/gems/rubygems-update-2.2.3/bin/update_rubygems:20:in `exec': No such file or directory - "C:/Program Files/Ruby21-x64/bin/ruby.exe" (Errno::ENOENT)
        from C:/Program Files/Ruby21-x64/lib/ruby/gems/2.1.0/gems/rubygems-update-2.2.3/bin/update_rubygems:20:in `<top (required)>'
        from C:/Program Files/Ruby21-x64/bin/update_rubygems:23:in `load'
        from C:/Program Files/Ruby21-x64/bin/update_rubygems:23:in `\<main\>'

 C:\>dir "C:\Program Files\Ruby21-x64\bin\ruby.exe"
  Volume in drive C is OSDisk
  Volume Serial Number is 0870-8892

  Directory of C:\Program Files\Ruby21-x64\bin

 11/15/2014  09:33 PM           148,828 ruby.exe
                1 File(s)        148,828 bytes
                0 Dir(s)  373,562,097,664 bytes free


 C:\>gem --version
 2.2.2

And then as you would expect:

 C:\>gem update --system
 ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
     SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed  (https://api.rubygems.org/specs.4.8.gz)

Copying the new certificate into the ssl_certs directory manually doesn't appear to work either. Any suggestion you can offer would be greatly appreciated. I'm new to Ruby, and am basically just trying to follow instructions created by a team member who has more experience with Ruby but is similarly stumped by this issue.

[drbrain]

@ber855 RubyGems and gems are not known to work well with directories containing spaces. Does it work when using a space-free directory?

[ber855]

Unfortunately, I'm in a locked-down environment and can't run exe's from outside the "Program Files" or "Program Files (x86)" directory. Gems does seem to run, though. Could that be the source of the "certificate verify failed" error?

At the suggestion of a teammate, I tried dropping back to version 2.0.0p643, which somewhat unexpectedly came with Gems 2.4.6. Unfortunately, I'm still getting the same error.

C:\>where gem
C:\Program Files\Ruby200-x64\bin\gem
C:\Program Files\Ruby200-x64\bin\gem.bat

C:\>ruby -v
ruby 2.0.0p643 (2015-02-25) [x64-mingw32]

C:\>gem --version
2.4.6

C:\>gem update --system
ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
    SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

The same teammate now suggests I drop back to version 1.9.3p551... :-/

[ber855]

Dropping back to version 1.9.3p551 did not help.

C:\>where gem
C:\Program Files\Ruby193\bin\gem
C:\Program Files\Ruby193\bin\gem.bat

C:\>ruby -v
ruby 1.9.3p551 (2014-11-13) [i386-mingw32]

C:\>gem --version
1.8.29

C:\>gem update --system
ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
    SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)

C:\>gem install --local C:\rubygems-update-1.8.30.gem
Successfully installed rubygems-update-1.8.30
1 gem installed
Installing ri documentation for rubygems-update-1.8.30...
Installing RDoc documentation for rubygems-update-1.8.30...

C:\>update_rubygems --no-ri --no-rdoc

C:\>gem --version
1.8.29

C:\>update_rubygems --help
rubygems_update [options]

This will install the latest version of RubyGems.

        --version=X.Y   Update rubygems from the X.Y version.

C:\>update_rubygems --no-ri --no-rdoc --version=1.8.29
C:/Program Files/Ruby193/lib/ruby/gems/1.9.1/gems/rubygems-update-1.8.30/bin/update_rubygems:20:in `exec': No such file or directory - "C:/Program Files/Ruby193/bin/ruby.exe" (Errno::ENOENT)
        from C:/Program Files/Ruby193/lib/ruby/gems/1.9.1/gems/rubygems-update-1.8.30/bin/update_rubygems:20:in `<top (required)>'
        from C:/Program Files/Ruby193/bin/update_rubygems:23:in `load'
        from C:/Program Files/Ruby193/bin/update_rubygems:23:in `<main>'

C:\>gem --version
1.8.29

And then, as you would expect.

C:\>gem update --system
ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
    SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)

Could that space in the path to the ruby or gem exe be preventing me from upgrading the Gems version? If so, I might be able to ask for a temporary exception from the security policy.

[socratesmedina]

I am getting the same error, too:

C:\Sites>gem update bundler
Updating installed gems
ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError)
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

[ghost]

I am in the same position, tried every permutation of GEMS / Ruby and to put it mildly its totally broken. Is there an official statement regarding this and when it will be resolved.

[ghost]

C:\WINDOWS\system32>gem install rack --clear-sources --verbose --source https://staging.rubygems.org -v 1.5.2
HEAD https://staging.rubygems.org/api/v1/dependencies
200 OK
GET https://staging.rubygems.org/api/v1/dependencies?gems=rack
200 OK
GET https://staging.rubygems.org/quick/Marshal.4.8/rack-1.5.2.gemspec.rz
302 Moved Temporarily
GET https://rubygems-staging.global.ssl.fastly.net/quick/Marshal.4.8/rack-1.5.2.gemspec.rz
404 Not Found
ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError)
bad response Not Found 404 (https://rubygems-staging.global.ssl.fastly.net/quick/Marshal.4.8/rack-1.5.2.gemspec.rz)

C:\WINDOWS\system32>

[dwradcliffe]

@silentbinary Why are you using staging? The full set of gems is not available on staging, and it should not be used.

[ghost]

My Ruby knowledge is zero, I am just trying to follow the recommended fix.

Is there a fix that will solve the issue, as I have tried everything that has been mentioned?

On Thu, Sep 24, 2015 at 3:33 PM, David Radcliffe notifications@github.com
wrote:

@silentbinary https://github.com/silentbinary Why are you using
staging? The full set of gems is not available on staging, and it should
not be used.

—
Reply to this email directly or view it on GitHub
#1050 (comment).

Land Line | 0208 1234 409 | Mobile | 07779256256

Conference Call | 0844737373 | Pin 590342

Email | Skype | Gareth.Davies@SilentBinary.co
Gareth.Davies@SilentBinary.com.uk

LinkedIn | https://www.linkedin.com/in/alwaysdelivers

SilentBinary.Co.Uk accepts no liability for the content of this email, or
for the consequences of any actions taken on the basis of the information
provided, unless that information is subsequently confirmed in writing.

[dwradcliffe]

This is an old issue that is resolved. The mention of staging above was to test a new SSL cert before it was rolled out to production.

[ghost]

I still have the same issue on Windows.

[dwradcliffe]

@silentbinary Looks like your issue is with the softlayer api, not the rubygems api. I'm guessing their HTTPS settings or their certificate are not compatible with windows. You may need to manually install their certificate or something like that.

[ghost]

going to try on Linux tmrw
On 24 Sep 2015 5:12 pm, "David Radcliffe" notifications@github.com wrote:

@silentbinary https://github.com/silentbinary Looks like your issue is
with the softlayer api, not the rubygems api. I'm guessing their HTTPS
settings or their certificate are not compatible with windows. You may need
to manually install their certificate or something like that.

—
Reply to this email directly or view it on GitHub
#1050 (comment).

[lengerfulluse]

Got the same issue. [REDACTED]

[ghost]

I gave up on Windows put have it installed on Ubuntu and it works a treat.

[thovo]

I got the same issue on my Windows 7
ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError) SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol (https://api.rubygems.org/specs.4.8.gz)
I think it happened because I am using a company's computer that usualy followed some security policy check of company. I didn't meet this issue with my own laptop. Does someone have any idea to fix it completely?
I tried to use @lengerfulluse command to install gem and it works except some last errors but at least it installed the gem.

[ghost]

I have up and just spun up a linux desktop and had no issue installing.

[dwradcliffe]

The original problem from this issue has been resolved. If you're still experiencing problems that seem related, open a help ticket or a new issue. Thanks!