SSL cert. error after upgrade to RubyGems 2.6.7 #1800
I followed the instructions for using update packages here. As confirmation of its success, I checked the certs were installed
Note the files and folders dated '16 Dec' (yesterday). Seems ok, however when I try to install any gem I still get the same SSL certs error.
As a workaround, I changed my remote sources to use http (instead of https) and installed the gems I need for development - bad solution, I know. Obviously I want to resume using https but cannot.
The environment is:
Some other environment context:
Thanks in advance for your help
As a) would not really 'give more information', I did b) and the response is below:
Does this help?
I'm getting the SSL error too.
I installed the GlobalSignCA.pem manually, following the instructions here.
I also got a problem related to the SSL. Here is what was printed on my console when I try to make a new rails project:
I have followed the official instruction in here too.
Here is my ssl_certs directory :
FYI I got my ruby installation from rubyinstaller.org and I'm using Win 10.
Really appreciate your help, thanks! XD
BTW, I noticed from the above response that the offending certificate has the exact same expiry date as @lilach. Is this significant? I checked the expiry of the cert I THOUGHT was being used (according to response from 'gem which rubygems' command) and it's fine:
No old certs hanging around in Keychain either (although I am not very familiar with that utility).
So, I am currently installing insecurely (over http) for now. Any help still appreciated.
@drbrain haha, I got no error when I ran
Previously, I solved the problem by changing
Btw, thank you so much for your response!!
@diarmuidoconnor @lilach you both have this expired certificate in your trusted CA list: https://support.globalsign.com/customer/portal/articles/1426272-expiration-of-old-globalsign-2014-root-ca-certificate
Some people have found the expired certificate in the OS X keychain, some have found it in
I've followed the instructions here, and I'm still seeing this.
I opened the "Keychain Access" tool and searched for "GlobalSign". It yielded 5 results - 4 named "GlobalSign" and 1 named "GlobalSign Root CA". They all had expiration dates well in the future (earliest being 2021).
Running macOS Sierra 10.12.2
Did some more searching, and I think I found the fix
After that, it worked!
I had the same problem as @haydenzone except that the solution he gave didn't work. I got:
$ rvm osx-ssl-certs update all
Updating certificates for /usr/local/etc/openssl/cert.pem: Already up to date.
I had to do this instead:
$ curl https://curl.haxx.se/ca/cacert.pem > /usr/local/etc/openssl/cert.pem
and this solved the problem for me.
You probably have the expired GlobalSign CA certificate (expired over a decade ago, which has been renewed) in your keychain (which RVM uses to build its keys). Furthermore, OpenSSL doesn't ignore expired certificates if a refreshed one for the same guy is also present.
Using cURL's certificates means you don't get poisoned by the old certificate.
Brand new Ruby user on WINDOWS so all the above doesn't apply to me. Have to say I was excited to try Ruby for the first time and I'm over two hrs into it and it's broken right out of the box. I've now read a handful of "fix" directions for the broken SSL that seem to date back years, yet in 2017 running the latest Windows installer x64 results for some reason in a product that won't work, with all broken SSL, and can't even update itself or install the gems due to the same SSL errors I see posted from three years ago. Kind of disappointing but still trying to get it to work.
The last I've tried is manually downloading all the root pem files and they appear to be correct in the following location:
Yet when I run any net command, this for example, here's the error:
`connect_nonblock': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
C:>gem env version
Now, I see mention of some "manual" updating to a higher version, but again as a new user I went to this page: https://rubyinstaller.org/ and ran the installer for windows. I then, after the first SSL error found this page: http://guides.rubygems.org/ssl-certificate-update/ that correctly stated: "You’ve probably reached this page after encountering the following SSL error when trying to pull updates from RubyGems". Correct. So, ran through all the auto and then manual just to verify "fixes":
First per the page, I did this: Download rubygems-update-2.6.7.gem and manually updated since the automated update/install is broken due to this error. This was successful.
Then, the remaining fix steps are listed on this page as follows:
"Step 1: Obtain the new trust certificate
I did these, without errors. Certs all look good even manually downloaded all with curl and did comparisons.
Then, re-ran my command above. Same exact error. No changes. So something is still broken.
I'd really appreciate some pointers as to what I might have missed, bearing in mind this is on Windows, as I'm running out of ideas. It's a shame that on a clean system that's never seen the Ruby language before the install process leaves a system so broken and requires this much effort just to correct the install, but hopefully whatever is left here is minimal.
Quick update: I'm wondering why it looks like something is forcing Ruby to use SSLv3 which is disabled by default? Is this a totally different issue than just the rubygem local PEM files?
When I run this to test the cert chain using the openssl on the same 2 Windows PCs I'm testing with, it uses TLS and is just fine:
C:>openssl s_client -showcerts -connect github.com:443
So clearly openssl is properly using TLSv1 and everything is okay.
Yet when I run it through Ruby to Github's site as an example, it throws this SSL error that states "SSLv3":
C:>ruby -rnet/https -e "Net::HTTP.get URI('https://github.com')"
So, I'm new with Ruby so what is instructing Ruby to use SSLv3 and does this help with insight as to what the heck is going on? Again this is 2 clean Windows PCs now, one I even used Chocolatey to install Ruby but exact same SSL errors right out of the box.
This page is exactly what's happening, yet none of those solutions are written for Windows, but all the non-Windows users in that thread seem to confirm the issue. Clearly there is something still missing in today's installations with the Ruby build; this page makes it sound like when Ruby is actually built, it's not being built with a default certificate bundle to trust. Albeit, this is a writeup from FOUR years ago, so I was hesitant as to whether four years later the Ruby being built could possibly still have this issue and that's what I'm seeing, but after looking through it and doing more testing, it sure seems to be the same issue. The question is, on WINDOWS how do you fix this, and then the bigger question should be how do you update Ruby or the installer to fix this permanently in the future.
tl;dr: OpenSSL is not a user friendly library. RubyGems 2.6.8 does everything it can to work around this.
OpenSSL always says "SSLv3" in errors when it really made a TLS connection. It's misleading.
Without providing a verify callback like RubyGems 2.6.8 and newer do, you can't see why you got that error. The real error is hidden.
Neither OpenSSL nor ruby have ever provided a default certificate bundle. That has been up to the operating system to provide. Some ruby installers have decided to provide one for ruby.
RubyGems ships with trusted certificates for connecting to RubyGems.org.
Unfortunately OpenSSL has a misfeature where if you have an expired and a valid certificate for the same CA key OpenSSL will choose the expired one and give an error (verify_callback lets you see it). There is no way to tell where this key lives (which file) from ruby. There is no way to ignore the expired CA certificate while also allowing arbitrary HTTPS gem sources.
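A diagnostic for the situation the comment above describes (an expired and a valid certificate for the same CA both present in the trust list), as an added example that is not RubyGems code or part of the thread: it scans PEM text for subjects that have both. The function names, the in-memory sample certificates (constructed) and the use of the subject name to decide "same CA" are assumptions.

```ruby
require "openssl"

# Matches each certificate in a PEM bundle or in several concatenated files.
PEM_RE = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

def load_certs(pem_text)
  pem_text.scan(PEM_RE).map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Return subjects that have an expired certificate alongside a still-valid one.
# Assumption: an identical subject name stands in for "the same CA".
def shadowing_expired(certs, now = Time.now)
  certs.group_by { |c| c.subject.to_s }.filter_map do |subject, group|
    expired, valid = group.partition { |c| c.not_after < now }
    next if expired.empty? || valid.empty?
    { subject: subject, expired: expired.map(&:not_after), valid: valid.map(&:not_after) }
  end
end

# Constructed sample data: self-signed CA certificates generated in memory.
def sample_ca(name, key, not_before, not_after, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse(name)
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = not_before, not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

def sample_bundle(now = Time.now)
  key = OpenSSL::PKey::RSA.new(2048)
  day = 86_400
  [
    sample_ca("/CN=Example Root CA", key, now - 3000 * day, now - 30 * day, 1),  # expired
    sample_ca("/CN=Example Root CA", key, now - 100 * day, now + 3000 * day, 2), # renewed
    sample_ca("/CN=Other Root CA", key, now - 100 * day, now + 3000 * day, 3),   # unrelated
  ].map(&:to_pem).join
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? sample_bundle : ARGV.map { |f| File.read(f) }.join("\n")
  shadowing_expired(load_certs(text)).each do |hit|
    puts "#{hit[:subject]}: expired #{hit[:expired].join(', ')}; valid #{hit[:valid].join(', ')}"
  end
end
```

Run it with the paths of the PEM files you want to check as arguments; with no arguments it reports on the constructed sample bundle.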
In case anyone else should find themselves faced with this issue, even after following all of the instructions mentioned above, this is what I did to get it working on my machine:
On page: http://guides.rubygems.org/ssl-certificate-update/#manual-solution-to-ssl-issue
"Now, locate ssl_certs directory and copy the .pem file we obtained from previous step inside.
It will be listed with other files like AddTrustExternalCARoot.pem"
However, when I navigated to this location, there were 3 subdirectories and no .PEM files. Within the subdirectories were a number of different .PEM files. Adding the "GlobalSignRootCA.pem" file into all of those subdirectories and then issuing 'gem update' worked for me. Incidentally, I had to add my own proxy's certs too, but you may not have that issue.