SSL cert. error after upgrade to RubyGems 2.6.7 #1800

Closed
diarmuidoconnor opened this Issue Dec 16, 2016 · 24 comments


Hi there,
After encountering the well-known SSL certificate problem when trying to install a gem:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz

I followed the instructions for using update packages here. As confirmation of its success, I checked the certs were installed

$ gem which rubygems
/Users/diarmuidoconnor/.rvm/rubies/ruby-2.2.1/lib/ruby/site_ruby/2.2.0/rubygems.rb
$
$ cd /Users/diarmuidoconnor/.rvm/rubies/ruby-2.2.1/lib/ruby/site_ruby/2.2.0/rubygems/ssl_certs/
$
$ ls -la
total 48
drwxr-xr-x  11 diarmuidoconnor  staff   374 16 Dec 07:50 .
drwxr-xr-x  71 diarmuidoconnor  staff  2414 16 Dec 07:50 ..
-rw-r--r--   1 diarmuidoconnor  staff  1521 30 Mar  2015 AddTrustExternalCARoot-2048.pem
-rw-r--r--   1 diarmuidoconnor  staff  1952 30 Mar  2015 AddTrustExternalCARoot.pem
-rw-r--r--   1 diarmuidoconnor  staff   834 30 Mar  2015 Class3PublicPrimaryCertificationAuthority.pem
-rw-r--r--   1 diarmuidoconnor  staff  1367 30 Mar  2015 DigiCertHighAssuranceEVRootCA.pem
-rw-r--r--   1 diarmuidoconnor  staff  1740 30 Mar  2015 EntrustnetSecureServerCertificationAuthority.pem
-rw-r--r--   1 diarmuidoconnor  staff  1216 30 Mar  2015 GeoTrustGlobalCA.pem
drwxr-xr-x   3 diarmuidoconnor  staff   102 16 Dec 07:50 index.rubygems.org
drwxr-xr-x   3 diarmuidoconnor  staff   102 16 Dec 07:50 rubygems.global.ssl.fastly.net
drwxr-xr-x   3 diarmuidoconnor  staff   102 16 Dec 07:50 rubygems.org
$
$ ls -la index.rubygems.org/
total 8
drwxr-xr-x   3 diarmuidoconnor  staff   102 16 Dec 07:50 .
drwxr-xr-x  11 diarmuidoconnor  staff   374 16 Dec 07:50 ..
-rw-r--r--   1 diarmuidoconnor  staff  1261 16 Dec 07:50 GlobalSignRootCA.pem
 $ ls -la rubygems.global.ssl.fastly.net/
total 8
drwxr-xr-x   3 diarmuidoconnor  staff   102 16 Dec 07:50 .
drwxr-xr-x  11 diarmuidoconnor  staff   374 16 Dec 07:50 ..
-rw-r--r--   1 diarmuidoconnor  staff  1367 16 Dec 07:50 DigiCertHighAssuranceEVRootCA.pem
 $ ls -la rubygems.org/
total 8
drwxr-xr-x   3 diarmuidoconnor  staff   102 16 Dec 07:50 .
drwxr-xr-x  11 diarmuidoconnor  staff   374 16 Dec 07:50 ..
-rw-r--r--   1 diarmuidoconnor  staff  1521 16 Dec 07:50 AddTrustExternalCARoot.pem
 $ 

Note the files and folders dated '16 Dec' (yesterday). Seems ok, however when I try to install any gem I still get the same SSL certs error.

As a workaround, I changed my remote sources to use http (instead of https) and installed the gems I need for development - bad solution, I know. Obviously I want to resume using https but cannot.

The environment is:

$ gem env
RubyGems Environment:
 - RUBYGEMS VERSION: 2.6.7
 - RUBY VERSION: 2.2.1 (2015-02-26 patchlevel 85) [x86_64-darwin14]
 - INSTALLATION DIRECTORY: /Users/diarmuidoconnor/.rvm/gems/ruby-2.2.1
 - USER INSTALLATION DIRECTORY: /Users/diarmuidoconnor/.gem/ruby/2.2.0
 - RUBY EXECUTABLE: /Users/diarmuidoconnor/.rvm/rubies/ruby-2.2.1/bin/ruby
 - EXECUTABLE DIRECTORY: /Users/diarmuidoconnor/.rvm/gems/ruby-2.2.1/bin
 - SPEC CACHE DIRECTORY: /Users/diarmuidoconnor/.gem/specs
 - SYSTEM CONFIGURATION DIRECTORY: /etc
 - RUBYGEMS PLATFORMS:
   - ruby
   - x86_64-darwin-14
 - GEM PATHS:
    - /Users/diarmuidoconnor/.rvm/gems/ruby-2.2.1
    - /Users/diarmuidoconnor/.rvm/gems/ruby-2.2.1@global
 - GEM CONFIGURATION:
    - :update_sources => true
    - :verbose => true
    - :backtrace => false
    - :bulk_threshold => 1000
    - :sources => ["http://rubygems.org/"]
    - "gem" => "--no-document"
 - REMOTE SOURCES:
    - http://rubygems.org/
 - SHELL PATH:
    - /Users/diarmuidoconnor/.rvm/gems/ruby-2.2.1/bin
    - /Users/diarmuidoconnor/.rvm/gems/ruby-2.2.1@global/bin
    - /Users/diarmuidoconnor/.rvm/rubies/ruby-2.2.1/bin
    - /Users/diarmuidoconnor/.rvm/bin
    - /Users/diarmuidoconnor/.nvm/versions/node/v4.2.2/bin
    - /usr/bin
    - /bin
    - /usr/sbin
    - /sbin
    - /usr/local/bin
    - /Users/diarmuidoconnor/Development/android-sdk-macosx/tools
    - /usr/local/mongodb/bin
$ 

Some other environment context:

  • rvm 1.26.11
  • OSX 10.9

Thanks in advance for your help

Diarmuid

drbrain Dec 17, 2016

Member

Please upgrade manually to 2.6.8, it will give more information about why your connection is failing.

diarmuidoconnor Dec 17, 2016

Hi,
Not completely sure what you mean by 'upgrade manually'? Is it:
a) As per these instructions
OR
b) Download the Rubygems zip and run ruby setup.rb from the command line.

As a) would not really 'give more information', I did b) and the response is below:

$ pwd
/Users/diarmuidoconnor/Downloads/rubygems-2.6.8
 $ ruby setup.rb 
RubyGems 2.6.8 installed

=== 2.6.8 / 2016-10-29

Bug fixes:

* Improve SSL verification failure message. Pull request #1751
  by Eric Hodel.
* Ensure `to_spec` falls back on prerelease specs. Pull request
  #1755 by André Arko.
* Update vendored Molinillo to 0.5.3. Pull request #1763 by
  Samuel Giddins.

=== 2.6.7 / 2016-09-26

Bug fixes:

* Install native extensions in the correct location when using the
  `--user-install` flag. Pull request #1683 by Noah Kantrowitz.
* When calling `Gem.sources`, load sources from `configuration`
  if present, else use the default sources. Pull request #1699
  by Luis Sagastume.
* Fail gracefully when attempting to redirect without a Location.
  Pull request #1711 by Samuel Giddins.
* Update vendored Molinillo to 0.5.1. Pull request #1714 by
  Samuel Giddins.

=== 2.6.6 / 2016-06-22

Bug fixes:

* Sort installed versions to make sure we install the latest version when
  running `gem update --system`. As a one-time fix, run
  `gem update --system=2.6.6`. Pull request #1601 by David Radcliffe.

=== 2.6.5 / 2016-06-21

Minor enhancements:

* Support for unified Integer in Ruby 2.4. Pull request #1618
  by SHIBATA Hiroshi.
* Update vendored Molinillo to 0.5.0 for performance improvements.
  Pull request #1638 by Samuel Giddins.

Bug fixes:

* Raise an explicit error if Signer#sign is called with no certs. Pull
  request #1605 by Daniel Berger.
* Update `update_bundled_ca_certificates` utility script for directory
  nesting. Pull request #1583 by James Wen.
* Fix broken symlink support in tar writer (+ fix broken test). Pull
  request #1578 by Cezary Baginski.
* Remove extension directory before (re-)installing. Pull request #1576
  by Jeremy Hinegardner.
* Regenerate test CA certificates with appropriate extensions. Pull
  request #1611 by rhenium.
* Rubygems does not terminate on failed file lock when not superuser. Pull
  request #1582 by Ellen Marie Dash.
* Fix tar headers with a 101 character name. Pull request #1612 by Paweł
  Tomulik.
* Add Gem.platform_defaults to allow implementations to override defaults.
  Pull request #1644 by Charles Oliver Nutter.
* Run Bundler tests on TravisCI. Pull request #1650 by Samuel Giddins.

=== 2.6.4 / 2016-04-26

Minor enhancements:

* Use Gem::Util::NULL_DEVICE instead of hard coded strings. Pull request #1588
  by Chris Charabaruk.
* Use File.symlink on MS Windows if supported. Pull request #1418
  by Nobuyoshi Nakada.

Bug fixes:

* Redact uri password from error output when gem fetch fails. Pull request
  #1565 by Brian Fletcher.
* Suppress warnings. Pull request #1594 by Nobuyoshi Nakada.
* Escape user-supplied content served on web pages by `gem server` to avoid
  potential XSS vulnerabilities. Samuel Giddins.

=== 2.6.3 / 2016-04-05

Minor enhancements:

* Lazily calculate Gem::LoadError exception messages. Pull request #1550
  by Aaron Patterson.
* New fastly cert. Pull request #1548 by David Radcliffe.
* Organize and cleanup SSL certs. Pull request #1555 by James Wen.
* [RubyGems] Make deprecation message for paths= more helpful. Pull
  request #1562 by Samuel Giddins.
* Show default gems when using "gem list". Pull request #1570 by Luis
  Sagastume.

Bug fixes:

* Stub ordering should be consistent regardless of how cache is populated.
  Pull request #1552 by Aaron Patterson.
* Handle cases when the @@stubs variable contains non-stubs. Pull request
  #1558 by Per Lundberg.
* Fix test on Windows for inconsistent temp path. Pull request #1554 by
  Hiroshi Shirosaki.
* Fix `Gem.find_spec_for_exe` picks oldest gem. Pull request #1566 by
  Shinichi Maeshima.
* [Owner] Fallback to email and userid when owner email is missing. Pull
  request #1569 by Samuel Giddins.
* [Installer] Handle nil existing executable. Pull request #1561 by Samuel
  Giddins.
* Allow two digit version numbers in the tests. Pull request #1575 by unak.

=== 2.6.2 / 2016-03-12

Bug fixes:

* Fix wrong version of gem activation for bin stub. Pull request #1527 by
  Aaron Patterson.
* Speed up gem activation failures. Pull request #1539 by Aaron Patterson.
* Fix platform sorting in the resolver. Pull request #1542 by Samuel E.
  Giddins.
* Ensure we unlock the monitor even if try_activate throws. Pull request
  #1538 by Charles Oliver Nutter.


=== 2.6.1 / 2016-02-28

Bug fixes:

* Ensure `default_path` and `home` are set for paths. Pull request #1513
  by Aaron Patterson.
* Restore but deprecate support for Array values on `Gem.paths=`. Pull
  request #1514 by Aaron Patterson.
* Fix invalid gem file preventing gem install from working. Pull request
  #1499 by Luis Sagastume.

=== 2.6.0 / 2016-02-26

Minor enhancements:

* RubyGems now defaults the `gem push` to the gem's "allowed_push_host"
  metadata setting.  Pull request #1486 by Josh Lane.
* Update bundled Molinillo to 0.4.3. Pull request #1493 by Samuel E. Giddins.
* Add version option to gem open command. Pull request #1483 by Hrvoje
  Šimić.
* Feature/add silent flag. Pull request #1455 by Luis Sagastume.
* Allow specifying gem requirements via env variables. Pull request #1472
  by Samuel E. Giddins.

Bug fixes:

* RubyGems now stores `gem push` credentials under the host you signed-in for.
  Pull request #1485 by Josh Lane.
* Move `coding` location to first line. Pull request #1471 by SHIBATA
  Hiroshi.
* [PathSupport] Handle a regexp path separator. Pull request #1469 by
  Samuel E. Giddins.
* Clean up the PathSupport object. Pull request #1094 by Aaron Patterson.
* Join with File::PATH_SEPARATOR in Gem.use_paths. Pull request #1476 by
  Samuel E. Giddins.
* Handle when the gem home and gem path arent set in the config file. Pull
  request #1478 by Samuel E. Giddins.
* Terminate TimeoutHandler. Pull request #1479 by Nobuyoshi Nakada.
* Remove redundant cache. Pull request #1482 by Eileen M. Uchitelle.
* Freeze `Gem::Version@segments` instance variable. Pull request #1487 by
  Ben Dean.
* Gem cleanup is trying to uninstall gems outside GEM_HOME and reporting
  an error after it tries. Pull request #1353 by Luis Sagastume.
* Avoid duplicated sources. Pull request #1489 by Luis Sagastume.
* Better description for quiet flag. Pull request #1491 by Luis Sagastume.
* Raise error if find_by_name returns with nil. Pull request #1494 by
  Zoltán Hegedüs.
* Find_files only from loaded_gems when using gemdeps. Pull request #1277
  by Michal Papis.


------------------------------------------------------------------------------

RubyGems installed the following executables:
	/Users/diarmuidoconnor/.rvm/rubies/ruby-2.2.1/bin/gem

Does this help?

Diarmuid

lilach Dec 20, 2016

I'm getting the SSL error too.
I upgraded to rubygems 2.6.8 and when running a gem install ... I get this message:

ERROR:  SSL verification error at depth 2: certificate has expired (10)
ERROR:  Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR:  SSL verification error at depth 2: certificate has expired (10)
ERROR:  Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR:  SSL verification error at depth 2: certificate has expired (10)
ERROR:  Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR:  Could not find a valid gem 'bundler' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)
ERROR:  SSL verification error at depth 2: certificate has expired (10)
ERROR:  Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z

I installed the GlobalSignCA.pem manually, following the instructions here.

Thanks
Lilach

drbrain Dec 20, 2016

Member

@lilach you need to remove the expired GlobalSign CA certificate. Most people have found it in OS X Keychain, provided you're using that OS.

drbrain Dec 20, 2016

Member

@diarmuidoconnor what SSL error do you see now?

Decoydoll Dec 20, 2016

Hi,

I also got a problem related to the SSL. Here is what was printed on my console when I try to make a new rails project:

Fetching source index from https://rubygems.org/
Could not verify the SSL certificate for
https://rubygems.org/quick/Marshal.4.8/sqlite3-0.0.0.gemspec.rz.
There is a chance you are experiencing a man-in-the-middle attack, but most
likely your system doesn't have the CA certificates needed for verification. For
information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect
without using SSL, edit your Gemfile sources and change 'https' to 'http'.

I have followed the official instructions here too.

Here is my ssl_certs directory :

image

FYI I got my ruby installation from rubyinstaller.org and I'm using Win 10.

Really appreciate your help, thanks! XD

drbrain Dec 20, 2016

Member

@Decoydoll That error is from Bundler, what error do you get with gem install sqlite3 using RubyGems 2.6.8?

lilach Dec 21, 2016

Thanks, @drbrain. I tried looking for an expired certificate, but everything is valid. Do you have any other ideas? (I am using macOS Sierra)

diarmuidoconnor Dec 21, 2016

Hi @drbrain,
No progress unfortunately. For example, if I simply try to add the secure rubygems source to my environment, I still get the same error:

 $ gem sources -a https://rubygems.org/
ERROR:  SSL verification error at depth 2: certificate has expired (10)
ERROR:  Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
Error fetching https://rubygems.org/:
	SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)
 $ 

BTW, I noticed from the above response that the offending certificate has the exact same expiry date as @lilach. Is this significant? I checked the expiry of the cert I THOUGHT was being used (according to response from 'gem which rubygems' command) and it's fine:

$ openssl x509 -enddate -noout -in index.rubygems.org/GlobalSignRootCA.pem 
notAfter=Jan 28 12:00:00 2028 GMT
 $

No old certs hanging around in Keychain either (although I am not very familiar with that utility).

So, I am currently installing insecurely (over http) for now. Any help still appreciated.

Diarmuid

Decoydoll Dec 21, 2016

@drbrain haha, I got no error when I ran gem install sqlite3 :v.

Previously, I solved the problem by changing source 'https://rubygems.org' in the Gemfile in my rails project directory and running the bundle install, but now it is reverted back to source 'https://rubygems.org' and when I run the bundle install, there is no error :v.

Btw, thank you so much for your response !!

drbrain Dec 21, 2016

Member

@diarmuidoconnor @lilach you both have this expired certificate in your trusted CA list: https://support.globalsign.com/customer/portal/articles/1426272-expiration-of-old-globalsign-2014-root-ca-certificate

Some people have found the expired certificate in the OS X keychain, some have found it in ruby -ropenssl -e 'p OpenSSL::X509::DEFAULT_CERT_FILE'

haydenzone Dec 30, 2016

I've followed the instructions here, and I'm still seeing this.

gem install rails
ERROR:  Could not find a valid gem 'rails' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)
$ gem which rubygems
/usr/local/lib/ruby/site_ruby/2.2.0/rubygems.rb
$ cd /usr/local/lib/ruby/site_ruby/2.2.0/rubygems/ssl_certs/
$ ls -Roa
total 8
drwxr-xr-x   6 hayden   204 Dec 29 21:12 .
drwxr-xr-x  71 hayden  2414 Dec 29 21:05 ..
-rw-r--r--   1 hayden  1261 Dec 29 21:10 GlobalSignRootCA.pem
drwxr-xr-x   3 hayden   102 Dec 29 21:05 index.rubygems.org
drwxr-xr-x   4 hayden   136 Dec 29 21:22 rubygems.global.ssl.fastly.net
drwxr-xr-x   4 hayden   136 Dec 29 21:15 rubygems.org

./index.rubygems.org:
total 8
drwxr-xr-x  3 hayden   102 Dec 29 21:05 .
drwxr-xr-x  6 hayden   204 Dec 29 21:12 ..
-rw-r--r--  1 hayden  1261 Dec 29 21:22 GlobalSignRootCA.pem

./rubygems.global.ssl.fastly.net:
total 16
drwxr-xr-x  4 hayden   136 Dec 29 21:22 .
drwxr-xr-x  6 hayden   204 Dec 29 21:12 ..
-rw-r--r--  1 hayden  1367 Dec 29 21:05 DigiCertHighAssuranceEVRootCA.pem
-rw-r--r--  1 hayden  1261 Dec 29 21:22 GlobalSignRootCA.pem

./rubygems.org:
total 16
drwxr-xr-x  4 hayden   136 Dec 29 21:15 .
drwxr-xr-x  6 hayden   204 Dec 29 21:12 ..
-rw-r--r--  1 hayden  1521 Dec 29 21:05 AddTrustExternalCARoot.pem
-rw-r--r--  1 hayden  1261 Dec 29 21:15 GlobalSignRootCA.pem
gem env
RubyGems Environment:
  - RUBYGEMS VERSION: 2.6.7
  - RUBY VERSION: 2.2.0 (2014-12-25 patchlevel 0) [x86_64-darwin14]
  - INSTALLATION DIRECTORY: /usr/local/lib/ruby/gems/2.2.0
  - USER INSTALLATION DIRECTORY: /Users/hayden/.gem/ruby/2.2.0
  - RUBY EXECUTABLE: /usr/local/opt/ruby/bin/ruby
  - EXECUTABLE DIRECTORY: /usr/local/bin
  - SPEC CACHE DIRECTORY: /Users/hayden/.gem/specs
  - SYSTEM CONFIGURATION DIRECTORY: /usr/local/Cellar/ruby/2.2.0/etc
  - RUBYGEMS PLATFORMS:
    - ruby
    - x86_64-darwin-14
  - GEM PATHS:
     - /usr/local/lib/ruby/gems/2.2.0
     - /Users/hayden/.gem/ruby/2.2.0
     - /usr/local/Cellar/ruby/2.2.0/lib/ruby/gems/2.2.0
  - GEM CONFIGURATION:
     - :update_sources => true
     - :verbose => true
     - :backtrace => false
     - :bulk_threshold => 1000
  - REMOTE SOURCES:
     - https://rubygems.org/
  - SHELL PATH:
     - /usr/local/bin
     - /usr/bin
     - /bin
     - /usr/sbin
     - /sbin
     - /Users/hayden/.rvm/bin

I opened the "Keychain Access" tool and searched for "GlobalSign". It yielded 5 results - 4 named "GlobalSign" and 1 named "GlobalSign Root CA". They all had expiration dates well in the future (earliest being 2021).

Running ruby -ropenssl -e 'p OpenSSL::X509::DEFAULT_CERT_FILE' yielded /usr/local/etc/openssl/cert.pem

Running openssl x509 -text -noout -in /usr/local/etc/openssl/cert.pem yielded:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 915974705 (0x3698aa31)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=com.apple.systemdefault, O=System Identity
        Validity
            Not Before: Nov 23 10:24:35 2013 GMT
            Not After : Nov 18 10:24:35 2033 GMT
        Subject: CN=com.apple.systemdefault, O=System Identity
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                1.2.840.113635.100.4.4
    Signature Algorithm: sha1WithRSAEncryption

Running macOS Sierra 10.12.2

haydenzone Dec 30, 2016

Did some more searching, and I think I found the fix

$ rvm osx-ssl-certs status all
Certificates for /usr/local/etc/openssl/cert.pem: Old.
$ rvm osx-ssl-certs update all
Updating certificates for /usr/local/etc/openssl/cert.pem: Updating certificates in '/usr/local/etc/openssl/cert.pem'.
Updated.
$ rvm osx-ssl-certs status all
Certificates for /usr/local/etc/openssl/cert.pem: Up to date.

After that, it worked!

jrmhaig Jan 5, 2017

I had the same problem as @haydenzone except that the solution he gave didn't work. I got:

$ rvm osx-ssl-certs update all
Updating certificates for /usr/local/etc/openssl/cert.pem: Already up to date.

I had to do this instead:

$ curl https://curl.haxx.se/ca/cacert.pem > /usr/local/etc/openssl/cert.pem

and this solved the problem for me.

alanevans Jan 12, 2017

Also, for the record, tried all the normal documented solutions, but nothing worked. @jrmhaig's fix finally worked for me.

JohnIrle Jan 15, 2017

@jrmhaig's fix worked for me too. Could you explain why it worked? I'm a little worried about downloading a certificate from a website with haxx in the name. 😆

drbrain Jan 15, 2017

Member

You probably have the expired GlobalSign CA certificate (expired over a decade ago, which has been renewed) in your keychain (which RVM uses to build its keys). Furthermore, OpenSSL doesn't ignore expired certificates if a refreshed one for the same guy is also present.

Using cURL's certificates means you don't get poisoned by the old certificate.

jrmhaig Jan 15, 2017

Ahem Just download the file and don't ask too many questions. 😈

Seriously though, https://curl.haxx.se/ is the home page for libcurl, which includes the curl command, and they provide an up-to-date copy of the Mozilla CA certificate store here: https://curl.haxx.se/docs/caextract.html

CollinChaffin Feb 2, 2017

Brand new Ruby user on WINDOWS so all the above doesn't apply to me. Have to say was excited to try Ruby for the first time and I'm over two hrs into it and it's broken right out of the box. I've now read a handful of "fix" directions for the broken SSL that seem to date back years yet in 2017 running the latest windows installer x64 results for some reason in a product that won't work with all broken SSL and can't even update itself or install the gems due to the same SSL errors I see posted from three years ago. Kind of disappointing but still trying to get it to work.

The last I've tried is manually downloading all the root pem files and they appear to be correct in the following location:

C:\ruby23\lib\ruby\2.3.0\rubygems\ssl_certs

Yet when I run any net command, this for example, here's the error:

`connect_nonblock': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

C:>gem env version
2.6.7

Now, I see mention of some "manual" updating to a higher version, but again as a new user I went to this page: https://rubyinstaller.org/ and ran the installer for windows. I then, after the first SSL error found this page: http://guides.rubygems.org/ssl-certificate-update/ that correctly stated: "You’ve probably reached this page after encountering the following SSL error when trying to pull updates from RubyGems". Correct. So, ran through all the auto and then manual just to verify "fixes":

First per the page, I did this: Download rubygems-update-2.6.7.gem and manually updated since the automated update/install is broken due to this error. This was successful.

Then, the remaining fix steps are listed on this page as follows:

"Step 1: Obtain the new trust certificate
Step 2: Locate RubyGems certificate directory in your installation
Step 3: Copy new trust certificate
Step 4: Profit"

I did these, without errors. Certs all look good even manually downloaded all with curl and did comparisons.

Then, re-ran my command above. Same exact error. No changes. So something is still broken.

I'd really appreciate some pointers as to what I might have missed bearing in mind this is on Windows as I'm running out of ideas. It's a shame that on a clean system that's never seen the Ruby language before that the install process leaves a system so broken and requires this much effort just to correct the install but hopefully whatever is left here is minimal.

CollinChaffin Feb 2, 2017

Quick update: I'm wondering why it looks like something is forcing Ruby to use SSLv3 which is disabled by default? Is this a totally different issue than just the rubygem local PEM files?

When I run this to test the cert chain using the openssl on the same 2 Windows PCs I'm testing with, it uses TLS and is just fine:

C:>openssl s_client -showcerts -connect github.com:443

Produces (truncated):

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assu
rance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Exte
nded Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, jurisdictionC = US, jurisdictio
nST = Delaware, serialNumber = 5157550, street = "88 Colin P Kelly, Jr Street",
postalCode = 94107, C = US, ST = California, L = San Francisco, O = "GitHub, Inc
.", CN = github.com
verify return:1
xxx
Certificate chain
0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Dela
ware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=
US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validati
on Server CA
xx-----BEGIN CERTIFICATE-----
xx
(REMOVED)
xx
(THE IMPORTANT PART)
xxx
SSL handshake has read 3642 bytes and written 432 bytes
xxx
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
xx
(REMOVED)
xx

So clearly openssl is properly using TLSv1 and everything is okay.

Yet when I run it through Ruby to Github's site as an example, it throws this SSL error that states "SSLv3":

C:>ruby -rnet/https -e "Net::HTTP.get URI('https://github.com')"

C:/ProgramData/chocolatey/apps/ruby23/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B : certificate verify failed (OpenSSL::SSL::SSLError)
from C:/ProgramData/chocolatey/apps/ruby23/lib/ruby/2.3.0/net/http.rb:933:in `connect'
from C:/ProgramData/chocolatey/apps/ruby23/lib/ruby/2.3.0/net/http.rb:863:in `do_start'
from C:/ProgramData/chocolatey/apps/ruby23/lib/ruby/2.3.0/net/http.rb:852:in `start'
from C:/ProgramData/chocolatey/apps/ruby23/lib/ruby/2.3.0/net/http.rb:584:in `start'
from C:/ProgramData/chocolatey/apps/ruby23/lib/ruby/2.3.0/net/http.rb:479:in `get_response'
from C:/ProgramData/chocolatey/apps/ruby23/lib/ruby/2.3.0/net/http.rb:456:in `get'
from -e:1:in `<main>'

So, I'm new with Ruby so what is instructing Ruby to use SSLv3 and does this help with insight as to what the heck is going on? Again this is 2 clean Windows PCs now, one I even used Chocolatey to install Ruby but exact same SSL errors right out of the box.

CollinChaffin Feb 2, 2017

This page is exactly what's happening, yet none of those solutions are written for windows but all the non-windows users in that thread seem to confirm the issue. Clearly there is something still missing in today's installations with the Ruby build that this page makes it sound like when Ruby is actually built, it's not being built with a default certificate bundle to trust. Albeit, this is a writeup from FOUR years ago, so I was hesitant as to whether four years later the Ruby being built could possibly still have this issue and that's what I'm seeing, but after looking through it and doing more testing, it sure seems to be the same issue. The question is, on WINDOWS how do you fix this, and then the bigger question should be how do you update Ruby or the installer to fix this permanently in the future.

https://gist.github.com/mislav/5026283

drbrain Feb 2, 2017

Member

tl;dr: OpenSSL is not a user friendly library. RubyGems 2.6.8 does everything it can to work around this.

OpenSSL always says "SSLv3" in errors when it really made a TLS connection. It's misleading.

Without providing a verify callback like RubyGems 2.6.8 and newer do, you can't see why you got that error. The real error is hidden.

Neither OpenSSL nor ruby have ever provided a default certificate bundle. That has been up to the operating system to provide. Some ruby installers have decided to provide one for ruby.

RubyGems ships with trusted certificates for connecting to RubyGems.org.

Unfortunately OpenSSL has a misfeature where if you have an expired and a valid certificate for the same CA key OpenSSL will choose the expired one and give an error (verify_callback lets you see it). There is no way to tell where this key lives (which file) from ruby. There is no way to ignore the expired CA certificate while also allowing arbitrary HTTPS gem sources.
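The two points in the comment above (a verify callback exposes the real error, and an expired CA certificate can sit in a bundle beside its renewal) can be checked with the following added example, which is not part of the original comment or of RubyGems. The certificates are constructed in memory, and `make_cert`, `build_demo`, `parse_bundle`, `shadowed_cas` and `verify_with_reasons` are hypothetical helper names.

```ruby
require "openssl"

YEAR = 365 * 24 * 3600

# Build a constructed test certificate (all names, serials and dates are made up).
def make_cert(subject, key, issuer_cert, issuer_key, from, to, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = subject
  cert.issuer = issuer_cert ? issuer_cert.subject : subject
  cert.public_key = key
  cert.not_before = from
  cert.not_after = to
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = issuer_cert || cert
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# An expired root, its renewal under the same name and key, and a leaf the key signed.
def build_demo(now = Time.now)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_name = OpenSSL::X509::Name.parse("/O=Constructed Example/CN=Example Root CA")
  leaf_name = OpenSSL::X509::Name.parse("/CN=gems.example.test")
  expired = make_cert(ca_name, ca_key, nil, ca_key, now - 20 * YEAR, now - 10 * YEAR, 1, ca: true)
  renewed = make_cert(ca_name, ca_key, nil, ca_key, now - YEAR, now + 10 * YEAR, 2, ca: true)
  leaf = make_cert(leaf_name, OpenSSL::PKey::RSA.new(2048), renewed, ca_key,
                   now - 86_400, now + YEAR, 3)
  { expired_ca: expired, renewed_ca: renewed, leaf: leaf }
end

# Split a PEM bundle (cert.pem, cacert.pem, ...) into every certificate it holds.
def parse_bundle(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Subjects for which the bundle holds both an expired and a currently valid
# certificate with the same name and public key.
def shadowed_cas(certs, now = Time.now)
  groups = certs.group_by { |c| [c.subject.to_s, c.public_key.to_der] }
  groups.select do |_, group|
    group.any? { |c| c.not_after < now } &&
      group.any? { |c| c.not_before <= now && now <= c.not_after }
  end.keys.map(&:first)
end

# Verify leaf against the given trust anchors and collect what the verify
# callback is told, instead of the bare "certificate verify failed".
def verify_with_reasons(trusted, leaf)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  reasons = []
  store.verify_callback = lambda do |ok, ctx|
    unless ok
      reasons << { code: ctx.error, message: ctx.error_string, depth: ctx.error_depth,
                   subject: ctx.current_cert.subject.to_s }
    end
    ok
  end
  [store.verify(leaf), reasons]
end

if __FILE__ == $PROGRAM_NAME
  demo = build_demo
  bundle = parse_bundle(demo[:expired_ca].to_pem + demo[:renewed_ca].to_pem)
  puts "shadowed CA subjects: #{shadowed_cas(bundle).inspect}"
  ok, reasons = verify_with_reasons([demo[:expired_ca]], demo[:leaf])
  puts "expired root only: verified=#{ok}"
  reasons.each { |r| puts "  depth #{r[:depth]}: #{r[:message]} (#{r[:subject]})" }
end
```

To check a real bundle, such as the `OpenSSL::X509::DEFAULT_CERT_FILE` path reported earlier in the thread, pass `File.read(path)` to `parse_bundle`. Unlike `openssl x509 -in`, which prints only the first certificate in a file, it reads every PEM block.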

maaxiim Aug 23, 2017

In case anyone else should find themselves faced with this issue, even after following all of the instructions mentioned above, this is what I did to get it working on my machine:

On page: http://guides.rubygems.org/ssl-certificate-update/#manual-solution-to-ssl-issue
It states:
"Step 3: Copy new trust certificate

Now, locate ssl_certs directory and copy the .pem file we obtained from previous step inside.

It will be listed with other files like AddTrustExternalCARoot.pem"

However, when I navigated to this location, there were 3 subdirectories and no .PEM files. Within the subdirectories were a number of different .PEM files. Adding the "GlobalSignRootCA.pem" file into all of those subdirectories and then issuing 'gem update' worked for me. Incidentally, I had to add my own proxy's certs too, but you may not have that issue.

colby-swandale Sep 18, 2017

Member

I'm closing this for now. If you're still experiencing your original issue don't be afraid to re-open this ticket.
