SSL_connect failure when running "rails new" #319

Closed
DanielKehoe opened this Issue Apr 22, 2012 · 106 comments

@DanielKehoe

I'm using Mac OS 10.6.8. I'm using RubyGems 1.8.23. I've installed Ruby 1.9.3p194 using rvm version 1.12.3. I have rake 0.9.2.2 and bundler version 1.1.3. When I run rails new testapp I get an error:

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B (https://rubygems.org/gems/rake-0.9.2.2.gem) An error occured while installing rake (0.9.2.2), and Bundler cannot continue.

I found a Stack Overflow discussion "bundle install fails with SSL certificate verification error"[1] which suggests creating or modifying a file called .gemrc in your home path, including the line :ssl_verify_mode: 0. That works, but the RubyGems 1.8.23 release notes say this is not recommended.

Instead, the RubyGems 1.8.23 release notes recommend:

configure SSL certificate usage in RubyGems through the :ssl_ca_cert and :ssl_verify_mode options in ~/.gemrc and /etc/gemrc. The recommended way is to set :ssl_ca_cert to the CA certificate for your server or a certificate bundle containing your CA certification

All I'm doing is connecting to https://rubygems.org/. It's not a "custom RubyGems server."

I didn't have this problem before installing RubyGems 1.8.23 and Ruby 1.9.3p194.

Why do I get the failure?

What's the recommended way to fix this?

[1] http://stackoverflow.com/questions/10246023/bundle-install-fails-with-ssl-certificate-verification-error

@zenspider
Contributor

You can use the gem source command to fix your source to use plain http (or edit gemrc directly)

@DanielKehoe

Could the error be due to an outdated SSL certificate on my local computer? Any other likely reason?

@zenspider
Contributor

I don't think so, but I've been out of the loop on this one. AFAIK, it's because the HTTPS source is redirecting to an HTTP url and that's bad so we're not allowing it to happen anymore. Downgrading your source to HTTP should be sufficient since it is just rubygems.org.

@DanielKehoe

I've used the command sudo gem sources -a http://rubygems.org and my .gemrc file looks like this:

:backtrace: false
:benchmark: false
:bulk_threshold: 1000
:sources:
- http://gems.rubyforge.org/
- http://gemcutter.org/
- http://gems.github.com
- http://rubygems.org
:update_sources: true
:verbose: true
install: --no-rdoc --no-ri
update: --no-rdoc --no-ri

I'm still getting the same error.

The error should be easy to reproduce. Just use rvm to create a new gemset, then gem install rails and rails new testapp to see the error.

As you know, when we use the rails new testapp command, Rails generates a Gemfile that contains source 'https://rubygems.org'. I presume that overrides any source I add to the .gemrc file.

So what's going on? It doesn't make sense that https://rubygems.org would be redirected to an http server.

Besides, the source lib/rubygems/remote_fetcher.rb looks like it would raise a FetchError with the message "redirecting to non-https resource" if the problem was a redirect from https to http.

@luislavena
Member

I would suggest you remove the following sources:

  • gems.rubyforge.org
  • gemcutter.org

Those two are dead. Gemcutter became rubygems and the domain might be redirecting to an HTTPS connection. The RubyForge one is no longer the source for gems.

You can remove the sources:

gem sources -r http://gems.rubyforge.org
gem sources -r http://gemcutter.org
@DanielKehoe

@luislavena thank you for the tip. However the error persists after I've removed the two superfluous gem sources.

@luislavena
Member

@DanielKehoe can you run gem install rake --verbose ?

I can't reproduce with latest RubyGems.

@luislavena
Member

@DanielKehoe better yet, can you check that your Gemfile (since you mentioned Bundler) does not contain `source "https://rubygems.org"` in it?

@DanielKehoe

@luislavena the problem is exactly this: When the rails new command is used, the Gemfile installed by Rails specifies https://rubygems.org/ as the source for gems. As far as I know, it overrides any other gem source set in .gemrc. There's no way to change the gem source in the Gemfile when you run rails new because it comes from a template file in the Rails gem itself. So when I try to create a new Rails application it fails with the SSL_connect error.

@luislavena
Member

@DanielKehoe can't you rails new foo --skip-bundle ?

Your problem is that your installation is having issues validating the certs. RubyGems and Ruby 1.9.3-p194 bundle a .pem file with the certs, and that is what RubyGems should be using to validate.

If it is failing for you then the issue is something else.

@DanielKehoe

Here is the detailed guide I am using to install Rails:
http://railsapps.github.com/installing-rails.html

Here are the specific steps to reproduce the error:

  • install rvm (https://rvm.io/rvm/install/)
  • $ rvm install ruby-1.9.3-p194
  • $ rvm --default use ruby-1.9.3-p194
  • $ rvm ruby-1.9.3-p194@rails32 --create --default
  • $ gem install rails
  • $ rails new testapp

My .gemrc looks like this:

---
:backtrace: false
:benchmark: false
:bulk_threshold: 1000
:sources:
- https://gems.github.com
- http://rubygems.org
:update_sources: true
:verbose: true
install: --no-rdoc --no-ri
update: --no-rdoc --no-ri
# :ssl_verify_mode: 0
@luislavena
Member

Remove https from github.

Sorry for top posting. Sent from mobile.

@DanielKehoe

@luislavena yes, I can use rails new foo --skip-bundle and then edit the Gemfile if I'm going to build a Rails app from scratch. I still have a problem if I try to use an app template to generate a new app, for example:

rails new myapp -m https://raw.github.com/RailsApps/rails3-application-templates/master/rails3-haml-html5-template.rb --skip-bundle

I've got a number of app templates on GitHub and quite a few people using them. I haven't had a lot of reports of this error, but I've had a few, and I'm seeing it myself. I'd like to get to the bottom of what's at issue so I can advise others who report the problem. I don't want to just suggest :ssl_verify_mode: 0 if there's a more appropriate fix.

@nahi
Contributor
nahi commented Apr 24, 2012

The root problem is on the server side, which tries to redirect 'https://rubygems.org/' to 'https://bb-m.rubygems.org/'. https://bb-m.rubygems.org is wrongly configured for SSL connections, so we're getting an SSL certification failure. In addition, even if we configure rubygems to ignore the certification failure, https://bb-m.rubygems.org/ redirects clients to http://rubygems.org/* (redirecting to a non-https resource), so we can't make it work by client configuration anyway.

I sent a mail about this investigation to @evanphx and @drbrain 16.5 hours ago, but the RubyGems team could not fix the server until the conference ends because they are attending RailsConf now... Please use the workaround @luislavena suggested.

@DanielKehoe

Thank you, @nahi. I am happy to know the source of the error. Ironic to hear the problem can't be fixed immediately because everyone is at RailsConf. But I'm glad the problem is identified and a fix forthcoming. I appreciate everyone's efforts to build a better Ruby!

@pbiggar
pbiggar commented Apr 24, 2012

@DanielKehoe - is the bug fixed? Or should I follow the bug somewhere else?

@DanielKehoe DanielKehoe reopened this Apr 24, 2012
@DanielKehoe

@pbiggar I believe @nahi says it will be unresolved until the RubyGems team fixes the server.

@nahi
Contributor
nahi commented Apr 24, 2012

@DanielKehoe @pbiggar Right. Hope this issue is fixed soon...

@DanielKehoe

Here's my summary for anyone following a link here. Correct me if I'm wrong.

If you try rails new foo to build a new Rails application with RubyGems 1.8.23 and Ruby 1.9.3-p194 you'll get an error because RubyGems now verifies SSL certificates and Bundler tries to connect with https://rubygems.org/ when you build a new Rails app and https://rubygems.org/ is wrongly configured for SSL connections. The RubyGems team will soon fix the server but until then, use rails new foo --skip-bundle to build a new Rails app and then edit the Gemfile to use http://rubygems.org/.

If you are using an application template from the RailsApps project on GitHub, --skip-bundle won't work but you can edit your ~/.gemrc file and set :ssl_verify_mode: 0 to skip SSL certificate verification. Consider that a temporary workaround and remove it when the https://rubygems.org/ server gets fixed.

Thank you @nahi and @luislavena.
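
Added example (not part of the original thread and not RubyGems code): a small audit that finds the temporary workarounds discussed above if they are still sitting in a `.gemrc`. The sample file is constructed from the settings quoted in this thread; the severity labels and the `audit_gemrc` name are assumptions of this example.

```ruby
require "yaml"
require "uri"

# Same integer as OpenSSL::SSL::VERIFY_NONE, which ":ssl_verify_mode: 0" selects.
VERIFY_NONE = 0

# Hosts described as dead earlier in this thread.
RETIRED_HOSTS = %w[gems.rubyforge.org gemcutter.org].freeze

Finding = Struct.new(:severity, :key, :detail)

# Constructed sample: settings quoted in this thread, with the
# verification workaround left switched on.
SAMPLE_GEMRC = <<~GEMRC
  ---
  :backtrace: false
  :bulk_threshold: 1000
  :sources:
  - http://gems.rubyforge.org/
  - https://gems.github.com
  - http://rubygems.org
  :update_sources: true
  install: --no-rdoc --no-ri
  :ssl_verify_mode: 0
GEMRC

# Returns an array of Finding structs for settings that weaken
# the transport security of gem downloads.
def audit_gemrc(text)
  # .gemrc uses symbol keys (":sources:"), so Symbol must be permitted.
  config = YAML.safe_load(text, permitted_classes: [Symbol]) || {}
  findings = []

  if config[:ssl_verify_mode] == VERIFY_NONE
    findings << Finding.new(:high, :ssl_verify_mode,
                            "certificate verification is disabled")
  end

  if (ca = config[:ssl_ca_cert])
    # Per the discussion in this thread, this option overrides the bundled certs.
    findings << Finding.new(:info, :ssl_ca_cert,
                            "custom CA file #{ca} replaces the bundled certificates")
  end

  Array(config[:sources]).each do |source|
    begin
      uri = URI.parse(source.to_s)
    rescue URI::InvalidURIError
      findings << Finding.new(:medium, :sources, "#{source} is not a valid URL")
      next
    end
    if RETIRED_HOSTS.include?(uri.host)
      findings << Finding.new(:low, :sources, "#{source} is a retired gem host")
    end
    if uri.scheme != "https"
      findings << Finding.new(:medium, :sources, "#{source} is fetched without TLS")
    end
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_gemrc(SAMPLE_GEMRC).each do |f|
    puts format("%-6s %-16s %s", f.severity, f.key, f.detail)
  end
end
```

A commented-out `# :ssl_verify_mode: 0` line, as in the `.gemrc` posted earlier, is ignored by the YAML parser and produces no finding.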

@nahi
Contributor
nahi commented Apr 24, 2012

@DanielKehoe Thanks for the summary. I'm not sure if :ssl_verify_mode: 0 works. https://bb-m.rubygems.org/ redirects the access to http://rubygems.org/ so the latest RubyGems stops there because of "https -> http" insecure redirection. You should update ":sources" in .gemrc to not include https://rubygems.org/ for a workaround. Does it work for you?

Anyways, as you said, it's a temporary workaround and changes should be reverted once rubygems.org is properly configured (hopefully) soon.

@krbullock

AFAICT, rubygems.org has fixed this now:

❧  curl -I https://rubygems.org/gems/rake-0.9.2.2.gem
HTTP/1.1 302 Moved Temporarily
...
Location: https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem

❧  curl -I https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem
HTTP/1.0 200 OK
...

and the bundle install step of rails new foo works for me.

@evanphx
Member
evanphx commented Apr 24, 2012

I've updated the cert on bb-m so the problem should be fixed. Please reopen if not.

@evanphx evanphx closed this Apr 24, 2012
@DanielKehoe

Excellent! I appreciate your efforts to build a better Ruby. And congratulations to @drbrain on the Ruby Heroes award!

@DanielKehoe

With rails new foo I'm still getting the error:

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 
read server certificate B (https://rubygems.org/gems/rake-0.9.2.2.gem)

I saw

curl -I https://rubygems.org/gems/rake-0.9.2.2.gem
HTTP/1.1 302 Moved Temporarily
...
Location: http://production.cf.rubygems.org/gems/rake-0.9.2.2.gem

curl -I http://production.cf.rubygems.org/gems/rake-0.9.2.2.gem
HTTP/1.0 200 OK
...

I also saw

curl -I https://rubygems.org/gems/rake-0.9.2.2.gem
HTTP/1.1 302 Moved Temporarily
...
Location: https://rubygems.cachefly.net/gems/rake-0.9.2.2.gem

curl -I https://rubygems.cachefly.net/gems/rake-0.9.2.2.gem
HTTP/1.1 200 OK
...
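
Added example (not part of the original thread and not the code in lib/rubygems/remote_fetcher.rb): a tracer that walks `curl -I` style responses like the ones above and stops at an https to http hop, the redirect policy described earlier in this thread. The response tables are constructed from the Location values quoted here with the elided header lines dropped; `trace_redirects` and the verdict names are assumptions of this example.

```ruby
require "uri"

Hop = Struct.new(:from, :to, :verdict)

GEM_URL = "https://rubygems.org/gems/rake-0.9.2.2.gem"

# Constructed stand-ins for the network: request URL => raw response head.
DOWNGRADING = {
  GEM_URL => "HTTP/1.1 302 Moved Temporarily\n" \
             "Location: http://production.cf.rubygems.org/gems/rake-0.9.2.2.gem\n",
  "http://production.cf.rubygems.org/gems/rake-0.9.2.2.gem" => "HTTP/1.0 200 OK\n"
}.freeze

HTTPS_ONLY = {
  GEM_URL => "HTTP/1.1 302 Moved Temporarily\n" \
             "Location: https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem\n",
  "https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem" => "HTTP/1.0 200 OK\n"
}.freeze

# Splits a raw response head into [status_code, {lowercased header => value}].
def parse_head(raw)
  lines = raw.split(/\r?\n/)
  status = lines.first.to_s[%r{\AHTTP/\d(?:\.\d)?\s+(\d{3})}, 1].to_i
  headers = {}
  lines.drop(1).each do |line|
    break if line.empty?
    name, value = line.split(":", 2)
    headers[name.strip.downcase] = value.strip if value
  end
  [status, headers]
end

# Follows Location headers through `responses` and returns [hops, verdict].
# Verdicts: :ok, :refused_downgrade, :unreachable, :too_many_redirects.
def trace_redirects(start_url, responses, max_hops: 5)
  hops = []
  url = start_url
  max_hops.times do
    raw = responses[url]
    return [hops, :unreachable] if raw.nil?

    status, headers = parse_head(raw)
    location = headers["location"]
    return [hops, :ok] unless (300..399).cover?(status) && location

    # Location may be relative, so resolve it against the current URL.
    target = URI.join(url, location).to_s
    downgrade = URI(url).scheme == "https" && URI(target).scheme != "https"
    hops << Hop.new(url, target, downgrade ? :downgrade : :ok)
    # A client that honours the https source must not continue over plain http.
    return [hops, :refused_downgrade] if downgrade

    url = target
  end
  [hops, :too_many_redirects]
end

if __FILE__ == $PROGRAM_NAME
  { "downgrading mirror" => DOWNGRADING, "https only" => HTTPS_ONLY }.each do |name, table|
    hops, verdict = trace_redirects(GEM_URL, table)
    puts "#{name}: #{verdict}"
    hops.each { |h| puts "  #{h.from} -> #{h.to} (#{h.verdict})" }
  end
end
```
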
@evanphx
Member
evanphx commented Apr 24, 2012

I've removed the mirrors from the SSL redirections for now. The only one you should see is https://rubygems.org => https://d2chzxaqi4y7f8.cloudfront.net.

@DanielKehoe

@evanphx I'm still getting the error. Anything further I can do to diagnose?

@evanphx
Member
evanphx commented Apr 24, 2012

Hm... very odd. Did you hand compile openssl? Any chance you set the :ssl_ca_cert option? That overrides the builtin bundles entirely and might cause this depending on what you set it to.

@evanphx evanphx reopened this Apr 24, 2012
@DanielKehoe

I tracked down the source of the (continuing) failure to an outdated version of OpenSSL on my machine:

$ openssl version
OpenSSL 0.9.8m 25 Feb 2010

I updated OpenSSL using MacPorts:

$ sudo port sync; sudo port selfupdate; sudo port install openssl
...
$ openssl version
OpenSSL 1.0.1a 19 Apr 2012

And successfully ran rails new foo.

I'm using Mac OS 10.6.8 and many Mac users who have not upgraded to Lion will have old versions of OpenSSL on their systems. I wonder if it would be helpful in the error message to suggest updating OpenSSL? Anything else that would minimize the issue for other users?

@evanphx I appreciate your time and perseverance in helping me identify the source of the problem (especially while busy at RailsConf!). Blessings!

@joliss
joliss commented Apr 28, 2012

I'm having a similar (presumably the same) issue:

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure (https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem)
An error occured while installing activesupport (3.2.3), and Bundler cannot continue.
Make sure that `gem install activesupport -v '3.2.3'` succeeds before bundling.
  • Rubygems 1.8.24
  • Ruby 1.9.3-p125 or 1.9.3-p194
  • bundler 1.1.3
  • Ubuntu 12.04
  • OpenSSL 1.0.1

If there's anything I can do to debug the issue, let me know. So far my only solution has been to use a non-https source in my Gemfile.

I'm thinking it might be related to my recent upgrade to Ubuntu 12.04 / OpenSSL 1.0.1.

@nahi
Contributor
nahi commented Apr 28, 2012

Can you try this? It works for me on 12.04 + 1.0.1 + 2.0.0dev.

% ruby -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem")).bytesize'
Fetching: activesupport-3.2.3.gem (100%)
312832
@gaurish
gaurish commented Apr 28, 2012

I too have the same issue on Ubuntu 12.04 LTS with OpenSSL 1.0.1. Tried with ruby 1.9.3(both p125 & p194).

get the following message:
Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure

@joliss
making source as http worked, Thanks for the workaround

@yesmar
yesmar commented Apr 28, 2012

I've got a similar issue with Ubuntu 12.04:

$ uname -srv
Linux 3.2.0-24-generic #37-Ubuntu SMP Wed Apr 25 08:43:22 UTC 2012
$ ruby --version
ruby 1.9.3p194 (2012-04-20 revision 35410) [x86_64-linux]
$ gem --version
1.8.24
$ openssl version
OpenSSL 1.0.1 14 Mar 2012
$ ruby -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem")).bytesize'
/usr/local/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:331:in `rescue in connection_for': SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure (https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem) (Gem::RemoteFetcher::FetchError)
    from /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:328:in `connection_for'
    from /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:413:in `request'
    from /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:205:in `fetch_http'
    from -e:1:in `<main>'
@nahi
Contributor
nahi commented Apr 29, 2012

Thanks @yesmar, can you please try that again with -d?; ruby -d -r...

@DanielKehoe

I've summarized this issue with steps for diagnosis, plus several workarounds in an article:
http://railsapps.github.com/openssl-certificate-verify-failed.html

@nahi
Contributor
nahi commented Apr 29, 2012

Please try this and show me the result; ruby -rrbconfig -e 'p Dir.glob(File.join(RbConfig::CONFIG["sitelibdir"], "rubygems/ssl_certs/*"))'

@nahi
Contributor
nahi commented Apr 29, 2012

And this, too, please; ruby -rhttpclient -e 'h = HTTPClient.new; h.ssl_config.verify_callback = proc { |ok, ctx|; p ctx.current_cert; ok }; h.get("https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem")'

@nahi
Contributor
nahi commented Apr 29, 2012

I installed 1.9.3-p194, openssl 1.0.1 GA, gem update --system to 1.8.24, but it works for me...

@yesmar
yesmar commented Apr 29, 2012

Hi, here are outputs for all of those commands you requested:

$ ruby -d -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem")).bytesize'
Exception `LoadError' at /usr/local/lib/ruby/site_ruby/1.9.1/rubygems.rb:1264 - cannot load such file -- rubygems/defaults/operating_system
Exception `LoadError' at /usr/local/lib/ruby/site_ruby/1.9.1/rubygems.rb:1273 - cannot load such file -- rubygems/defaults/ruby
Exception `Gem::LoadError' at /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/dependency.rb:247 - Could not find psych (>= 1.2.1, ~> 1.2) amongst [actionmailer-3.2.3, actionpack-3.2.3, activemodel-3.2.3, activerecord-3.2.3, activeresource-3.2.3, activesupport-3.2.3, addressable-2.2.7, arel-3.0.2, bcrypt-ruby-3.0.1, bigdecimal-1.1.0, binding_of_caller-0.6.7, bootstrap-sass-2.0.2, bootstrap-sass-2.0.0, bootstrap-will_paginate-0.0.7, bootstrap-will_paginate-0.0.5, builder-3.0.0, bundler-1.1.3, capybara-1.1.2, childprocess-0.3.2, coderay-1.0.6, coffee-rails-3.2.2, coffee-script-2.2.0, coffee-script-source-1.3.1, cucumber-1.1.9, cucumber-rails-1.3.0, cucumber-rails-1.2.1, database_cleaner-0.7.2, database_cleaner-0.7.0, diff-lcs-1.1.3, erubis-2.7.0, execjs-1.3.1, factory_girl-3.2.0, factory_girl-2.3.2, factory_girl_rails-3.2.0, factory_girl_rails-1.4.0, faker-1.0.1, fattr-2.2.1, ffi-1.0.11, gherkin-2.9.3, guard-1.0.1, guard-rspec-0.7.0, guard-rspec-0.5.5, guard-spork-0.7.1, guard-spork-0.3.2, haml-3.1.4, heroku-2.25.0, hike-1.2.1, hpricot-0.8.6, htmlentities-4.3.1, i18n-0.6.0, io-console-0.3, journey-1.0.3, jquery-rails-2.0.2, jquery-rails-2.0.0, json-1.7.0, json-1.5.4, launchy-2.1.0, libwebsocket-0.1.3, mail-2.4.4, method_source-0.7.1, mime-types-1.18, minitest-2.12.1, minitest-2.5.1, minitest-context-0.4.0, multi_json-1.3.2, netrc-0.7.1, nokogiri-1.5.2, polyglot-0.3.3, pry-0.9.9.4, pry-remote-0.1.3, pry-stack_explorer-0.4.2, puma-1.2.2, puma-1.2.1, rack-1.4.1, rack-cache-1.2, rack-protection-1.2.0, rack-ssl-1.3.2, rack-test-0.6.1, rails-3.2.3, railties-3.2.3, rake-0.9.2.2, rb-fsevent-0.9.1, rb-fsevent-0.4.3.1, rdoc-3.12, rdoc-3.9.4, rest-client-1.6.7, rspec-2.9.0, rspec-core-2.9.0, rspec-expectations-2.9.1, rspec-mocks-2.9.0, rspec-rails-2.9.0, rubygems-update-1.8.24, rubyzip-0.9.8, rush-0.6.8, sass-3.1.16, sass-rails-3.2.5, sass-rails-3.2.4, selenium-webdriver-2.21.2, session-3.1.0, shotgun-0.9, sinatra-1.3.2, slop-3.1.1, slop-2.4.4, spork-0.9.0, sprockets-2.4.1, 
sprockets-2.1.3, sqlite3-1.3.6, sqlite3-1.3.5, tarantula-0.4.3, term-ansicolor-1.0.7, thor-0.14.6, tilt-1.3.3, treetop-1.4.10, tzinfo-0.3.33, uglifier-1.2.4, uglifier-1.2.3, will_paginate-3.0.3, xpath-0.1.4]
Exception `NameError' at /usr/local/lib/ruby/1.9.1/psych/core_ext.rb:16 - method `to_yaml' not defined in Object
Exception `NameError' at /usr/local/lib/ruby/1.9.1/psych/core_ext.rb:29 - method `yaml_as' not defined in Module
Exception `NameError' at /usr/local/lib/ruby/1.9.1/psych/deprecated.rb:79 - undefined method `to_yaml_properties' for class `Object'
Exception `NameError' at /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/syck_hack.rb:20 - constant Psych::Syck not defined
Exception `NameError' at /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/syck_hack.rb:42 - method `to_s' not defined in Syck::DefaultKey
Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/net/http.rb:799 - SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure
Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/net/http.rb:806 - SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure
Exception `Gem::RemoteFetcher::FetchError' at /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:331 - SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure (https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem)
/usr/local/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:331:in `rescue in connection_for': SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure (https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem) (Gem::RemoteFetcher::FetchError)
    from /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:328:in `connection_for'
    from /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:413:in `request'
    from /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:205:in `fetch_http'

$ ruby -rrbconfig -e 'p Dir.glob(File.join(RbConfig::CONFIG["sitelibdir"], "rubygems/ssl_certs/*"))'
["/usr/local/lib/ruby/site_ruby/1.9.1/rubygems/ssl_certs/ca-bundle.pem"]

$ ruby -rhttpclient -e 'h = HTTPClient.new; h.ssl_config.verify_callback = proc { |ok, ctx|; p ctx.current_cert; ok }; h.get("https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem")'
/usr/local/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require': cannot load such file -- httpclient (LoadError)
    from /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
@nahi
Contributor
nahi commented Apr 29, 2012

@yesmar Thanks. For the last command, please install "httpclient" gem first: gem install httpclient

One more: ruby -ropenssl -e 'p OpenSSL::OPENSSL_VERSION'

@ghost
ghost commented Apr 29, 2012

My output is below. Maybe it is noteworthy that I cannot use https even with curl:

balazs@bird:~$ curl -I https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

balazs@bird:$ ruby -d -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfr...")).bytesize'
Exception `LoadError' at /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems.rb:1264 - cannot load such file -- rubygems/defaults/operating_system
Exception `LoadError' at /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems.rb:1273 - cannot load such file -- rubygems/defaults/ruby
Exception `Gem::LoadError' at /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/dependency.rb:247 - Could not find psych (>= 1.2.1, ~> 1.2) amongst [actionmailer-3.2.3, actionpack-3.2.3, activemodel-3.2.3, activerecord-3.2.3, activeresource-3.2.3, activesupport-3.2.3, arel-3.0.2, builder-3.0.0, bundler-1.1.3, erubis-2.7.0, hike-1.2.1, i18n-0.6.0, journey-1.0.3, json-1.7.0, mail-2.4.4, mime-types-1.18, multi_json-1.3.3, polyglot-0.3.3, rack-1.4.1, rack-cache-1.2, rack-ssl-1.3.2, rack-test-0.6.1, rails-3.2.3, railties-3.2.3, rake-0.9.2.2, rdoc-3.12, rubygems-bundler-0.9.0, rvm-1.11.3.3, sprockets-2.1.3, thor-0.14.6, tilt-1.3.3, treetop-1.4.10, tzinfo-0.3.33]
Exception `NameError' at /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/psych/core_ext.rb:16 - method `to_yaml' not defined in Object
Exception `NameError' at /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/psych/core_ext.rb:29 - method `yaml_as' not defined in Module
Exception `NameError' at /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/psych/deprecated.rb:79 - undefined method `to_yaml_properties' for class `Object'
Exception `NameError' at /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/syck_hack.rb:20 - constant Psych::Syck not defined
Exception `NameError' at /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/syck_hack.rb:42 - method `to_s' not defined in Syck::DefaultKey
Exception `SocketError' at /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:762 - getaddrinfo: Name or service not known
/home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:762:in `initialize': getaddrinfo: Name or service not known (SocketError)
    from /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:762:in `open'
    from /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:762:in `block in connect'
    from /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
    from /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
    from /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:762:in `connect'
    from /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
    from /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:750:in `start'
    from /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:329:in `connection_for'
    from /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:413:in `request'
    from /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:205:in `fetch_http'
    from -e:1:in `<main>'

balazs@bird:$ ruby -rrbconfig -e 'p Dir.glob(File.join(RbConfig::CONFIG["sitelibdir"], "rubygems/ssl_certs/*"))'
["/home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/ssl_certs/ca-bundle.pem"]
balazs@bird:~$ ruby -rhttpclient -e 'h = HTTPClient.new; h.ssl_config.verify_callback = proc { |ok, ctx|; p ctx.current_cert; ok }; h.get("https://d2chzxaqi4y7f8.cloudfr...")'
/home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require': cannot load such file -- httpclient (LoadError)
    from /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'

@ghost
ghost commented Apr 29, 2012

balazs@bird:~$ ruby -rhttpclient -e 'h = HTTPClient.new; h.ssl_config.verify_callback = proc { |ok, ctx|; p ctx.current_cert; ok }; h.get("https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem")'
/home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require': cannot load such file -- httpclient (LoadError)
    from /home/balazs/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'

@nahi
Contributor
nahi commented Apr 29, 2012

Here's my result on Ubuntu 12.04

% uname -a
Linux ubuntu 2.6.39.1-linode34 #1 SMP Tue Jun 21 10:29:24 EDT 2011 i686 GNU/Linux
% ruby -v
ruby 1.9.3p194 (2012-04-20) [i686-linux]
% ruby -d -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem")).bytesize' 
Exception `LoadError' at /usr/local/lib/ruby/site_ruby/1.9.1/rubygems.rb:1264 - cannot load such file -- rubygems/defaults/operating_system
Exception `LoadError' at /usr/local/lib/ruby/site_ruby/1.9.1/rubygems.rb:1273 - cannot load such file -- rubygems/defaults/ruby
Exception `Gem::LoadError' at /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/dependency.rb:247 - Could not find psych (>= 1.2.1, ~> 1.2) amongst [activesupport-3.0.6, addressable-2.2.4, bigdecimal-1.1.0, builder-2.1.2, bundle-0.0.1, bundler-1.0.18, crack-0.1.8, curb-0.7.15, eventmachine-0.12.10, excon-0.6.1, faraday-0.6.0, httparty-0.7.4, httpclient-2.2.1, httpclient-2.2.0, i18n-0.5.0, io-console-0.3, json-1.5.4, json-1.5.1, mime-types-1.16, minitest-2.5.1, minitest-1.6.0, multipart-post-1.1.0, patron-0.4.11, rack-1.2.2, rake-0.9.2.2, rake-0.8.7, rdoc-3.9.4, rdoc-2.5.8, rest-client-1.6.1, right_http_connection-1.3.0, rubygems-update-1.8.24, rubygems-update-1.8.8, rubygems-update-1.7.2, rufus-lru-1.0.3, rufus-verbs-1.0.0, simplehttp-0.1.3, typhoeus-0.2.4, wrest-1.4.2]
Exception `LoadError' at /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36 - cannot load such file -- psych
Exception `LoadError' at /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:63 - cannot load such file -- psych
Exception `LoadError' at /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36 - cannot load such file -- psych
Exception `LoadError' at /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:63 - cannot load such file -- psych
/usr/local/lib/ruby/1.9.1/yaml.rb:56:in `<top (required)>':
It seems your ruby installation is missing psych (for YAML output).
To eliminate this warning, please install libyaml and reinstall your ruby.
Exception `NameError' at /usr/local/lib/ruby/1.9.1/syck/tag.rb:81 - method `yaml_as' not defined in Module
Exception `NameError' at /usr/local/lib/ruby/1.9.1/syck/rubytypes.rb:13 - undefined method `to_yaml_properties' for class `Object'
Exception `NameError' at /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/syck_hack.rb:20 - constant Syck::Syck not defined
Exception `NameError' at /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/syck_hack.rb:42 - method `to_s' not defined in Syck::DefaultKey
Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Fetching: activesupport-3.2.3.gem ( 11%)Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Fetching: activesupport-3.2.3.gem ( 16%)Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Fetching: activesupport-3.2.3.gem ( 26%)Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Fetching: activesupport-3.2.3.gem ( 37%)Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Fetching: activesupport-3.2.3.gem ( 53%)Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Fetching: activesupport-3.2.3.gem ( 68%)Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Fetching: activesupport-3.2.3.gem ( 84%)Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /usr/local/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Fetching: activesupport-3.2.3.gem (100%)
312832
% ruby -rrbconfig -e 'p Dir.glob(File.join(RbConfig::CONFIG["sitelibdir"], "rubygems/ssl_certs/*"))'
["/usr/local/lib/ruby/site_ruby/1.9.1/rubygems/ssl_certs/ca-bundle.pem"]
% ruby -rhttpclient -e 'h = HTTPClient.new; h.ssl_config.verify_callback = proc { |ok, ctx|; p ctx.current_cert; ok }; h.get("https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem")'
#<OpenSSL::X509::Certificate subject=/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority, issuer=/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority, serial=927650371, not_before=1999-05-25 16:09:40 UTC, not_after=2019-05-25 16:39:40 UTC>
#<OpenSSL::X509::Certificate subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA, issuer=/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority, serial=1116160165, not_before=2006-10-01 05:00:00 UTC, not_after=2014-07-26 18:15:15 UTC>
#<OpenSSL::X509::Certificate subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3, issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA, serial=11059457423120897085043097253941199374, not_before=2007-04-03 00:00:00 UTC, not_after=2022-04-03 00:00:00 UTC>
#<OpenSSL::X509::Certificate subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.cloudfront.net, issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3, serial=2275231799468253218031285453314983164, not_before=2010-11-10 00:00:00 UTC, not_after=2013-11-13 23:59:59 UTC>
@nahi
Contributor
nahi commented Apr 29, 2012

And for the last one:

% ruby -ropenssl -e 'p OpenSSL::OPENSSL_VERSION'
"OpenSSL 1.0.1 14 Mar 2012"
@yesmar
yesmar commented Apr 29, 2012

Some additional command output:

$ ruby -rhttpclient -e 'h = HTTPClient.new; h.ssl_config.verify_callback = proc { |ok, ctx|; p ctx.current_cert; ok }; h.get("https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem")'
/usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient/session.rb:300:in `connect': SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure (OpenSSL::SSL::SSLError)
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient/session.rb:300:in `ssl_connect'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient/session.rb:739:in `block in connect'
    from /usr/local/lib/ruby/1.9.1/timeout.rb:68:in `timeout'
    from /usr/local/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient/session.rb:731:in `connect'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient/session.rb:594:in `query'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient/session.rb:161:in `query'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient.rb:1060:in `do_get_block'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient.rb:869:in `block in do_request'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient.rb:956:in `protect_keep_alive_disconnected'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient.rb:868:in `do_request'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient.rb:756:in `request'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient.rb:661:in `get'
    from -e:1:in `<main>'
ramsey@trilobyte ~/Development/rails/sample_app  $ ruby -ropenssl -e 'p OpenSSL::OPENSSL_VERSION'
"OpenSSL 1.0.1 14 Mar 2012"
@ghost
ghost commented Apr 29, 2012

balazs@bird:~$ ruby -ropenssl -e 'p OpenSSL::OPENSSL_VERSION'
"OpenSSL 1.0.1 14 Mar 2012"

@nahi
Contributor
nahi commented Apr 29, 2012

Hmm. I realized that it's not a verification issue. I should try clean install of 12.04 which installs OpenSSL 1.0.1 GA (I installed manually, and upgraded version from Ubuntu 11.11.)

All guys are using clean install Ubuntu 12.04 and built-in OpenSSL (1.0.1 GA), right? Any exception?

@yesmar
yesmar commented Apr 29, 2012

@nahi Good idea. My Ubuntu is 12.04 LTS x86_64 Desktop, freshly installed and not upgraded.

@ghost
ghost commented Apr 29, 2012

Fresh install here. 12.04 LTS x86_64 Desktop as well.

@yesmar
yesmar commented Apr 29, 2012

@nahi My SSL packages are:

$ dpkg --get-selections | grep -v deinstall | grep ssl
libcurl4-openssl-dev                install
libgnutls-openssl27             install
libssl-dev                  install
libssl-doc                  install
libssl1.0.0                 install
openssl                     install
python-openssl                  install
ssl-cert                    install
@nahi
Contributor
nahi commented Apr 29, 2012

@jomagam Yeah, dubious.

% ruby -rhttpclient -e 'h = HTTPClient.new; h.ssl_config.options = OpenSSL::SSL::OP_NO_SSLv2|OpenSSL::SSL::OP_NO_SSLv3; h.ssl_config.verify_callback = proc { |ok, ctx|; p ctx.current_cert; ok }; h.get("https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem")'

Can someone try it?

@yesmar
yesmar commented Apr 29, 2012

@nahi

$ ruby -rhttpclient -e 'h = HTTPClient.new; h.ssl_config.options = OpenSSL::SSL::OP_NO_SSLv2|OpenSSL::SSL::OP_NO_SSLv3; h.ssl_config.verify_callback = proc { |ok, ctx|; p ctx.current_cert; ok }; h.get("https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem")'
/usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient/session.rb:300:in `connect': SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure (OpenSSL::SSL::SSLError)
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient/session.rb:300:in `ssl_connect'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient/session.rb:739:in `block in connect'
    from /usr/local/lib/ruby/1.9.1/timeout.rb:68:in `timeout'
    from /usr/local/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient/session.rb:731:in `connect'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient/session.rb:594:in `query'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient/session.rb:161:in `query'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient.rb:1060:in `do_get_block'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient.rb:869:in `block in do_request'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient.rb:956:in `protect_keep_alive_disconnected'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient.rb:868:in `do_request'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient.rb:756:in `request'
    from /usr/local/lib/ruby/gems/1.9.1/gems/httpclient-2.2.4/lib/httpclient.rb:661:in `get'
    from -e:1:in `<main>'
@nahi
Contributor
nahi commented Apr 29, 2012

Even if it works, net/http (and wrapping RubyGems) don't have an interface to customize it. Hmm.

@joliss
joliss commented Apr 29, 2012

I should try clean install of 12.04 which installs OpenSSL 1.0.1 GA (I installed manually, and upgraded version from Ubuntu 11.11.)

All guys are using clean install Ubuntu 12.04 and built-in OpenSSL (1.0.1 GA), right? Any exception?

I have the same error messages @yesmar et al report with a 12.04 upgraded from 11.10, with the Ubuntu openssl package.

@joliss
joliss commented Apr 29, 2012

On Sun, Apr 29, 2012 at 05:26, Hiroshi Nakamura reply@reply.github.com wrote:

Hmm. I realized that it's not a verification issue. I should try clean install of 12.04 which installs OpenSSL 1.0.1 GA (I installed manually, and upgraded version from Ubuntu 11.11.)

Would you like a 12.04 toy VM on EC2 (with root access) to test it
out? Just email me your SSH pubkey and it's all yours.

Jo

Jo Liss
http://www.opinionatedprogrammer.com/

@nahi
Contributor
nahi commented Apr 29, 2012

Thanks all. I have now a fresh install 12.04 and confirmed that the error happens with the openssl it has.

For a workaround, we need to specify the protocol version explicitly but there's no such API even in httpclient gem. So using 'http' or build openssl and ruby by yourself would be a workaround so far...

@gaurish
gaurish commented Apr 29, 2012

I was able to reproduce the error with curl itself.

$ curl -Iv https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem
* About to connect() to d2chzxaqi4y7f8.cloudfront.net port 443 (#0)
*   Trying 204.246.165.140... connected
* successfully set certificate verify locations:
*   CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection #0
 curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Specifying protocol as SSLv3, it starts working again:

$ curl -Iv -3 https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem
* About to connect() to d2chzxaqi4y7f8.cloudfront.net port 443 (#0)
*   Trying 204.246.165.28... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-MD5
* Server certificate:
*    subject: C=US; ST=Washington; L=Seattle; O=Amazon.com, Inc.; CN=*.cloudfront.net
*    start date: 2010-11-10 00:00:00 GMT
*    expire date: 2013-11-13 23:59:59 GMT
*    subjectAltName: d2chzxaqi4y7f8.cloudfront.net matched
*    issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert High Assurance CA-3
*    SSL certificate verify ok.
> HEAD /gems/activesupport-3.2.3.gem HTTP/1.1
> User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23     librtmp/2.3
> Host: d2chzxaqi4y7f8.cloudfront.net
> Accept: */*
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
HTTP/1.0 200 OK
< x-amz-id-2: M0xyIenIhNNVWooZSbUpAYdiy+sNKUdkGo92BbYS1Tnb+D8Yx4mt7CXL+9+IBeTj
< x-amz-request-id: A96C87E2CE2A8017
< Date: Fri, 30 Mar 2012 23:00:25 GMT
< Last-Modified: Fri, 30 Mar 2012 22:26:19 GMT
< ETag: "2ad46d1695282863d06f44f47b85ce9b"
< Accept-Ranges: bytes
< Content-Type: binary/octet-stream
< Content-Length: 312832
< Server: AmazonS3
< Age: 27691
< X-Cache: Hit from cloudfront
< X-Amz-Cf-Id: 3KEKKmhpV9EYM1ssKIPPVX8fpGutrT-EX07iXWsAUl2HAre31Ej-jA==
< Via: 1.0 9197153d6a4a6de4a33765876f858402.cloudfront.net (CloudFront)
< Connection: close
@gaurish
gaurish commented Apr 29, 2012

Further, this issue occurs with rubygems site only, and any other https site works as expected, example:

$ curl -Iv https://dl.dropbox.com/s/bguf9bkw7ww7k6i/Mumbai-Tweet-Drive-Comic.jpg
  * About to connect() to dl.dropbox.com port 443 (#0)
  *   Trying 107.20.162.145... connected
  * successfully set certificate verify locations:
  *   CAfile: none
    CApath: /etc/ssl/certs
  * SSLv3, TLS handshake, Client hello (1):
  * SSLv3, TLS handshake, Server hello (2):
  * SSLv3, TLS handshake, CERT (11):
  * SSLv3, TLS handshake, Server key exchange (12):
  * SSLv3, TLS handshake, Server finished (14):
  * SSLv3, TLS handshake, Client key exchange (16):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSL connection using DHE-RSA-AES256-SHA
  * Server certificate:
  *      subject: C=US; ST=California; L=San Francisco; O=Dropbox, Inc.; CN=*.dropbox.com
  *      start date: 2011-12-01 00:00:00 GMT
  *      expire date: 2014-01-29 23:59:59 GMT
  *      common name: *.dropbox.com (matched)
  *      issuer: C=US; O=Thawte, Inc.; CN=Thawte SSL CA
  *      SSL certificate verify ok.
  > HEAD /s/bguf9bkw7ww7k6i/Mumbai-Tweet-Drive-Comic.jpg HTTP/1.1
  > User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23   librtmp/2.3
  > Host: dl.dropbox.com
  > Accept: */*
  > 
  < HTTP/1.1 405 Method Not Allowed
  < Server: nginx/1.0.14
  < Date: Sun, 29 Apr 2012 08:55:54 GMT
  < Content-Type: application/json
  < Connection: keep-alive
  * no chunk, no close, no size. Assume close to signal end
  < 
  * Closing connection #0
  * SSLv3, TLS alert, Client hello (1):

So, question is:
Why does this issue crop up only with rubygems & not with other sites (like dropbox)?

@nahi
Contributor
nahi commented Apr 29, 2012
  • The client tries to send a cipher list that contains more than 50
  • Ubuntu's openssl cuts the list down to 50
  • AWS cloudfront's SSL server configuration cannot find a cipher it can use in the list

Any AWS cloudfront SSL server would not allow connections from Ubuntu 12.04, if I understand correctly.
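The failure chain described in the comment above, modelled as an added example (not code from the thread or from RubyGems): a client preference list is cut to its first 50 entries and the server can no longer find a cipher it accepts. The 60-entry client list and the server's accepted set are constructed; `RC4-MD5` is used because it is the cipher the successful `curl -3` run in this thread negotiated.

```ruby
require "openssl"

# Cut-off reported in the comment above for Ubuntu 12.04's OpenSSL build.
CIPHER_LIMIT = 50

# Assumption for illustration: the server accepts only this cipher.
ASSUMED_SERVER_CIPHERS = ["RC4-MD5"].freeze

# Cipher names the locally linked OpenSSL offers by default, in preference order.
def local_cipher_names
  OpenSSL::SSL::SSLContext.new.ciphers.map(&:first)
end

# Constructed client preference list: 60 entries, with the only cipher the
# assumed server accepts sitting at position 55, past the cut-off.
def constructed_client_list
  names = (1..59).map { |i| format("CONSTRUCTED-CIPHER-%02d", i) }
  names.first(54) + ["RC4-MD5"] + names.drop(54)
end

# Server-side selection: the first cipher in the server's list that the
# client actually offered. nil models the "handshake failure" alert.
def negotiate(client_ciphers, server_ciphers, limit: nil)
  offered = limit ? client_ciphers.first(limit) : client_ciphers
  server_ciphers.find { |name| offered.include?(name) }
end

# Compare the outcome with and without truncation of the client list.
def truncation_report(client_ciphers, server_ciphers, limit: CIPHER_LIMIT)
  {
    total: client_ciphers.size,
    offered: [client_ciphers.size, limit].min,
    dropped_server_ciphers: client_ciphers.drop(limit) & server_ciphers,
    negotiated_full: negotiate(client_ciphers, server_ciphers),
    negotiated_truncated: negotiate(client_ciphers, server_ciphers, limit: limit)
  }
end

if __FILE__ == $PROGRAM_NAME
  report = truncation_report(constructed_client_list, ASSUMED_SERVER_CIPHERS)
  puts "constructed client list: #{report[:total]} ciphers, #{report[:offered]} offered"
  puts "full list negotiates:      #{report[:negotiated_full].inspect}"
  puts "truncated list negotiates: #{report[:negotiated_truncated].inspect}"
  puts "server ciphers lost to the cut-off: #{report[:dropped_server_ciphers].inspect}"
  puts "this machine's OpenSSL offers #{local_cipher_names.size} ciphers by default"
end
```

A `nil` result for the truncated list with a non-empty `dropped_server_ciphers` is the signature of this bug: the certificate chain is never reached, so changing CA settings cannot help.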

@gaurish
gaurish commented Apr 29, 2012

@nahi
so I guess this is an issue with Ubuntu & not a rubygems bug then?

@nahi
Contributor
nahi commented Apr 29, 2012

I'm afraid that it's not an issue of RubyGems nor OpenSSL. Ubuntu seems to be preparing a fix of their OpenSSL custom build, but AWS could change the SSL server configuration. For a workaround, please use http or plain OpenSSL build.

@evanphx
Member
evanphx commented Apr 29, 2012

Because there is clearly an issue between cloudfront SSL and some OpenSSL builds, I'm going to disable redirecting to cloudfront for now.

@gaurish Can you try curl -lv -I -L https://s3.amazonaws.com/production.s3.rubygems.org/gems/gx-1.1.0.gem and see if you see the issue? If it's fine, I'll add that into the redirection pool as well.

@evanphx
Member
evanphx commented Apr 29, 2012

I booted a 12.04 VM on EC2 to do some testing and reproduced the problem with cloudfront. For now, I've set bb-m, cloudily, and s3.amazonaws.com to the redirection pool for https. This should resolve the problem until ubuntu and cloudfront figure out what to do.

@evanphx evanphx closed this Apr 29, 2012
@gaurish
gaurish commented Apr 29, 2012

Disabling CF has fixed the problem for me.

@evanphx
I appreciate your proactive approach. Thanks!

@jrochkind

Should this be resolved for end-users yet?

I am having this problem with rubygems 1.8.24 on an OSX 10.5.8 machine.

The weird thing is that it says, eg Make sure that "gem install coffee-script -v '2.2.0'" succeeds before bundling., and running that directly with gem does succeed. But bundle install does not.

Once I manually gem install coffee-script for instance, bundler doesn't complain about coffee-script anymore, it goes on to complaining about something else. coffee-rails in my case. Okay, I have to manually gem install coffee-rails. Rinse, repeat.

Why can gem install something without complaining about cert errors, but bundle install cannot install that same thing without complaining about cert errors? Is this actually a bundler problem? (update bundler 1.1.3)

update again PS: This is the exact error message i'm getting from bundle install but not gem install

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://s3.amazonaws.com/production.s3.rubygems.org/gems/jquery-rails-2.0.2.gem)
@DanielKehoe

@jrochkind have you tried the solutions (especially updating OpenSSL) described in this article: http://railsapps.github.com/openssl-certificate-verify-failed.html ?

@jrochkind

Ugh, what a mess, thanks for the link @DanielKehoe, I had not seen that before. I'll try to work through it I guess. Sounds like maybe I need to update my openssl; that article is kind of contradictory, it says you ought not to have to update openssl, and says if your openssl is older than 1.0.1 (as mine is, on an older OSX), then you do have to update it. So guess I'm gonna have to try that. thanks. was not aware of this problem in general, just found this ticket googling for my error message, more publicity might be good.

@jrochkind

If you’re still getting the error “SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure”, run the diagnostic below and add your report to the issue SSL_connect failure when running ‘rails new’. Please supply details: OS version, Ruby version, RubyGems version, OpenSSL version, error message.

OSX 10.5.8

$ uname -srv
Darwin 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386
$ ruby -v
ruby 1.9.3p194 (2012-04-20 revision 35410) [i386-darwin9.8.0]
$ gem -v
1.8.24
$ openssl version
OpenSSL 0.9.7l 28 Sep 2006
$ ruby -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://s3.amazonaws.com/production.s3.rubygems.org/gems/builder-3.0.0.gem")).bytesize'
/Users/jrochkind/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:331:in `rescue in connection_for': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://s3.amazonaws.com/production.s3.rubygems.org/gems/builder-3.0.0.gem) (Gem::RemoteFetcher::FetchError)
    from /Users/jrochkind/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:328:in `connection_for'
    from /Users/jrochkind/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:413:in `request'
    from /Users/jrochkind/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:205:in `fetch_http'
    from -e:1:in `<main>'
@DanielKehoe

@jrochkind, The article suggests, "You should see OpenSSL 1.0.1 or newer. If not, try updating OpenSSL."

@jrochkind

okay, you wrote it so you must know! Just trying to go through it and do what it says. I thought it was saying that with rubygems 1.9.4 and after april 20, you ought not to need updated certs or a specific openssl version, and if you did you guys wanted to know because it ought not to be necessary. But I guess I misunderstood.

It also suggests trying rvm pkg install openssl, however doing that, rvm says its package is "openssl-0.9.8t", which is not openssl 1.0.1 or newer like you say, so I think I won't bother pursuing that?

So on to figuring out how to get openssl updated on this machine. I don't use macports, it's not installed on this machine. homebrew is, i'll see if i can manage to get a newer openssl with that, and report back on the comments on that article. (It's not clear to me if I need to recompile ruby after upgrading openssl or not, I'll try it first without I guess).

If someone wanted to write a technical summary/overview of what's wrong with versions of openssl prior to 1.0.1 that keep it from working with rubygems, I'd definitely be interested in reading it.

@yesmar
yesmar commented May 3, 2012

@jrochkind You can get some technical details on why you want to upgrade OpenSSL from NIST's National Vulnerability Database: CVE-2012-2110.

TL;DR Versions of OpenSSL prior to version 1.0.1a suffer from an integer overflow in the asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c. Exploitation of this vulnerability leads to code execution. If your program exposes the asn1_d2i_read_bio function to untrusted user input in any way then I can feed it a specially crafted file (such as a certificate or key) and cause it to execute machine instructions which I specify. Bottom line: you really want to upgrade your OpenSSL.

For what it's worth, Mark Dowd published details on this piece of buggy code in The Art of Software Security Assessment back in 2006. Here's a scan of the page in question. Funny that no one noticed until now, eh?

Here's how I upgrade my OpenSSL on OS X 10.7:

curl -L -O http://www.openssl.org/source/openssl-1.0.1b.tar.gz.asc
curl -L -O http://www.openssl.org/source/openssl-1.0.1b.tar.gz
gpg --verify openssl-1.0.1b.tar.gz.asc
tar xvzf openssl-1.0.1b.tar.gz
cd openssl-1.0.1b
perl ./Configure shared zlib --prefix=/opt/local darwin64-x86_64-cc
make
make test
sudo make install

Why be at the mercy of package managers when you can do it yourself? <smirk/>

@jrochkind

@yesmar thanks a lot for those compile from source instructions.

@gaurish
gaurish commented May 3, 2012

Hey everyone,
after a recent security update on Ubuntu 12.04, this bug has been fixed for me. Connections from Ubuntu 12.04 to CF servers work just fine now.

$ curl -I https://d2chzxaqi4y7f8.cloudfront.net/gems/activesupport-3.2.3.gem
HTTP/1.0 200 OK
x-amz-id-2: M0xyIenIhNNVWooZSbUpAYdiy+sNKUdkGo92BbYS1Tnb+D8Yx4mt7CXL+9+IBeTj
x-amz-request-id: A96C87E2CE2A8017
Date: Fri, 30 Mar 2012 23:00:25 GMT
Last-Modified: Fri, 30 Mar 2012 22:26:19 GMT
ETag: "2ad46d1695282863d06f44f47b85ce9b"
Accept-Ranges: bytes
Content-Type: binary/octet-stream
Content-Length: 312832
Server: AmazonS3
Age: 57633
X-Cache: Hit from cloudfront
X-Amz-Cf-Id: TYdBH8Igv_wu2NMb6fRxKPG8R5iWd_dp37eTNvJlwpfHwBT8tstYFQ==
Via: 1.0 0062b28cc051d8135de139b1951e546f.cloudfront.net (CloudFront)
Connection: close

So it seems Ubuntu people have sorted out this issue & that workaround won't be needed. Hence, Cloudfront can be enabled again.

@yesmar
yesmar commented May 3, 2012

Yup, I just verified that things are working for me now without using any of the documented workarounds.

@evanphx
Member
evanphx commented May 3, 2012

@yesmar Did you have to install a new version of openssl? I was going to try to get a 10.5.8 machine today to do some experiments on.

@yesmar
yesmar commented May 3, 2012

@evanphx I'm probably not the best guy to ask that question of. I maintain a fairly large toolchain in /opt/local that always includes the latest versions of OpenSSL, Ruby, and RubyGems. So I don't know if I had to install a new OpenSSL because I always install a new OpenSSL. <grin/>

@evanphx
Member
evanphx commented May 3, 2012

@yesmar Ah ok. @jrochkind did you get it working?

@jrochkind

@evanphx I did not get it working on Mac OSX 10.5.8 without updating openssl. Currently in the middle of trying to update openssl, I seem to have messed up my system by trying to use the 'rvm pack install' method, which did not work.

@jrochkind

@evanphx I seem to have gotten it working without an openssl update on Mac OSX 10.5.8. My openssl is still the stock OSX 10.5.8, openssl 0.9.7

I can't explain exactly what I did to do so, it involved lots of hacking with lots of dead ends. It did involve updating rvm to head and reinstalling mri 1.9.3.

The unexplainable thing is that the situation after all my hacking as far as versions of various software is identical to the situation before my hacking. ruby, rubygems, and openssl are all the same versions as they were before. But now it works, before it didn't. I have no idea.


bash-4.2$ uname -srv
Darwin 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386
bash-4.2$ ruby -v
ruby 1.9.3p194 (2012-04-20 revision 35410) [i386-darwin9.8.0]
bash-4.2$ gem -v
1.8.24
bash-4.2$ openssl version
OpenSSL 0.9.7l 28 Sep 2006
@joanbarros

Just an FYI.

I was getting this error due to network issues at work. I only changed the source in the Gemfile and this solved the problem. Maybe it's not a bug just a case of configuration.

Maybe if rails uses 2 sources, 1 primary and 1 to fall back on (first go to HTTPS and then to HTTP). This will no longer occur.

@crescendant

For users on Windows, using RailsInstaller, https://gist.github.com/867550

@shawnwall

I've updated openssl through macports and am using the latest 1.9.3. using the latest rvm. I'm still getting the error (on osx lion)

@shawnwall

In case anyone else still can't fix this, and you are using rvm and macports, here was my solution:

sudo port install curl-ca-bundle
export SSL_CERT_FILE=/opt/local/share/curl/curl-ca-bundle.crt

I added the export to my .bash_profile for future use

@sbwoodside

On Mac OS X 10.7.4. I have just tried the "homebrew" workaround from http://railsapps.github.com/openssl-certificate-verify-failed.html and initially it worked, but now it's stopped working again.

Diagnostics are in https://gist.github.com/3432113

UPDATE:
Installing the fake cert worked:

cd /usr/local/etc/openssl/
curl -O http://curl.haxx.se/ca/cacert.pem
mv cacert.pem cert.pem
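An added example (not code from this thread or from RubyGems) for the `certificate verify failed` reports and the CA-bundle fixes posted above: it shows which trust file an OpenSSL-based client will read, lists bundle entries outside their validity window, and verifies a certificate against a bundle so a missing issuer can be told apart from other failures without disabling verification. The certificates, the names `Constructed Root A/B` and `gems.example.test` are constructed at run time for illustration.

```ruby
require "openssl"

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Trust file an OpenSSL-based client reads: SSL_CERT_FILE if set,
# otherwise the path compiled into the linked OpenSSL.
def effective_ca_file(env = ENV)
  env["SSL_CERT_FILE"] || OpenSSL::X509::DEFAULT_CERT_FILE
end

# Every certificate found in a PEM bundle.
def certs_in_bundle(pem_text)
  pem_text.scan(PEM_CERT).map { |blob| OpenSSL::X509::Certificate.new(blob) }
end

# Subjects of bundle entries that are expired or not yet valid at `at`.
def stale_entries(pem_text, at: Time.now)
  certs_in_bundle(pem_text)
    .reject { |c| c.not_before <= at && at <= c.not_after }
    .map { |c| c.subject.to_s }
end

# Verify `cert` using only the trust anchors in `pem_text`.
def verify_against_bundle(cert, pem_text, at: Time.now)
  store = OpenSSL::X509::Store.new
  store.time = at
  certs_in_bundle(pem_text).uniq(&:to_der).each { |ca| store.add_cert(ca) }
  ok = store.verify(cert)
  { ok: ok, code: store.error, reason: store.error_string }
end

# Constructed sample certificate; self-signed unless an issuer is given.
def constructed_cert(cn, key, issuer: nil, issuer_key: nil, ca: false,
                     not_before: Time.now - 60, not_after: Time.now + 3600)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  constraint = ca ? "CA:TRUE" : "CA:FALSE"
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed PKI: root A signs the leaf; root B is unrelated and expired.
def constructed_pki
  root_key = OpenSSL::PKey::RSA.new(2048)
  other_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root = constructed_cert("Constructed Root A", root_key, ca: true)
  other = constructed_cert("Constructed Root B", other_key, ca: true,
                           not_before: Time.now - 7200, not_after: Time.now - 3600)
  leaf = constructed_cert("gems.example.test", leaf_key,
                          issuer: root, issuer_key: root_key)
  { leaf: leaf,
    good_bundle: root.to_pem + other.to_pem,  # contains the issuing root
    wrong_bundle: other.to_pem }              # issuing root is missing
end

if __FILE__ == $PROGRAM_NAME
  puts "trust file in effect: #{effective_ca_file}"
  pki = constructed_pki
  puts "bundle with issuing root:    #{verify_against_bundle(pki[:leaf], pki[:good_bundle])}"
  puts "bundle without issuing root: #{verify_against_bundle(pki[:leaf], pki[:wrong_bundle])}"
  puts "stale entries in bundle:     #{stale_entries(pki[:good_bundle])}"
end
```

To inspect a real bundle, pass `File.read(effective_ca_file)` to `certs_in_bundle` or `stale_entries`.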
@benamir
benamir commented Nov 7, 2012

Hi Guys, I updated openssl to 1.0.1 a month ago and creating a new rails app from the app composer worked, but now when I try

rails new app -m http://raw.github.com/RailsApps/rails-composer/master/composer.rb -T -O

I get the issue again:

/Users/macuser/.rvm/rubies/ruby-1.9.3-p125/lib/ruby/1.9.1/net/http.rb:799:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

ruby 1.9.3p125
gem -v 1.8.24
OpenSSL 1.0.1b 26 Apr 2012
curl -I https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem
HTTP/1.0 200 OK

running:
ruby -d -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")).bytesize'

gets:
Exception `LoadError' at /Users/macuser/.rvm/rubies/ruby-1.9.3-p125/lib/ruby/site_ruby/1.9.1/rubygems.rb:1264 - cannot load such file -- rubygems/defaults/operating_system
Exception `LoadError' at /Users/macuser/.rvm/rubies/ruby-1.9.3-p125/lib/ruby/site_ruby/1.9.1/rubygems.rb:1273 - cannot load such file -- rubygems/defaults/ruby
Exception `Gem::LoadError' at /Users/macuser/.rvm/rubies/ruby-1.9.3-p125/lib/ruby/site_ruby/1.9.1/rubygems/dependency.rb:247 - Could not find psych (>= 1.2.1, ~> 1.2) amongst [actionmailer-3.2.3, actionpack-3.2.8, actionpack-3.2.3, activemodel-3.2.8, activemodel-3.2.3, activerecord-3.2.3, activeresource-3.2.3, activesupport-3.2.8, activesupport-3.2.3, addressable-2.3.2, arel-3.0.2, bcrypt-ruby-3.0.1, bootstrap-sass-2.1.0.0, bootstrap-timepicker-rails-0.1.2, builder-3.0.4, builder-3.0.3, builder-3.0.0, bundler-1.2.1, bundler-1.1.3, cancan-1.6.8, capistrano-2.13.4, capybara-1.1.2, carrierwave-0.6.2, childprocess-0.3.5, coffee-rails-3.2.2, coffee-script-2.2.0, coffee-script-source-1.4.0, coffee-script-source-1.3.3, commonjs-0.2.6, cucumber-1.2.1, cucumber-rails-1.3.0, database_cleaner-0.9.1, devise-2.1.2, devise_invitable-1.1.0, diff-lcs-1.1.3, email_spec-1.2.1, erubis-2.7.0, execjs-1.4.0, factory_girl-4.1.0, factory_girl_rails-4.1.0, ffi-1.1.5, gherkin-2.11.4, highline-1.6.15, hike-1.2.1, i18n-0.6.1, i18n-0.6.Exception `NameError' at /Users/macuser/.rvm/rubies/ruby-1.9.3-p125/lib/ruby/1.9.1/psych/core_ext.rb:16 - method `to_yaml' not defined in Object

Running:
ruby -rrbconfig -e 'p Dir.glob(File.join(RbConfig::CONFIG["sitelibdir"], "rubygems/ssl_certs/*"))'
result:
["/Users/macuser/.rvm/rubies/ruby-1.9.3-p125/lib/ruby/site_ruby/1.9.1/rubygems/ssl_certs/ca-bundle.pem"]

running:
ruby -rrbconfig -e 'p Dir.glob(File.join(RbConfig::CONFIG["sitelibdir"], "rubygems/ssl_certs/*"))'

result:
/Users/macuser/.rvm/rubies/ruby-1.9.3-p125/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require': cannot load such file -- httpclient (LoadError)
    from /Users/macuser/.rvm/rubies/ruby-1.9.3-p125/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'

@gregorycarter

Hi everyone, I'm also unable to get app composer working due to the "SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)" fail.

os = 10.6.8
ruby 1.9.3p286 (2012-10-12 revision 37165) [x86_64-darwin10.8.0]
OpenSSL 1.0.1b 26 Apr 2012
curl -I https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem
HTTP/1.0 200 OK

Running: ruby -d -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")).bytesize'

Gets:

Exception `LoadError' at /Users/gregcarter/.rvm/rubies/ruby-1.9.3-p286/lib/ruby/site_ruby/1.9.1/rubygems.rb:1264 - cannot load such file -- rubygems/defaults/operating_system
Exception `LoadError' at /Users/gregcarter/.rvm/rubies/ruby-1.9.3-p286/lib/ruby/site_ruby/1.9.1/rubygems.rb:1273 - cannot load such file -- rubygems/defaults/ruby
Exception `Gem::LoadError' at /Users/gregcarter/.rvm/rubies/ruby-1.9.3-p286/lib/ruby/site_ruby/1.9.1/rubygems/dependency.rb:247 - Could not find psych (>= 1.2.1, ~> 1.2) amongst [actionmailer-3.2.8, actionpack-3.2.8, activemodel-3.2.8, activerecord-3.2.8, activeresource-3.2.8, activesupport-3.2.8, arel-3.0.2, builder-3.1.4, builder-3.0.4, bundler-1.2.1, erubis-2.7.0, hike-1.2.1, i18n-0.6.1, journey-1.0.4, json-1.7.5, mail-2.4.4, mime-types-1.19, multi_json-1.3.7, polyglot-0.3.3, rack-1.4.1, rack-cache-1.2, rack-ssl-1.3.2, rack-test-0.6.2, rails-3.2.8, railties-3.2.8, rake-0.9.2.2, rdoc-3.12, rubygems-bundler-1.1.0, rvm-1.11.3.5, sprockets-2.8.1, sprockets-2.1.3, thor-0.16.0, tilt-1.3.3, treetop-1.4.12, tzinfo-0.3.35]

Running: ruby -rrbconfig -e 'p Dir.glob(File.join(RbConfig::CONFIG["sitelibdir"], "rubygems/ssl_certs/*"))'

Gets: ["/Users/gregcarter/.rvm/rubies/ruby-1.9.3-p286/lib/ruby/site_ruby/1.9.1/rubygems/ssl_certs/ca-bundle.pem"]

Running: ruby -rhttpclient -e 'h = HTTPClient.new; h.ssl_config.verify_callback = proc { |ok, ctx|; p ctx.current_cert; ok }; h.get("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")'

Gets:

/Users/gregcarter/.rvm/rubies/ruby-1.9.3-p286/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require': cannot load such file -- httpclient (LoadError)
    from /Users/gregcarter/.rvm/rubies/ruby-1.9.3-p286/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'

As well as updating openssl, I've also tried the :ssl_verify_mode: 0. Doesn't work.

Any thoughts on how to resolve this would be great!

Thanks,

Greg

@abowhill

Hi all,

I'm unable to get app composer to work either. Same error,

apply https://raw.github.com/RailsApps/rails-composer/master/composer.rb

/home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/net/http.rb:799:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

I'm running FreeBSD stable RELENG_9

$ uname -srv
FreeBSD 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #3: Thu Dec  6 08:31:23 PST 2012     
root@kosmos:/usr/obj/usr/src/sys/GENERIC

$ ruby -v
ruby 1.9.3p362 (2012-12-25 revision 38607) [i386-freebsd9.1]

$ gem -v
1.8.24

$ openssl version
OpenSSL 1.0.1c 10 May 2012

$ curl -I https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem
HTTP/1.0 200 OK
Content-Type: binary/octet-stream
Content-Length: 111616
Connection: keep-alive
x-amz-id-2: uDYszZG4X0W0Ioi8Ir8F0tTqTwaQtn/oiM17ayeuWkAw1hKbMQRsPM0oI+NFCuwf
x-amz-request-id: 84B4BE2541F8964D
Date: Mon, 24 Dec 2012 05:25:36 GMT
Last-Modified: Sat, 22 Oct 2011 15:19:16 GMT
ETag: "28e731d5c59dd721d6387f80b25a2ba1"
Accept-Ranges: bytes
Server: AmazonS3
Age: 55054
X-Amz-Cf-Id: hThNIMpFNGGBWfOddJntp9y-4Wrg6ouh62uoVYSyp1WmGWyo4sdhfA==
Via: 1.0 17d8abe7315d00a9aa5a5ff2e9c3ee62.cloudfront.net (CloudFront)
X-Cache: Hit from cloudfront

$ ruby -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")).bytesize'
Fetching: rake-0.9.2.2.gem (100%)
111616


$ ruby -d -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")).bytesize'
Exception `LoadError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/site_ruby/1.9.1/rubygems.rb:1264 - cannot load such file -- rubygems/defaults/operating_system
Exception `LoadError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/site_ruby/1.9.1/rubygems.rb:1273 - cannot load such file -- rubygems/defaults/ruby
Exception `Gem::LoadError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/site_ruby/1.9.1/rubygems/dependency.rb:247 - Could not find psych (>= 1.2.1, ~> 1.2) amongst [abstract-1.0.0, actionmailer-3.2.11, actionmailer-3.2.9, actionmailer-3.0.10, actionpack-3.2.11, actionpack-3.2.9, actionpack-3.0.10, activemodel-3.2.11, activemodel-3.2.9, activemodel-3.0.10, activerecord-3.2.11, activerecord-3.2.9, activerecord-3.0.10, activeresource-3.2.11, activeresource-3.2.9, activeresource-3.0.10, activesupport-3.2.11, activesupport-3.2.9, activesupport-3.0.10, addressable-2.3.2, arel-3.0.2, arel-2.0.10, bcrypt-ruby-3.0.1, builder-3.0.4, builder-2.1.2, bundler-1.2.3, capybara-1.1.2, childprocess-0.3.6, coffee-rails-3.2.2, coffee-script-2.2.0, coffee-script-source-1.4.0, devise-1.4.7, diff-lcs-1.1.3, erubis-2.7.0, erubis-2.6.6, execjs-1.4.0, ffi-1.3.1, hike-1.2.1, i18n-0.6.1, i18n-0.5.0, journey-1.0.4, jquery-rails-2.1.4, jquery-rails-2.0.2, json-1.7.6, json-1.7.5, libwebsocket-0.1.7.1, mail-2.4.4, mail-2.2.19, mimException `NameError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/psych/core_ext.rb:16 - method `to_yaml' not defined in Object
Exception `NameError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/psych/core_ext.rb:29 - method `yaml_as' not defined in Module
Exception `NameError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/psych/deprecated.rb:79 - undefined method `to_yaml_properties' for class `Object'
Exception `NameError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/site_ruby/1.9.1/rubygems/syck_hack.rb:20 - constant Psych::Syck not defined
Exception `NameError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/site_ruby/1.9.1/rubygems/syck_hack.rb:42 - method `to_s' not defined in Syck::DefaultKey
Exception `ArgumentError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/psych/scalar_scanner.rb:91 - invalid value for Integer(): "--no-rdoc --no-ri"
Exception `OpenSSL::SSL::SSLError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Fetching: rake-0.9.2.2.gem ( 15%)Exception `OpenSSL::SSL::SSLError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Fetching: rake-0.9.2.2.gem ( 29%)Exception `OpenSSL::SSL::SSLError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Fetching: rake-0.9.2.2.gem ( 44%)Exception `OpenSSL::SSL::SSLError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Fetching: rake-0.9.2.2.gem ( 59%)Exception `OpenSSL::SSL::SSLError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Fetching: rake-0.9.2.2.gem ( 88%)Exception `OpenSSL::SSL::SSLError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Exception `OpenSSL::SSL::SSLError' at /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block
Fetching: rake-0.9.2.2.gem (100%)
111616

$ ruby -rrbconfig -e 'p Dir.glob(File.join(RbConfig::CONFIG["sitelibdir"], "rubygems/ssl_certs/*"))'
["/home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/site_ruby/1.9.1/rubygems/ssl_certs/ca-bundle.pem"]

$ ruby -rhttpclient -e 'h = HTTPClient.new; h.ssl_config.verify_callback = proc { |ok, ctx|; p ctx.current_cert; ok }; h.get("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")'
/home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require': cannot load such file -- httpclient (LoadError)
        from /home/kosmos/.rvm/rubies/ruby-1.9.3-p362/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'

I replaced OpenSSL in my OS, so am not sure what to do now.

Any help would be appreciated.

Thanks!

@drbrain
Member
drbrain commented Jan 14, 2013

@abowhill your problem is not a RubyGems problem, please file a ticket on the app composer project.

@simont
simont commented Jan 17, 2013

In case this is useful for others, I was having the composer error:

/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

I updated openssl on the mac, rebuilt ruby 1.9.3 in rvm, etc. and all to no avail until I came across this post

http://andrewdeponte.com/2012/09/07/rvm-installed-ruby-%28ssl-certificate-verify-failed%29.html

which gives you a nice way to recreate the issue using IRB, then the fix is a curl command to put an updated certificate file into RVM's ssl directory and then (at least for me) the problem was solved and then the generator worked correctly.

I hope this is useful to others.

@abowhill

I'd like to add that I was able to fix the OpenSSL problem listed (FreeBSD platform) by doing an 'rvm pkg install openssl' similar to the previous post. The problem is fixed (a workaround) by rvm. The source of the problem is not composer.

@unchris unchris referenced this issue in Shopify/shopify_app Jan 29, 2013
Closed

clean deploy gets Faraday Error #31

@rosenfeld

I've been having intermittent issues with SSL for a long time now in Debian sid, which I've been able to work around by replacing the https source with the http version. But I can't finish configuring rbx 2.0.0 because it checks for lots of dependencies (Checking dependencies for ...) and eventually one of them will time out when using SSL. I tried to run configure with RUBYGEMS_HOST=http://rubygems.org and now, instead of SSL timeout errors, I get another error:

previous error:

net/http.rb:918:in `connect': SSL_connect SYSCALL returned=5 errno=0 state=unknown state (OpenSSL::SSL::SSLError)

current error (after changing source to http):

/home/rodrigo/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/protocol.rb:153:in `read_nonblock': end of file reached (EOFError)

The error doesn't happen for all dependencies and not always for the same one.

I've been experiencing a hard time in the last months with regards to downloading gems from RubyGems. I didn't notice any other SSL/HTTPS related issues with anything else. Actually, Maven also seems to take too much time to download a pom (very tiny file) sometimes, which I'm assuming would eventually time out, although I don't wait to be sure (just press Ctrl+C and run the command again).

Any help on what this could be related to would be very helpful as this is driving me nuts already... :(

@rosenfeld

If it helps, I tried to run this command many times:

curl -I https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem

It succeeded 6 times but in the 7th I got this:

curl: (35) Unknown SSL protocol error in connection to d2chzxaqi4y7f8.cloudfront.net:443

@rosenfeld

I could finally track down the issue to my router, a Netgear WGR614 v7. Maybe it's misconfigured somehow, but the fact is that if I take it out and connect directly to my Internet provider the problem goes away. I'm so happy to find out the cause! :) Now I need to find a good router to replace mine :)

@rosenfeld

The interesting thing is that I replaced my router with another identical model from my parents (they were experiencing other issues with it) and this one doesn't cause any issues :) Go figure it out... But I guess I won't buy another Netgear anytime soon just in case :)

@rkh
rkh commented Oct 16, 2013

We are seeing this a lot on Travis CI:

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: wrong version number

Example: https://travis-ci.org/deiga/new-Roydon/builds/12606737

@dovadi
dovadi commented Oct 16, 2013

I get the same message with my builds on Semaphore:

Fetching source index from https://rubygems.org/
Installing rake (10.1.0) 
....
....
Installing net-scp (1.1.2) 
Installing ruby-hmac (0.4.0) 
Installing fog (1.15.0) 
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: wrong version number
An error occurred while installing carrierwave_direct (0.0.13), and Bundler
cannot continue.
Make sure that `gem install carrierwave_direct -v '0.0.13'` succeeds before
bundling.

@jonharmon

Fixed this problem on my macbook air. This problem started when I was running Mac OS X 10.8 and remained after upgrading to 10.9. Below is the error when trying to do > gem install compass:

ERROR: Could not find a valid gem 'compass' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz)

I'm back up and running again, I must have screwed something up in rvm as when I switched back to the pre-rvm state everything works again.

If this happened after installing rvm do:

rvm system

to revert back to your pre-rvm ruby.

Hopefully this helps others new to ruby like myself.

@drbrain
Member
drbrain commented Oct 16, 2013

@rkh read server hello A: wrong version number typically indicates the connection was closed during the SSL handshake (OpenSSL does not propagate underlying errors upward).

I more frequently get Errno::ETIMEDOUT from Travis when making outbound connections.

It seems that Travis VMs may have occasional connectivity problems.

@jonharmon read server certificate B: certificate verify failed may be due to connection problems or missing certificates (which can be solved by updating RubyGems)

@sergiogomez

I've got it with

rvm osx-ssl-certs update

as seen in http://stackoverflow.com/a/19143664

@cuong2k
cuong2k commented Oct 22, 2015

Hi !
Please support case bundle install fluentd error ;
bundle install (Centos 6.7 64bit)

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/gems/cool.io-1.4.1.gem)

[root@localhost ]# ruby -v
ruby 2.2.1p85 (2015-02-26 revision 49769) [x86_64-linux]

[root@localhost ]# gem -v
2.2.3

Thanks,

@agis-
Contributor
agis- commented Oct 22, 2015

@cuong2k Have you tried the other suggestions mentioned in this issue? For example, if you're using rvm you can try rvm osx-ssl-certs update.

@uchennafokoye

I am also having a similar error with RailApp.

Gibbon::MailChimpError at /visitors
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed @title=nil, @detail=nil, @body=nil, @raw_body=nil, @status_code=nil

I have updated openssl with macport but I had already generated a new app with rails apps composer before updating the openssl. Could that be my issue? Any clues on how to fix this? I don't want to regenerate an entirely new app again.

@uchennafokoye

Here's how I bypassed the error. This is a temporary solution.

I created a file in config/initializers called bypass_ssl_verification_for_open_uri.rb and then I placed this code:

OpenSSL::SSL.const_set(:VERIFY_PEER, OpenSSL::SSL::VERIFY_NONE)

You would get a warning :VERIFY_PEER has already been set, but once you reset your server, it should all work!
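
The initializer above switches certificate verification off for every TLS client in the process. As an added example (not part of the original comment and not RubyGems' own code), the sketch below reproduces the usual cause of "certificate verify failed", a trust store that lacks the issuing CA, and shows verification succeeding once that CA is supplied as a bundle file. The CA, the leaf certificate and the host name `gems.example.test` are constructed for the demonstration.

```ruby
require "openssl"
require "tempfile"

# Build a certificate for the constructed test PKI (self-signed when no issuer is given).
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = (issuer || cert).subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify `leaf` against the PEM bundle at `ca_bundle_path` (nil means an empty trust store).
# Returns [verified?, OpenSSL's reason string].
def verify_against_bundle(leaf, ca_bundle_path)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_bundle_path) if ca_bundle_path
  [store.verify(leaf), store.error_string]
end

# Constructed scenario: the same leaf checked without and with its issuing CA.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert("Constructed Test CA", ca_key, ca: true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = make_cert("gems.example.test", leaf_key, issuer: ca, issuer_key: ca_key)

  Tempfile.create(["ca-bundle", ".pem"]) do |bundle|
    bundle.write(ca.to_pem)
    bundle.flush
    { missing_ca: verify_against_bundle(leaf, nil),
      with_ca: verify_against_bundle(leaf, bundle.path) }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (ok, reason)| puts "#{name}: verified=#{ok} (#{reason})" }
end
```

The same bundle path can be handed to a single client, for example through `Net::HTTP#ca_file` or the `:ssl_ca_cert` setting in `~/.gemrc`, with `verify_mode` left at `VERIFY_PEER`.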

@lalehmb
lalehmb commented Feb 20, 2016

I get the same error on Vagrant, Linux system. And there's no rvm command on the machine + I'm a total newbie to Ruby at least!

May someone help me handle this? As everything I find is related to Mac or Windows!

@drbrain
Member
drbrain commented Jan 17, 2017

@mcshakes bundler errors are reported on the bundler repo, this is RubyGems.

Do you get an error with gem install?

@mcshakes
mcshakes commented Jan 17, 2017 edited

Hmm I did, but reinstalled the latest version of Ruby and copy-pasting a certificate in the .pem file. This fixed gem install errors. My mistake! Thanks, and I'll head on over to the bundler. Will delete previous comment
