https://rubygems.org/ - SSL_connect B: certificate verify failed

[emeyekayee]

gem install pry
ERROR: Could not find a valid gem 'pry' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz)

[bbuck]

This issue has also occurred to me when trying to annotate, and several other gems (as a test). It occurred to me earlier today intermittently but is now preventing me from installing any gem.

In the meantime downgrading back to v 2.0.3 for now seems to have resolved this issue.

[ventsislaf]

I had the same problem. It looks like it is related to OpenSSL security certificates. This worked for me (OS X):

brew tap raggi/ale
brew install openssl-osx-ca

[drbrain]

There are two possible causes for this:

1. You are missing certificates. This is unlikely as RubyGems ships with the certificates it needs to connect to https://rubygems.org
2. There is a timeout connecting to https://rubygems.org or (in your case) https://s3.amazonaws.com

Sadly, OpenSSL does not give good diagnostics for why there was a certificate verification failure. It could be either of the above problems.

PS: You should not use 2.0.3 as it is vulnerable to CVE-2013-4287 and CVE-2013-4363. Use 2.0.10 instead.

[drbrain]

Oh, can you check for timeouts?

[bbuck]

I'm not sure how I would check for timeouts, but I think the issue might be related to ruby 2.0.0-p247 because rubygems 2.0.3, 2.0.10 and 2.1.5 all fail with the same error when installed under this ruby version. However, rubygems 2.0.10 works fine under ruby 2.0.0-p0.

I don't think it would be a timeout, at least for me I receive the SSL failure immediately after trying to install a gem - that would be a short timeout.

[drbrain]

I've asked @evanphx to look into updated certificates for Amazon S3, but since it seems to be related to your ruby version, perhaps @emboss has an idea?

[lephyrius]

Im seeing this error:

gem install redis -v '3.0.5'
ERROR:  Could not find a valid gem 'redis' (= 3.0.5), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://s3.amazonaws.com/production.s3.rubygems.org/specs.4.8.gz)

[lucamug]

Same problem here:

$ gem install rake --verbose
GET https://rubygems.org/latest_specs.4.8.gz
302 Moved Temporarily
ERROR: Could not find a valid gem 'rake' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz)
HEAD https://rubygems.org/prerelease_specs.4.8.gz
302 Moved Temporarily
HEAD https://rubygems.org/specs.4.8.gz
302 Moved Temporarily

[luislavena]

For the ones still getting this error, would you mind perform the following command with openssl ?

$ openssl s_client -connect rubygems.org:443 -showcerts -status < /dev/null

If you can make a gist with the complete output will allow us to verify the certs obtained from the server and then determine what could be the issue.

Thank you.

[lucamug]

Here is the gist: https://gist.github.com/lucamug/6851433
Consider that I am using Windows 7.

[nmarley]

I've been getting this error for a few days now.

My latest error message:

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://s3.amazonaws.com/production.s3.rubygems.org/gems/sass-3.2.12.gem)

I'm on OSX 10.7.5 with Ruby 2.0.0p247 and the latest version of rubygems:

$ uname -a
Darwin rivendell 11.4.2 Darwin Kernel Version 11.4.2: Thu Aug 23 16:25:48 PDT 2012; root:xnu-1699.32.7~1/RELEASE_X86_64 x86_64 i386 MacBookPro8,1 Darwin
$ ruby -v
ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-darwin11.4.2]
$ gem -v
2.1.3

Here's my gist: https://gist.github.com/nmarley/6858578

[Serfenia]

I've been having this issue also since friday (when I tried to install the flickraw gem). It worked before, first I thought might be a network issue but it wasn't since I tried it on different wireless and wired networks.

Doing a normal bundle install works, if you set the source insecurely. [edited by @drbrain to remove a broken fix]

Doing a gem install, like I need to do a specific bcrypt-ruby install for windows 7, it won't work.

[luislavena]

@drbrain looking at the certificate issues, seems that the problem is not connecting to rubygems.org and the SSL, but the redirects to Amazon S3 for downloading the gems, which is resulting in the SSL error we are seeing.

Perhaps we can add these certificates too? I have a strong feeling this might be the issue.

I can't test this right now, but will be able to test something starting on Tuesday 😢

[luislavena]

@drbrain I think #673 might be the solution to this.

[bbuck]

@luislavena A little late, but here it is: https://gist.github.com/bbuck/6c4831f21f53365c72df

That's a gist of executing the openssl command you gave.

[nmarley]

My solution to this was to update my CA certs file for the instance of openssl that Ruby is linked against. Since I linked against a manually-compiled OpenSSL in /opt/openssl, the brew openssl-osx-ca command that @vencislaf recommended above didn't work for me. I manually ran the steps and created a certs.pem file via:

security find-certificate -a -p /Library/Keychains/System.keychain > /tmp/certs.pem
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> /tmp/certs.pem

Then I moved the file to the location specified by:

ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'

I'm guessing Amazon updated an SSL cert file about 5 days ago, that or one of the bundled certs that was making this work expired at that time.

[collins001]

Mine issue is a bit different...
Can anyone help with an answer on how to resolve this error.:
C:\DevKit>gem install json --platform=ruby
ERROR: Could not find a valid gem 'json' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - Errno::ECONNABORT
ED: An established connection was aborted by the software in your host machine.

SSL_connect (https://api.rubygems.org/specs.4.8.gz)

[drbrain]

@collins001 what RubyGems version are you using? If ruby is trying to download specs.4.8 you likely have an out-of-date version which does not have the correct CA certificates to securely connect to RubyGems.org.

[3686]

Updating system gems worked for me under bundler:

In my Gemfile:

source 'https://rubygems.org'

(gem spec here)

In elevated powershell:

gem update --system

[vtanathip]

I still have the problem with gem.

this is a fresh install ruby version 2.2.5p319 from http://rubyinstaller.org/

Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

ruby version 2.2.5p319
gem version 2.4.5.1
OS: window 7 64bit

Have anyone an idea to solve this?
Thanks you in advance.

[Fire-Dragon-DoL]

Having this problem too. Wonder what's the cause. I noticed api.rubygems.org has a "too many redirects" error

[RupW]

@vtanathip There's a workaround here: http://guides.rubygems.org/ssl-certificate-update/
You just need to drop the correct GlobalSign root CA into your rubygems ssl_certs folder.

If you watch it fail in procexp you can see it's also trying to find SSL certs in a folder under C;\Users\Justin, so this probably does work for whoever builds the Windows releases at rubyinstaller.org.

[vtanathip]

@RupW Thanks, that's help!!!

Have to say that document resolved my issues. 👍

Hope someone that have the same problem will resolve it.

FYI: I use MANUAL SOLUTION TO SSL ISSUE

[Fire-Dragon-DoL]

I fixed mine by manually installing rubygems and upgrading openssl on osx yosemite

[rishifactual]

Neither @RupW or @Fire-Dragon-DoL 's suggestions worked for me (OSX Yosemite 10.10.5). RubyGems version 2.6.7. Still getting the same error message. Does anyone have other suggestions?

[Fire-Dragon-DoL]

@rishifactual As someone pointed out, it's a problem with RVM rubies, they are built with old openssl. Update openssl, reinstall your ruby with rvm install 2.3.1 --disable-binary, which will force a recompile instead of using rvm binaries. This should address the issue.

[rishifactual]

perfect! Thanks

[Fire-Dragon-DoL]

#1745

[jrvaghela72]

[REDACTED due to creating a security vulnerability]

[Fire-Dragon-DoL]

That's not a solution, you are trading security (a big one) if you use http instead of https, please regret from even recommending that.

[drbrain]

@Fire-Dragon-DoL I redacted it here and flagged it on stack overflow

[officialmmt]

Fix is here http://guides.rubygems.org/ssl-certificate-update/#background it is working on windows 10 x64

[Fire-Dragon-DoL]

@officialmmt nope, I applied that fix and didn't work, the only fix currently was recompiling the rubies

[trajano]

@officialmmt slight alteration for your instructions. I copied the global.pem then I made sure I remove all sources using

gem source --list
gem source --remove ...

Finally I added back rubygems.org

gem source --add https://rubygems.org/

[gabeodess]

I had to reinstall openssl:

brew uninstall --force openssl
brew install openssl

[felixfbecker]

I am still getting this error with a fresh install on windows

[vnluc]

I got this error also. The cause is gem is updated and also the certificates.

Please follow this guide to update gem & the certificates, it helped me out.

http://guides.rubygems.org/ssl-certificate-update/

[vchinthakunta]

This solution did not work for me..If you are facing the same.. try the steps from [REDACTED, advocates insecure connections]
Worked for me!!

[vnluc]

@omidheshmatinia: This is in secure way, better follow my way if it works. Or @ccoenen is ok also.

[ccoenen]

(Edit: the link to the insecure answer was removed, the following is no longer relevant to this discussion, it is referring to the VERIFY_NONE pattern which is a bad idea but which is nonetheless often suggested)

I flag this answer whenever I see it on Stack Overflow, but the moderators there usually don't agree with my assessment that a dangerous way should not be on that site. It appears to be quite hard to understand that YOU ARE F*CKING OPEN TO ALL KINDS OF ATTACKS if you miss that tiny little s in your gem sources.

[fguillen]

In my case:

• OSX 0.12.6
• Ruby 2.0.0-p247
• rbenv 1.1.1-28-gb943955

Updating Ruby to 2.4.2 made the trick.

[samiggapps]

This worked for me https://gist.github.com/fnichol/867550