HTTPS errors (possibly related to certs since OpenSSL announcement?) #239
Comments
Could you paste the errors? As verbosely as possible :) Ping @grk |
When I type Warning: this Gemfile contains multiple primary sources. Using `source` more than once without a block is a security risk, and may result in installing unexpected gems. To resolve this warning, use a block to indicate which gems should come from the secondary source. To upgrade this warning to an error, run `bundle config disable_multisource true`.
HTTP GET https://rails-assets.org/api/v1/dependencies
HTTP GET https://bundler.rubygems.org/api/v1/dependencies
HTTP 200 OK
Fetching source index from https://rails-assets.org/
Retrying source fetch due to error (2/3): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://rails-assets.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
Retrying source fetch due to error (3/3): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://rails-assets.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
Could not verify the SSL certificate for https://rails-assets.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
I completely deleted my version of Ruby and all of its associated gems and installed from scratch to check against it being some kind of problem with Ruby or gems compiled against the wrong OpenSSL version. When I change the Rails-Assets source to use HTTP (but keep Rubygems as HTTPS), I am able to install all my gems. |
I have never needed to do this, but I added an extra CA root bundle, and was able to connect. Apologies for the trouble. |
I'm still experiencing this issue, anything else needs to be done here? |
I had to install an extra CA bundle that wasn't included with OpenSSL over Homebrew. |
@geoffharcourt Was it this: https://github.com/raggi/openssl-osx-ca ? |
All my certificates seem to be up to date. 😿 |
@jasdeepsingh We updated our OpenSSL version. Did it help? |
Same problem here :( |
It's working now! After a while I found this site https://railsapps.github.io/openssl-certificate-verify-failed.html
What I did:
$ brew update && brew install openssl
$ cd /usr/local/etc/openssl/certs
$ curl -O http://curl.haxx.se/ca/cacert.pem
$ mv cacert.pem cert.pem
$ /usr/local/opt/openssl/bin/c_rehash
After that it worked fine for me. |
I'm leaving this so others can see @schurig's solution. Thanks! |
@schurig's advice helped me too. I tested with a fresh CA bundle created from my system keychains and it was not sufficient:
security find-certificate -a -p /Library/Keychains/System.keychain \
/System/Library/Keychains/SystemRootCertificates.keychain > cabundle.pem
curl --cacert cabundle.pem -v https://rails-assets.org
* Rebuilt URL to: https://rails-assets.org/
* Hostname was NOT found in DNS cache
* Trying 178.32.77.8...
* Connected to rails-assets.org (178.32.77.8) port 443 (#0)
* SSL: certificate verification failed (result: 5)
* Closing connection 0
curl: (51) SSL: certificate verification failed (result: 5)
Why it works fine then in Safari is beyond me. |
Hey guys, it's still not working for me. I've tried the same debug steps as mentioned by @felixbuenemann and my results are consistent with his, and I cannot get it to work over HTTPS; the only temporary solution for me was to use HTTP. What is interesting is that I'm getting the same issue for https://gemfury.com/ as well (which I use to host some private gems). |
@jasdeepsingh Have you tried @schurig's advice? It worked for me. |
Could it be that we all have the Yosemite Beta installed? |
@schurig, I am on Yosemite Beta. Is that really the cause? Ugh. |
@geoffharcourt I have no idea. Another friend of mine also had the problem and uses the Yosemite Beta. |
Yeah, I'm on 10.3 beta as well. |
I'm on Yosemite Beta as well. I have another OS X machine, which is running the previous stable release of OS X; I'm going to try there. @felixbuenemann you meant 10.10.3, right? Not 10.3? |
I'm having the same problem and have the Yosemite Beta... 😭 10.10.3 (14D130a) |
@jasdeepsingh Yeah, typo. |
As an additional datapoint, some @gemfury customers are reporting this error as well with OSX 10.10.3 beta. Our SSL certificate for fury.io is issued by "RapidSSL SHA256 CA - G3" as well. |
I can assert that I'm having this same issue with Gemfury too. |
I have a troublingly similar issue, affecting among others some Google sites and apps (including Google Music via Ruby and access to e.g. SMTP). The Google Internet Authority G2 intermediate cert has expired, and I had to import a new one downloaded from Google into the system keychain. This fixed my SMTP issue but Ruby keeps complaining. I'm on 14D130a too. Another machine of mine on 10.10.2 seems entirely unaffected (neither Ruby nor Mail.app's SMTP to Gmail). |
Version 10.10.3 (14D131) was released today and the problem is still present 😭 |
@schurig's solution didn't work for me :/ Also using 10.10.3 beta 😭 |
Finally got it to work! I did as @schurig said but on |
I still have the error: |
@sarlv Sorry for hijacking the thread, but we had a similar problem with Gemfury and that's the fix we pushed. We are not affiliated w/ Rails-Assets service. |
@rykov Thank you for providing us possible fix for it. We'll try to fix this certificate issue on Rails Assets as well. I'll keep you all posted. |
I had no issues under MRI 2.2.1, but since upgrading to 2.2.2 I'm seeing:
See: https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/ |
Hello! I've updated "GeoTrust Global CA" certificate. Please let me know if it works now. Cheers! |
Yep. Appears to bundle correctly now. Thanks! |
@tallica https://ssltools.geotrust.com/checker/views/certCheck.jsp says it's 👌, but now that "GeoTrust Global CA" is self-signed, you no longer need to include it in the certificate chain. |
@rykov Thanks, removed it from the chain: |
@meskyanichi Can you please confirm that it still works for you? :) |
@tallica it works on this end on ruby 2.2.2 (I had the same exact issue) |
Perfect! Thanks for your help! Closing. |
👍 |
Thank you Michał for handling this! |
Is it back? I'm getting it again. |
We were making some minor updates, it should be stable now. |
Same error still with Windows.... |
Does anyone have a solution for Windows? |
For Windows, here is an explanation and fix: |
I don't understand why this keeps happening to me. Same issue, every few days, on different machines. I feel like I should nuke all my Macs just to keep it from happening over and over. |
@allthesignals What exactly is the error you're getting? Is it precisely the same as the one above? Please file a new issue if not. |
Check out rubygems/rubygems#1758 @allthesignals If you were to nuke something, nuke your RVM. No need to nuke your whole Mac. Nuking the RVM worked for me via:
Like I said, check out that thread for more details. |
It's back! I'm only seeing it when I push to Heroku though:
Like I said,
|
Whoops, I spoke too soon. |
I think this might explain it! Looks like https://rails-assets.org/ has a certificate problem of some kind. |
Just got the problem this morning!! The exact same thing as @murdoch |
Looks like the SSL cert has expired today: |
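Added example (not part of the thread and not Rails Assets or Bundler code): the failure modes reported in this issue (an intermediate the server does not send, a client CA bundle that lacks the root, a self-signed root shipped in the chain, and an expired certificate) reproduced offline with Ruby's OpenSSL bindings. The PKI is constructed in memory, all certificate names are made up, and hostname matching is not covered.

```ruby
require "openssl"

# Constructed in-memory PKI (root -> intermediate -> leaf); every name is made up.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false, lifetime: 3600)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + lifetime
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# trusted = the client's CA bundle; sent = extra certificates the server presents.
# Returns the OpenSSL verify error code and its message.
def verify(leaf, trusted:, sent: [], at: Time.now)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  store.time = at
  store.verify(leaf, sent)
  [store.error, store.error_string]
end

def scenarios
  rk, ik, lk, ok = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root  = make_cert("Constructed Root", rk, ca: true)
  inter = make_cert("Constructed Intermediate", ik, issuer: root, issuer_key: rk, ca: true)
  leaf  = make_cert("assets.example.test", lk, issuer: inter, issuer_key: ik, lifetime: 120)
  other = make_cert("Unrelated Root", ok, ca: true) # a bundle that lacks our root
  {
    full_chain_root_trusted: verify(leaf, trusted: [root], sent: [inter]),
    intermediate_not_sent:   verify(leaf, trusted: [root]),
    root_missing_in_bundle:  verify(leaf, trusted: [other], sent: [inter]),
    root_sent_not_trusted:   verify(leaf, trusted: [other], sent: [inter, root]),
    leaf_expired:            verify(leaf, trusted: [root], sent: [inter], at: Time.now + 600),
  }
end

scenarios.each { |name, (code, msg)| puts format("%-26s %2d  %s", name, code, msg) }
```

A root sent by the server never makes the chain trusted on its own; only a root already present in the client's bundle does, which is why installing an updated CA bundle fixed some clients here.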
If the Let's Encrypt cron jobs for renewal are installed, it's probably missing a reload hook, so nginx loads the new certificate after a renew. This line in
|
http://openssl.org/news/secadv_20150319.txt
I'm currently getting bad certificate errors since updating to OpenSSL 1.0.2a. I am able to access Rubygems over HTTPS without any issues, so I think this isn't specific to my development machine.