Skip to main content

Ruby: Working Around SSL Errors on OS X

Have you ever seen the following error:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
Apparently, this is a standard problem for Ruby on OS X. The problem is that Ruby is unable to find the root certificates necessary to verify a given certificate. A typical (and very bad) workaround is to turn off certificate validation using some code that looks something like:
...verify_mode = OpenSSL::SSL::VERIFY_NONE
There's a good blog post called How to Cure Net::HTTP’s Risky Default HTTPS Behavior. It shows you how to force all certificates to be verified, but it doesn't show how to make use of the operating system's most up-to-date list of root certificates.

After reading a ton of different blog posts, this is the approach that I created for my Rails app:
# config/initializers/fix_ssl.rb
# 
# Work around errors that look like:
#
#   SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

require 'open-uri'
require 'net/https'

module Net
  class HTTP
    alias_method :original_use_ssl=, :use_ssl=
    
    def use_ssl=(flag)
      # Ubuntu
      if File.exists?('/etc/ssl/certs')
        self.ca_path = '/etc/ssl/certs'
      
      # MacPorts on OS X
      # You'll need to run: sudo port install curl-ca-bundle
      elsif File.exists?('/opt/local/share/curl/curl-ca-bundle.crt')
        self.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'
      end

      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
      self.original_use_ssl = flag
    end
  end
end
As the code says, you'll have to execute "sudo port install curl-ca-bundle" on OS X to install the root certificates. Unfortunately, I don't know what the brew version of that is.

Hopefully this will be fixed properly soon.
Labels:

Comments

jjinux said…
See also:


http://martinottenwaelter.fr/2010/12/ruby19-and-the-ssl-error/

http://jimneath.org/2011/10/19/ruby-ssl-certificate-verify-failed.html

http://code.google.com/p/google-plus-ruby-starter/issues/detail?id=3#c6

http://www.rubyinside.com/how-to-cure-nethttps-risky-default-https-behavior-4010.html

http://stackoverflow.com/questions/5074164/google-api-ruby-client-translate-api-examples
5:50 PM
jjinux said…
I switched to rvm and this problem went away :-/
2:39 PM
Anonymous said…
Heroku gem 2.21.1 causes the same issue.
12:22 PM
yakshaving said…
Weird -- I'm on RVM, and I still get this error. And I really don't want to install macports.

Any advice?
9:34 PM
jjinux said…
rvm made the problem go away for me, so I wouldn't recommend switching to MacPorts.

Here are the versions I'm using:

$ which ruby
/Users/jjinux/.rvm/rubies/ruby-1.9.2-p290/bin/ruby

$ gem list

*** LOCAL GEMS ***

abstract (1.0.0)
actionmailer (3.0.5)
actionpack (3.0.5)
activemodel (3.0.5)
activerecord (3.0.5)
activeresource (3.0.5)
activesupport (3.0.5)
addressable (2.2.6)
archive-tar-minitar (0.5.2)
arel (2.0.10)
autoparse (0.2.3)
builder (2.1.2)
bundler (1.0.22 ruby)
capybara (1.1.2)
childprocess (0.3.1)
coderay (1.0.5)
columnize (0.3.6)
countries (0.8.1)
crack (0.3.1)
currencies (0.4.0)
diff-lcs (1.1.3)
erubis (2.6.6)
extlib (0.9.15)
factory_girl (2.5.2)
factory_girl_rails (1.6.0)
faraday (0.7.6)
ffi (1.0.11)
google-api-client (0.4.0)
httpadapter (1.0.1)
i18n (0.6.0)
json (1.6.5)
jwt (0.1.4)
launchy (2.0.5)
linecache19 (0.5.12)
mail (2.2.19)
method_source (0.7.0)
mime-types (1.17.2)
multi_json (1.0.4)
multipart-post (1.1.4)
nokogiri (1.5.0)
polyglot (0.3.3)
pry (0.9.8.2)
rack (1.2.5)
rack-mount (0.6.14)
rack-test (0.5.7)
rails (3.0.5)
railties (3.0.5)
rake (0.9.2.2, 0.9.2)
rspec (2.8.0)
rspec-core (2.8.0)
rspec-expectations (2.8.0)
rspec-mocks (2.8.0)
rspec-rails (2.8.1)
ruby-debug-base19 (0.11.25)
ruby-debug19 (0.11.6)
ruby_core_source (0.1.5)
rubyzip (0.9.6.1)
selenium-webdriver (2.19.0)
signet (0.3.2)
slop (2.4.4)
sqlite3 (1.3.5)
thor (0.14.6)
treetop (1.4.10)
tzinfo (0.3.31)
webmock (1.7.10)
will_paginate (3.0.pre)
xpath (0.1.4)

Perhaps if you use the exact same versions, things will work out better for you.
11:38 AM
phil pirj said…
Check out this 'certified' gem. It's targeted to solve this issue.
2:34 AM
Post a Comment

Popular posts from this blog

Ubuntu 20.04 on a 2015 15" MacBook Pro

I decided to give Ubuntu 20.04 a try on my 2015 15" MacBook Pro. I didn't actually install it; I just live booted from a USB thumb drive which was enough to try out everything I wanted. In summary, it's not perfect, and issues with my camera would prevent me from switching, but given the right hardware, I think it's a really viable option. The first thing I wanted to try was what would happen if I plugged in a non-HiDPI screen given that my laptop has a HiDPI screen. Without sub-pixel scaling, whatever scale rate I picked for one screen would apply to the other. However, once I turned on sub-pixel scaling, I was able to pick different scale rates for the internal and external displays. That looked ok. I tried plugging in and unplugging multiple times, and it didn't crash. I doubt it'd work with my Thunderbolt display at work, but it worked fine for my HDMI displays at home. I even plugged it into my TV, and it stuck to the 100% scaling I picked for the othe
1 comment
Read more

Drawing Sierpinski's Triangle in Minecraft Using Python

In his keynote at PyCon, Eben Upton, the Executive Director of the Rasberry Pi Foundation, mentioned that not only has Minecraft been ported to the Rasberry Pi, but you can even control it with Python . Since four of my kids are avid Minecraft fans, I figured this might be a good time to teach them to program using Python. So I started yesterday with the goal of programming something cool for Minecraft and then showing it off at the San Francisco Python Meetup in the evening. The first problem that I faced was that I didn't have a Rasberry Pi. You can't hack Minecraft by just installing the Minecraft client. Speaking of which, I didn't have the Minecraft client installed either ;) My kids always play it on their Nexus 7s. I found an open source Minecraft server called Bukkit that "provides the means to extend the popular Minecraft multiplayer server." Then I found a plugin called RaspberryJuice that implements a subset of the Minecraft Pi modding API for B
4 comments
Read more

Creating Windows 10 Boot Media for a Lenovo Thinkpad T410 Using Only a Mac and a Linux Machine

TL;DR: Giovanni and I struggled trying to get Windows 10 installed on the Lenovo Thinkpad T410. We struggled a lot trying to create the installation media because we only had a Mac and a Linux machine to work with. Everytime we tried to boot the USB thumb drive, it just showed us a blinking cursor. At the end, we finally realized that Windows 10 wasn't supported on this laptop :-/ I've heard that it took Thomas Edison 100 tries to figure out the right material to use as a lightbulb filament. Well, I'm no Thomas Edison, but I thought it might be noteworthy to document our attempts at getting it to boot off a USB thumb drive: Download the ISO. Attempt 1: Use Etcher. Etcher says it doesn't work for Windows. Attempt 2: Use Boot Camp Assistant. It doesn't have that feature anymore. Attempt 3: Use Disk Utility on a Mac. Erase a USB thumb drive: Format: ExFAT Scheme: GUID Partition Map Mount the ISO. Copy everything from
3 comments
Read more