Skip to main content

Ruby: Working Around SSL Errors on OS X

Have you ever seen the following error:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
Apparently, this is a standard problem for Ruby on OS X. The problem is that Ruby is unable to find the root certificates necessary to verify a given certificate. A typical (and very bad) workaround is to turn off certificate validation using some code that looks something like:
...verify_mode = OpenSSL::SSL::VERIFY_NONE
There's a good blog post called How to Cure Net::HTTP’s Risky Default HTTPS Behavior. It shows you how to force all certificates to be verified, but it doesn't show how to make use of the operating system's most up-to-date list of root certificates.

After reading a ton of different blog posts, this is the approach that I created for my Rails app:
# config/initializers/fix_ssl.rb
#
# Work around errors that look like:
#
# SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

require 'open-uri'
require 'net/https'

module Net
class HTTP
alias_method :original_use_ssl=, :use_ssl=

def use_ssl=(flag)
# Ubuntu
if File.exists?('/etc/ssl/certs')
self.ca_path = '/etc/ssl/certs'

# MacPorts on OS X
# You'll need to run: sudo port install curl-ca-bundle
elsif File.exists?('/opt/local/share/curl/curl-ca-bundle.crt')
self.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'
end

self.verify_mode = OpenSSL::SSL::VERIFY_PEER
self.original_use_ssl = flag
end
end
end
As the code says, you'll have to execute "sudo port install curl-ca-bundle" on OS X to install the root certificates. Unfortunately, I don't know what the brew version of that is.

Hopefully this will be fixed properly soon.

Comments

jjinux said…
See also:


http://martinottenwaelter.fr/2010/12/ruby19-and-the-ssl-error/

http://jimneath.org/2011/10/19/ruby-ssl-certificate-verify-failed.html

http://code.google.com/p/google-plus-ruby-starter/issues/detail?id=3#c6

http://www.rubyinside.com/how-to-cure-nethttps-risky-default-https-behavior-4010.html

http://stackoverflow.com/questions/5074164/google-api-ruby-client-translate-api-examples
jjinux said…
I switched to rvm and this problem went away :-/
Anonymous said…
Heroku gem 2.21.1 causes the same issue.
yakshaving said…
Weird -- I'm on RVM, and I still get this error. And I really don't want to install macports.

Any advice?
jjinux said…
rvm made the problem go away for me, so I wouldn't recommend switching to MacPorts.

Here are the versions I'm using:

$ which ruby
/Users/jjinux/.rvm/rubies/ruby-1.9.2-p290/bin/ruby

$ gem list

*** LOCAL GEMS ***

abstract (1.0.0)
actionmailer (3.0.5)
actionpack (3.0.5)
activemodel (3.0.5)
activerecord (3.0.5)
activeresource (3.0.5)
activesupport (3.0.5)
addressable (2.2.6)
archive-tar-minitar (0.5.2)
arel (2.0.10)
autoparse (0.2.3)
builder (2.1.2)
bundler (1.0.22 ruby)
capybara (1.1.2)
childprocess (0.3.1)
coderay (1.0.5)
columnize (0.3.6)
countries (0.8.1)
crack (0.3.1)
currencies (0.4.0)
diff-lcs (1.1.3)
erubis (2.6.6)
extlib (0.9.15)
factory_girl (2.5.2)
factory_girl_rails (1.6.0)
faraday (0.7.6)
ffi (1.0.11)
google-api-client (0.4.0)
httpadapter (1.0.1)
i18n (0.6.0)
json (1.6.5)
jwt (0.1.4)
launchy (2.0.5)
linecache19 (0.5.12)
mail (2.2.19)
method_source (0.7.0)
mime-types (1.17.2)
multi_json (1.0.4)
multipart-post (1.1.4)
nokogiri (1.5.0)
polyglot (0.3.3)
pry (0.9.8.2)
rack (1.2.5)
rack-mount (0.6.14)
rack-test (0.5.7)
rails (3.0.5)
railties (3.0.5)
rake (0.9.2.2, 0.9.2)
rspec (2.8.0)
rspec-core (2.8.0)
rspec-expectations (2.8.0)
rspec-mocks (2.8.0)
rspec-rails (2.8.1)
ruby-debug-base19 (0.11.25)
ruby-debug19 (0.11.6)
ruby_core_source (0.1.5)
rubyzip (0.9.6.1)
selenium-webdriver (2.19.0)
signet (0.3.2)
slop (2.4.4)
sqlite3 (1.3.5)
thor (0.14.6)
treetop (1.4.10)
tzinfo (0.3.31)
webmock (1.7.10)
will_paginate (3.0.pre)
xpath (0.1.4)

Perhaps if you use the exact same versions, things will work out better for you.
phil pirj said…
Check out this 'certified' gem. It's targeted to solve this issue.

Popular posts from this blog

Drawing Sierpinski's Triangle in Minecraft Using Python

In his keynote at PyCon, Eben Upton, the Executive Director of the Rasberry Pi Foundation, mentioned that not only has Minecraft been ported to the Rasberry Pi, but you can even control it with Python. Since four of my kids are avid Minecraft fans, I figured this might be a good time to teach them to program using Python. So I started yesterday with the goal of programming something cool for Minecraft and then showing it off at the San Francisco Python Meetup in the evening.

The first problem that I faced was that I didn't have a Rasberry Pi. You can't hack Minecraft by just installing the Minecraft client. Speaking of which, I didn't have the Minecraft client installed either ;) My kids always play it on their Nexus 7s. I found an open source Minecraft server called Bukkit that "provides the means to extend the popular Minecraft multiplayer server." Then I found a plugin called RaspberryJuice that implements a subset of the Minecraft Pi modding API for Bukkit s…

Apple: iPad and Emacs

Someone asked my boss's buddy Art Medlar if he was going to buy an iPad. He said, "I figure as soon as it runs Emacs, that will be the sign to buy." I think he was just trying to be funny, but his statement is actually fairly profound.

It's well known that submitting iPhone and iPad applications for sale on Apple's store is a huge pain--even if they're free and open source. Apple is acting as a gatekeeper for what is and isn't allowed on your device. I heard that Apple would never allow a scripting language to be installed on your iPad because it would allow end users to run code that they hadn't verified. (I don't have a reference for this, but if you do, please post it below.) Emacs is mostly written in Emacs Lisp. Per Apple's policy, I don't think it'll ever be possible to run Emacs on the iPad.

Emacs was written by Richard Stallman, and it practically defines the Free Software movement (in a manner of speaking at least). Stal…

ERNOS: Erlang Networked Operating System

I've been reading Dreaming in Code lately, and I really like it. If you're not a dreamer, you may safely skip the rest of this post ;)

In Chapter 10, "Engineers and Artists", Alan Kay, John Backus, and Jaron Lanier really got me thinking. I've also been thinking a lot about Minix 3, Erlang, and the original Lisp machine. The ideas are beginning to synthesize into something cohesive--more than just the sum of their parts.

Now, I'm sure that many of these ideas have already been envisioned within Tunes.org, LLVM, Microsoft's Singularity project, or in some other place that I haven't managed to discover or fully read, but I'm going to blog them anyway.

Rather than wax philosophical, let me just dump out some ideas:Start with Minix 3. It's a new microkernel, and it's meant for real use, unlike the original Minix. "This new OS is extremely small, with the part that runs in kernel mode under 4000 lines of executable code." I bet it&…