OpenSSL Errors and Rails – Certificate Verify Failed

Update:11/09/2012
有同鞋求摘要如下：
遇到类似错误，在使用或调用SSL的API时候， RVM怎么用呢

引用

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B

解决方案：

$ rvm remove 1.9.3 (or whatever version of ruby you are using)
$ rvm pkg install openssl
$ rvm install 1.9.3 --with-openssl-dir=$rvm_path/usr

#If you are using rvm and Homebrew, try;

$ rvm remove 1.9.3
$ brew install openssl
$ rvm install 1.9.3 --with-openssl-dir=`brew --prefix openssl`

#You may have to link your certs directory with /etc/ssl/certs:

$ rmdir $rvm_path/usr/ssl/certs
$ ln -s /etc/ssl/certs $rvm_path/usr/ssl

还没解决问题的，继续读吧，我的问题解决了
OpenSSL Errors and Rails – Certificate Verify Failed – Gem::RemoteFetcher::FetchError


Are you getting an error “OpenSSL certificate verify failed” with Ruby?

Or an error “Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0”?

Here are suggestions.

This is a note for developers using the starter apps from the Rails Apps repository. Many others have found it helpful as well.
Error

You may have received an error message if you’ve tried to create a new Rails application.

For example, you may have entered:

$ rails new myapp

or created a new Rails application using an application template:

$ rails new myapp -m https://raw.github.com/RailsApps/rails-composer/master/composer.rb

and seen the following error message:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

or

Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B

The error is not likely to occur when simply using gem install. (Does it? Leave a comment below.)

Here is an explanation and suggested solutions.
What is Happening

When creating a new Rails application, the Ruby language interpreter uses OpenSSL to connect to https://rubygems.org/. The Gemfile installed by the rails new command specifies https://rubygems.org/ as the source for gems and requires an SSL connection.

In the case of a new application generated from an application template hosted on GitHub, the Ruby language interpreter uses OpenSSL to connect to GitHub. GitHub requires all connections to be made using SSL.

The error message indicates the connection failed because OpenSSL was unable to verify the server certificate.

Prior to 20 April 2012, the error likely resulted when the certificate file on your computer was out of date, missing, or couldn’t be found.

On 20 April 2012, Ruby 1.9.3-p194 was released incorporating RubyGems 1.8.23 which included two security fixes:

    verification of server SSL certs is required when RubyGems connects to an https server
    RubyGems no longer allows redirects from https to http servers

This is the commit to RubyGems that implemented the security fixes: Insecure connection to SSL repository. Following the release, an issue was reported for an SSL_connect failure when running ‘rails new’.

Following the release of RubyGems 1.8.23, the RubyGems team identified a problem with misconfiguration of SSL certificates on the https://rubygems.org/ server. The RubyGems team fixed the SSL certificates on 24 April 2012.

RubyGems 1.8.23 was supposed to install a .pem file containing current SSL certificates but didn’t do so, according to this isse: 1.8.23 actually does not install pem file. This commit Install the .pem files properly fixed the problem and was released on 27 April 2012 with RubyGems 1.8.24 (RubyGems changelog). The 1.8.24 release also eliminated a problematic dependency on OpenSSL for http connections.

At the current time (after 1 May 2012), if you are seeing an error when you create a new Rails application, it is likely that you need to update OpenSSL or certificate files on your computer. Users of older versions of Mac OS X and Ubuntu operating systems are likely to see these errors. Upgrading your OS will resolve the issues. Alternatively, you can update OpenSSL as described below.

Check RubyGems issues on GitHub and look for recent updates to the issue SSL_connect failure when running ‘rails new’. You may find more information on Stack Overflow, especially this discussion: Bundle install fails with SSL certificate verification error. And please read the comments below.
Diagnosis

What’s your operating system version?

$ uname -srv

You may need to upgrade if older than Mac OS X 10.7.3 (Lion) or Ubuntu 12.04 (Precise Pangolin).

Be sure you are using Ruby 1.9.3-p194 or newer:

$ ruby -v
ruby 1.9.3p194

Be sure you are using RubyGems 1.8.24 or newer:

$ gem -v
1.8.24

Update RubyGems if necessary:

$ gem update --system

Check your OpenSSL version:

$ openssl version

You should see OpenSSL 1.0.1 or newer. If not, try updating OpenSSL (see below).

A curl -I command should show that the rubygems.org file host is available and responding:

$ curl -I https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem
HTTP/1.0 200 OK
...

Try executing remote_fetcher directly to download a gem from the rubygems.org file host:

$ ruby -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")).bytesize'
Fetching: rake-0.9.2.2.gem (100%)

If you’ve updated OpenSSL or upgraded your OS, and you’re still getting the error “SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure”, run the diagnostic below and add your report to the issue SSL_connect failure when running ‘rails new’. Please supply details: OS version, Ruby version, RubyGems version, OpenSSL version, error message.

% ruby -d -rrubygems/remote_fetcher -e 'p Gem::RemoteFetcher.new.fetch_http(URI.parse("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")).bytesize'
% ruby -rrbconfig -e 'p Dir.glob(File.join(RbConfig::CONFIG["sitelibdir"], "rubygems/ssl_certs/*"))'
% ruby -rhttpclient -e 'h = HTTPClient.new; h.ssl_config.verify_callback = proc { |ok, ctx|; p ctx.current_cert; ok }; h.get("https://d2chzxaqi4y7f8.cloudfront.net/gems/rake-0.9.2.2.gem")'

You can try several workarounds to isolate the error conditions. Please don’t rely on a workaround for anything other than a temporary solution. Attempt the suggested resolutions (below) and file an issue report if they don’t work.
Workaround #1

Try changing your Gemfile to use an http connection for your gem source. Instead of source 'https://rubygems.org' use:

source 'http://rubygems.org'

This workaround is not an option if you are running rails new because the Gemfile is produced automatically from a template in the Rails library.
Workaround #2

Use the --skip-bundle when you generate a new Rails application:

rails new myapp --skip-bundle

This workaround is not an option if you are using an application template to generate a new Rails application as most application templates will run commands that require a successful bundle install.
Workaround #3

Try toggling off the requirement to verify the SSL security certificate.

Create or modify the file called .gemrc in your home path and add the line:

:ssl_verify_mode: 0

For Mac OS and Linux, “home path” means ~/.gemrc. You can also create /etc/gemrc if you prefer. For Windows XP, “home path” means C:\Documents and Settings\All Users\Application Data\gemrc. For Windows 7, C:\ProgramData\gemrc. (Suggested by Andrew Fallows in a Stack Overflow discussion).

This is only a workaround. It opens a possible security vulnerability (discussed here).

Be sure to try possible solutions suggested below. Please leave a comment if they work (or don’t).
Solutions for rvm

If you are using Wayne Seguin’s rvm, the Ruby Version Manager, there is an option to install Ruby with an OpenSSL package. You may not need to upgrade your OS. Try:

$ rvm remove 1.9.3 (or whatever version of ruby you are using)
$ rvm pkg install openssl
$ rvm install 1.9.3 --with-openssl-dir=$rvm_path/usr

If you are using rvm and Homebrew, try;

$ rvm remove 1.9.3
$ brew install openssl
$ rvm install 1.9.3 --with-openssl-dir=`brew --prefix openssl`

You may have to link your certs directory with /etc/ssl/certs:

$ rmdir $rvm_path/usr/ssl/certs
$ ln -s /etc/ssl/certs $rvm_path/usr/ssl

Doesn’t work for you? Please add to the comments below.
Solutions for Mac OS

Mac OS 10.7 (Lion) has a current version of OpenSSL and certificate files and you are not likely to see an error (please leave a comment if you do). If you can update to Mac OS X 10.7.3, please do so.

Mac OS 10.6.8 and earlier versions are likely to have outdated versions of OpenSSL or certificate files.

Try updating your OpenSSL library using MacPorts. You’ll need to install MacPorts first.

$ sudo port sync; sudo port selfupdate; sudo port install openssl
...
$ openssl version
OpenSSL 1.0.1a 19 Apr 2012

If you don’t want to install MacPorts, you can compile OpenSSL from source:

curl -L -O http://www.openssl.org/source/openssl-1.0.1b.tar.gz.asc
curl -L -O http://www.openssl.org/source/openssl-1.0.1b.tar.gz
gpg --verify openssl-1.0.1b.tar.gz.asc
tar xvzf openssl-1.0.1b.tar.gz
cd openssl-1.0.1b
perl ./Configure shared zlib --prefix=/opt/local darwin64-x86_64-cc
make
make test
sudo make install

Alternatively, some developers have suggested to download an updated certificate file. This assumes you are using MacPorts and have a directory /opt/local/etc/openssl:

$ cd /opt/local/etc/openssl
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
$ sudo mv cacert.pem cert.pem

If you find that the problem is not resolved by updating OpenSSL, please leave a comment below.

Doesn’t work for you? Please add to the comments below.
Solution for Windows

Fletcher Nichol shows how to download a cacert.pem file and set an environment variable to install the certificate authorities needed by the OpenSSL library.

You can also try hacking the open-uri source: How to Use an Application Template from Github when You’re Developing in Rails on Windows

Any advice to offer? Please add to the comments below.
Solution for Ubuntu

Ubuntu’s custom build of OpenSSL failed with the SSL server configuration used for the Cloudfront service (Amazon Web Services) used for RubyGems file hosting.

For Ubuntu 12.04, the openssl 1.0.1-4ubuntu5 package fixes the problem. The problem should be resolved when you install the update.

Newer versions of Ubuntu should not have the problem.

Any advice to offer? Please add to the comments below.