277

I am trying to do the Michael Hartl tutorial. When I attempt to install rails 3.2.14 in my gemset, I get the following issue:

$ gem install rails -v 3.2.14

ERROR: Could not find a valid gem 'rails' (= 3.2.14), here is why:

Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://s3.amazonaws.com/production.s3.rubygems.org/specs.4.8.gz)

After Googling around, I found that I could use a non-SSL source for rubygems so I ran:

sudo gem sources -a http://rubygems.org

Then, when I tried to install rails again, it was successful. However, I still got the issue above but as a warning:

WARNING: Unable to pull data from 'https://rubygems.org/': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://s3.amazonaws.com/production.s3.rubygems.org/specs.4.8.gz)

How can I remove this warning/error entirely?

I am using the following:

  • rvm 1.22.15
  • ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-darwin12.3.0]
  • OSX 10.8.5
BryanH
  • 5,826
  • 3
  • 34
  • 47
tpw
  • 2,829
  • 3
  • 13
  • 8
  • It almost looks like a regression error. I noticed one of my students having the same problem today on OS X. Still working through the issue. There are other related questions (identical?) on SO from last year. – vgoff Oct 03 '13 at 03:38
  • This is a known bug in obsolete (`2.0.*`) versions of `rubygems`. Try to update to latest rubygems version: `gem update --system` and then re-run `gem install`. – Aleksei Matiushkin Oct 03 '13 at 04:12
  • If it's ok to update your ruby version, update it. This issue is fixed in newer ruby version. – Hong Feb 17 '15 at 02:31
  • After adding the http source, running `gem sources -r https://rubygems.org/` worked for me (as far as removing the warning). – BrainSlugs83 Feb 21 '15 at 01:25

26 Answers26

388

For RVM & OSX users

Make sure you use latest rvm:

rvm get stable

Then you can do two things:

  1. Update certificates:

    rvm osx-ssl-certs update all
    
  2. Update rubygems:

    rvm rubygems latest
    

For non RVM users

Find path for certificate:

cert_file=$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE')

Generate certificate:

security find-certificate -a -p /Library/Keychains/System.keychain > "$cert_file"
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> "$cert_file"

The whole code: https://github.com/wayneeseguin/rvm/blob/master/scripts/functions/osx-ssl-certs


For non OSX users

Make sure to update package ca-certificates. (on old systems it might not be available - do not use an old system which does not receive security updates any more)

Windows note

The Ruby Installer builds for windows are prepared by Luis Lavena and the path to certificates will be showing something like C:/Users/Luis/... check https://github.com/oneclick/rubyinstaller/issues/249 for more details and this answer https://stackoverflow.com/a/27298259/497756 for fix.

user2066657
  • 444
  • 1
  • 4
  • 23
mpapis
  • 52,729
  • 14
  • 121
  • 158
  • There's any other way to update the certs if you're not using RVM? – Eduardo Oct 08 '13 at 09:40
  • Running `rvm rubygems latest` resulted in an error complaining about missing checksums. However, things started working without that too... apparently you could force it with `--verify-downloads 1` if you needed to. Any ideas why that might be? It tried to retrieve version `rubygems-2.1.6` – Timo Oct 09 '13 at 07:37
  • rvm hardcodes the md5s for downloads in its code, I just added them to `head` version and will release `stable` soon. – mpapis Oct 09 '13 at 12:29
  • I also threw in a rvm get stable first. – Archit Baweja Oct 15 '13 at 18:53
  • And what of Windows users? – davemyron Jan 27 '14 at 22:52
  • for windows you can find the path that is used for certificates using `ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'` and then save certificates there ... I did not had to do this on windows so I do not know how to extract certificates from windows – mpapis Jan 28 '14 at 08:49
  • 2
    I run that on windows and get path that doesn't even exist on my computer "C:/Users/Luis/Code/openknapsack/knap-build/var/knapsack/software/x86-windows/openssl/1.0.0k/ssl/cert.pem" There is no user named Luis either. What the hell? – isimmons Jul 07 '14 at 00:33
  • Details from "https://github.com/oneclick/rubyinstaller/issues/249" solved the issue for me when using "bundle install" in Windows 8. – Maki Jan 04 '15 at 07:09
  • I had to use 'rvm get stable --auto-dotfiles' 'rvm use ruby-2.1.2' before I could use 'rvm osx-ssl-certs update all' After all of that, I still had to change my rubygems source to be non-SSL with: 'sudo gem sources -r https://rubygems.org/' and 'sudo gem sources -a http://rubygems.org/' – jungledev Jan 11 '16 at 22:45
  • For Jruby users, don't use 'rvm osx-ssl-certs update all'. With Jruby, the JDK stores the certificates in a keystore, and if the update is attempted, it replaces the keystore with a text file. My full solution and environment is here http://aptezzo.com/2016/04/23/bundler-chaos-with-ssl-on-rails-assets-org/ – jpa57 Apr 24 '16 at 03:09
  • Windows note: not found – Ali Ismayilov Oct 06 '16 at 12:52
  • 5
    Any suggestions for Mac Mojave users? Running into `permission denied: /private/etc/ssl/cert.pem` – Chandrew Jan 10 '19 at 14:31
243

Latest findings...

https://gist.github.com/luislavena/f064211759ee0f806c88

Most importantly...download https://raw.githubusercontent.com/rubygems/rubygems/master/lib/rubygems/ssl_certs/rubygems.org/AddTrustExternalCARoot-2048.pem

Figure out where to stick it

C:\>gem which rubygems
C:/Ruby21/lib/ruby/2.1.0/rubygems.rb

Then just copy the .pem file in ../2.1.0/rubygems/ssl_certs/ and go on about your business.

mark.monteiro
  • 2,609
  • 2
  • 33
  • 38
beauXjames
  • 8,222
  • 3
  • 49
  • 66
  • 8
    Make sure to save with the `.pem` extension, not `.pem.txt`! – Dan Dascalescu Dec 15 '14 at 22:18
  • 3
    What if it doesn't work? I did as your answers says, but I still get the error! 1) I got file `AddTrustExternalCARoot-2048.pem`, 2) I placed the file to `C:\Ruby193\lib\ruby\1.9.1\rubygems\ssl_certs`, 3) I run `gem install susy` and get the same error `Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed` – Green Dec 25 '14 at 12:17
  • try updating your Ruby install...this gist doesn't guarantee backwards compatibility with your version – beauXjames Dec 29 '14 at 17:05
  • 1
    Some notes about the luis lavena link you gave. You might want to install rubygems from a gem file instead of the zip files he mentions. I haven't found a command to install from an unpacked gem or zip file. Gem here - https://rubygems.org/pages/download. The command is - `gem install --local C:\Downloads\rubygems-update-2.4.5.gem` – Erran Morad Jan 10 '15 at 00:22
  • On Windows 8.1 I have used the section in the help called "Installing using update packages" and worked flawlessly. https://gist.github.com/luislavena/f064211759ee0f806c88#installing-using-update-packages-new – j4v1 Feb 26 '15 at 20:37
  • 10
    the download link is not valid anymore. For those of you who are still facing this problem, refer to Dheerendra's answer for a solution – Llama.new Oct 09 '16 at 12:32
  • 1
    https://bundler.io/v2.0/guides/rubygems_tls_ssl_troubleshooting_guide.html#updating-ca-certificates was able to download GlobalSignRootCA.pem and worked for me. Additional ref. https://bundler.io/v2.0/guides/rubygems_tls_ssl_troubleshooting_guide.html#the-solutions – Bhaveshkumar Oct 07 '20 at 12:50
184

For windows users

Goto link http://rubygems.org/pages/download

  1. Download the latest zip file (In my case 2.4.5)
  2. Unzip it
  3. run "ruby setup.rb" in unzipped folder
  4. now run gem install command
Dheerendra Kulkarni
  • 2,728
  • 1
  • 16
  • 18
55

If you want to use the non-SSL source, try removing the HTTPS source first, and then adding the HTTP one:

sudo gem sources -r https://rubygems.org
sudo gem sources -a http://rubygems.org  

UPDATE:

As mpapis states, this should be used only as a temporary workaround. There could be some security concerns if you're accessing RubyGems through the non-SSL source.

Once the workaround is not needed anymore, you should restore the SSL-source:

sudo gem sources -r http://rubygems.org
sudo gem sources -a https://rubygems.org
Eduardo
  • 2,704
  • 18
  • 17
  • not down voting as this soles this immediate problem, but it leaves your ruby with old certificates which is still bad – mpapis Oct 04 '13 at 16:44
  • 5
    FYI, I had to do `sudo gem sources -r https://rubygems.org/` and `sudo gem sources -r http://rubygems.org/`. Notice the trailing `/`. – Ross Rogers Nov 10 '13 at 17:35
  • Yeah, it is possible. I think it depends on the way the source was added in the first place. I mean, if the source was added with the trailing `/`, it also should be removed with the trailing `/`. – Eduardo Nov 12 '13 at 09:59
18

On Windows you'll have to use HTTP source to update gem then change back to using HTTPS.

gem sources -r https://rubygems.org/
gem sources -a http://rubygems.org/
gem update --system
gem sources -r http://rubygems.org/
gem sources -a https://rubygems.org/

Edit: Warning I'm not sure if this is safe. Does anyone know if ruby packages are signed? The accepted answer looks like a better solution.

kayleeFrye_onDeck
  • 6,648
  • 5
  • 69
  • 80
actual_kangaroo
  • 5,971
  • 2
  • 31
  • 45
  • Thanks for sharing; temporarily changing the https to http worked but I needed to directly change the gemfile. – Noha Kareem Oct 20 '16 at 21:45
  • 2
    In my case I needed a trailing / with the https url. – Alwyn Schoeman Feb 07 '17 at 15:33
  • 1
    As an update to this answer, it's a good idea before you start to do ```gem sources -l``` to see your sources before and after updating system. If update fails, specify a version number right after the --system. See https://rubygems.org/gems/rubygems-update/versions or ask co-worker for what ```gem -v``` reports. – Gary S. Weaver Jun 28 '19 at 14:33
11

For Windows Users (and maybe others)

Rubygems.org has a guide that not only explains how to fix this problem, but also why so many people are having it: SSL Certificate Update The reason for the problem is rubygems.org switched to a more secure SSL certificate (SHA-2 which use 256bit encryption). The rubygems command line tool bundles the reference to the correct certificate. Therefore rubygems itself can’t be updated using an older version of rubygems. Rubygems must first be updated manually.

First find out what rubygems you have:

rubygems –v

Depending on whether you have a 1.8.x, 2.0.x or 2.2.x, you will need to download an update gem, named “rubygems-update-X.Y.Z.gem”, where X.Y.Z is the version you need. Running 1.8.x: download: https://github.com/rubygems/rubygems/releases/tag/v1.8.30 Running 2.0.x: download: https://github.com/rubygems/rubygems/releases/tag/v2.0.15 Running 2.2.x: download: https://github.com/rubygems/rubygems/releases/tag/v2.2.3

Install update gem:

gem install –-local full_path_to_the_gem_file

Run update gem:

update_rubygems --no-ri --no-rdoc

Check that rubygems was updated:

rubygems –v

Uninstall update gem:

gem uninstall rubygems-update -x

At this point, you may be OK. But it is possible that you do not have the latest public key file for the new certificate. To do this:

Download the latest certificate, (currently AddTrustExternalCARoot-2048.pem) from https://rubygems.org/pages/download. All of the certs are also located at: https://github.com/rubygems/rubygems/tree/master/lib/rubygems/ssl_certs

Find out where to put it:

gem which rubygems

Put this file in the “rubygems\ssl_certs” directory at this location.

As per rubygems commit, the certificates are moved to more specific directories. Thus, currently the certificate(AddTrustExternalCARoot-2048.pem) is expected to be on the following path lib/rubygems/ssl_certs/rubygems.org/AddTrustExternalCARoot-2048.pem

John Pankowicz
  • 4,203
  • 2
  • 29
  • 47
  • 3
    https://raw.githubusercontent.com/rubygems/rubygems/master/lib/rubygems/ssl_certs/AddTrustExternalCARoot-2048.pem no longer exists – Phil O Nov 18 '16 at 13:29
9

Try to use the source website for the gems, i.e rubygems.org. Use http instead of https. This method does not involve any work such as installing certs and all that.

Example -

gem install typhoeus --source http://rubygems.org

This works, but there is one caveat though.

The gem is installed, but the documentation is not because of cert errors. Here is the error I get

Parsing documentation for typhoeus-0.7.0 WARNING: Unable to pull 
data from 'https://rubygems.org/': SSL_connect returned=1 errno=0 
state=SSLv3 read server certificate B: certificate verify failed 
(https://rubygems.org/latest_specs.4.8.gz)
Erran Morad
  • 4,563
  • 10
  • 43
  • 72
7

Running gem update --system worked for me

user3408293
  • 1,377
  • 6
  • 18
  • 26
  • 6
    This worked for me, as well, on Windows. I had to temporarily switch to classic HTTP, then update, then switch back to SSL. – Tom Mayfield Dec 03 '14 at 18:44
  • 1
    ERROR. `SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)` – Green Dec 25 '14 at 12:19
  • gem sources --remove https://rubygems.org/ gem sources -a http://rubygems.org gem update --system – Stefan Steiger Nov 24 '16 at 21:44
5

Make sure your system clock is correct

This exact error happened to me today on an Ubuntu virtual machine running on VirtualBox. I tried most of the solutions shown above before I noticed that I had resumed from a very old suspended state, and my clock was off by many days.

Updating the clock immediately fixed my issue. Here's the command I used in my case:

sudo service ntp stop && sudo ntpdate pool.ntp.org && sudo service ntp start

dbrewer
  • 676
  • 7
  • 3
4

Simply uninstalling and reinstalling openssl with homebrew solved this issue for me.

brew uninstall --force openssl

brew install openssl

ntj
  • 41
  • 3
  • 1
    With newer versions of homebrew you may need to run the command like so: `brew uninstall --ignore-dependencies openssl` (which is the equivalent of the old `force` flag) – Batkins Jan 10 '17 at 23:53
3

For Fedora users

Update the cert.pem to newest file that provide by cURL: http://curl.haxx.se/ca/cacert.pem

curl -o `ruby -ropenssl -e 'p OpenSSL::X509::DEFAULT_CERT_FILE' |tr -d \"` http://curl.haxx.se/ca/cacert.pem
ENDOH takanao
  • 939
  • 8
  • 10
3

If you are using windows, open https://rubygems.org/ with internet explorer.

Click on security information and import the certificate. The bottom line is your certification chain is outdated and you need to add this new certificate. Remember that this is not a security violation as long as you can validate the certificate as trusted.

Paulo Fidalgo
  • 21,709
  • 7
  • 99
  • 115
3

Approach/one-liner that can be automated to download gems using HTTP instead of HTTPS:

printf -- '---\n:sources:\n- http://rubygems.org\n' | tee ~/.gemrc
laimison
  • 1,409
  • 3
  • 17
  • 39
2

In my case, the Ubuntu CA certificates were out of date. I fixed it by running:

 sudo update-ca-certificates
maniek
  • 7,087
  • 2
  • 20
  • 43
2

Download the cacert.pem file from http://curl.haxx.se/ca/cacert.pem. Save this file to C:\RailsInstaller\cacert.pem.

Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:

set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem

1

The particular case of RubyGems (the command line tool) is that it requires to bundle inside of its code the trust certificates, which allow RubyGems to establish a connection with the servers even when base operating system is unable to verify the identity of them.

Up until a few months ago, this certificate was provided by one CA, but newer certificate is provided by a different one.

Because of this, existing installations of RubyGems would have to been updated before the switch of the certificate and give enough time for the change to spread (and people to update)

Anyone can find his solution by following the simple steps given in the link below

https://gist.github.com/luislavena/f064211759ee0f806c88

Mani
  • 2,391
  • 5
  • 37
  • 81
1

Try

gem update --system

Hope it solves the problem.

puneet18
  • 4,341
  • 2
  • 21
  • 27
  • 1
    `ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError) SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)` – Jonathan Jul 21 '18 at 18:41
1

For Windows, I followed https://gist.github.com/fnichol/867550. I had to manually download the "cacert.pem" file. (go to https://curl.se/docs/caextract.html.) Put it in any folder it won't be deleted from or with.

Make sure you add it to your systems Environment variables!!!

I did this (in Windows 10) via the control panel (select User Accounts) where there is an option to "Change my environment variables". Create a new variable and set the value as the path and filename!

var name    SSL_CERT_FILE

var value   C:\{your_dir}\cacert.pem

This will ensure it remains visible/useable every time you need it (i.e., every command window you open)!

dirktay
  • 55
  • 4
0

I had same problem while trying to install cucumber gem. However I noticed that bundler gem already installed with ruby 2.0. I created a Gemfile.rb in the project folder with required gems and followed this steps

  1. Navigate to project folder
  2. Type bundle install

All the required gems installed.

0

For Illumos / Solaris using OpenCSW pkgutil:

Install CSWcacertificates prior to 'gem install'

pkgutil -yi CSWcacertificates

If you're using a ruby kit that's not from OpenCSW, your ruby version may expect to find the certificate file in another place. In this case, I simply symlinked OpenCSW's /etc/opt/csw/ssl/cert.pem to the expected place.

Check where ruby expects to find it :

export cf=`ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'` && echo $cf

Then, if there's a discrepancy, link it:

ln -s /etc/opt/csw/ssl/cert.pem $cf && file $cf
Jacob
  • 1
  • 2
0

Or may be prevented by firewall like me. Try this:

sudo gem install --http-proxy http://localhost:port cocoapods -V

Victor Choy
  • 4,006
  • 28
  • 35
0

For Windows user:

After installing Ruby 2.2.3 (+ rubygems 2.5.1) successfully on a test machine with access to the internet, I had this SSL error when I installed bundler on a production machine, within the network.

As I had network access limitations, and there was no way to change the settings for SSL access, and based on the error messages, I performed the steps below to be able to finish the installation of the bundler (this may sound crazy, but it worked...).

Through a machine with unrestricted access to the internet, downloaded the following files:

I added these files on an intranet server, keeping the folder structure of the links above:

  • $INTRANET_HOME

spec.4.8.gz e latest_specs.4.8.gz

  • $INTRANET_HOME\quick\Marshal.4.8

bundler-1.11.2.gemspec.rz

  • $INTRANET_HOME\gems

bundler-1.11.2.gem

Then I added my intranet to access gem source:

gem sources -a http://mydomain.com.br

I have run with the success the "gem install bundler" after installation, all it took was remove my intranet of the gem:

gem sources -r http://mydomain.com.br

I hope that is useful in any similar situation....

Rogério Arantes
  • 712
  • 1
  • 8
  • 29
0

Make sure of that you have installed ruby with --disable-binary option, if not, uninstall it and reinstall it with the option.

more info here

Feuda
  • 2,335
  • 30
  • 28
0

As a Windows 10 user, I followed Dheerendra's answer, and it worked for me one day. The next day, I experienced the issue again, and his fix didn't work. For me, the fix was to update bundler with:

gem update bundler

I believe my version of bundler was more than a few months old.

Community
  • 1
  • 1
Alexander
  • 3,959
  • 2
  • 31
  • 58
0

The answer is no longer valid. Since I have encountered the issue with older Windows ruby right now. I'll post the answer:

When I wanted to install an activesupport gem:

gem in activesupport --version 5.1.6

ERROR:  Could not find a valid gem 'activesupport' (= 5.1.6), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B
: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

The following steps need to copy only the certificates from newer windows ruby. Take the latest ruby (or at least ruby 2.4.0) and do the following:

copy certificates from these directories (adjust to your needs):
C:\prg_sdk\rubies\Ruby-2.4\lib\ruby\2.4.0\rubygems\ssl_certs\rubygems.org
C:\prg_sdk\rubies\Ruby-2.4\lib\ruby\2.4.0\rubygems\ssl_certs\index.rubygems.org

to destination (again adjust to what you need):
C:\prg_sdk\rubies\Ruby231-p112-x64\lib\ruby\2.3.0\rubygems\ssl_certs

tukan
  • 17,050
  • 1
  • 20
  • 48
0

go to rubygems and download the latest version works for me. I'm using windows.

jacky chen
  • 46
  • 2