0

I'm attempting to save something to my DB but the default flow requires a successful call to geocode lat/lng before saving, which is when this error is thrown.

The error I get is:

```
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
```

I googled it and found what seemed to be a similar issue with RubyGems. I followed the instructions to manually change the ssl by downloading a new one and copying it into the ssl_certs directory to no avail.

My environment:

OpenSSL 0.9.8zh 14 Jan 2016
RVM 1.29.1
Ruby 2.2.2p95
Rails 4.2.7
jww
Mike Fleming
  • Also see [Homebrew refusing to link OpenSSL](http://stackoverflow.com/q/38670295), [Update OpenSSL on OS X with Homebrew](http://stackoverflow.com/q/15185661), [How to install latest version of openssl Mac OS X El Capitan](http://stackoverflow.com/q/35129977), [How to upgrade OpenSSL in OS X?](http://apple.stackexchange.com/q/126830), [Openssl installation using HomeBrew fails](http://superuser.com/q/486389), etc. – jww Mar 15 '17 at 21:42
  • @jww I've tried what most of them recommend, but can't seem to get past attempting to link openssl. Did I miss something? – Mike Fleming Mar 15 '17 at 22:04
  • Please post the URL you are using to connect to the server, and post the output of `openssl s_client -connect : -tls1 -servername | openssl x509 -text -noout`. Do so by adding it to your question by clicking *Edit* (and don't post it as a comment). Otherwise, we can't reproduce it and there's not enough information to help troubleshoot it. – jww Mar 16 '17 at 11:23
  • I don't know how you created your certificate, but ***`CN=example.com`*** is probably wrong. Hostnames always go in the *SAN*. If it's present in the *CN*, then it must be present in the *SAN* too (you have to list it twice in this case). For more rules and reasons, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) – jww Mar 16 '17 at 11:24

2 Answers

0

Try running

```
gem update --system
```

Also make sure your openssl is linked

```
brew link openssl
```
David Gross
  • That last command generates the following error: `Warning: Refusing to link: openssl Linking keg-only openssl means you may end up linking against the insecure, deprecated system OpenSSL while using the headers from Homebrew's openssl. Instead, pass the full include/library paths to your compiler e.g.: -I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib` Which I can't seem to get past. – Mike Fleming Mar 15 '17 at 21:55
0

I was able to resolve my issue with what I consider to be a bit of a hack, but it may work for you. I just disabled SSL verification in the controller that throws the error with the following line of code:

```ruby
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
```

From what I can tell, there's an issue with what certs Ruby and RVM use and it differs between versions. Every fix I tried involved downloading new certs and manually placing them in the Ruby or OpenSSL directories but that didn't work. Here are some of the resources I consulted during this adventure:

Mike Fleming
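An added example, not part of either answer above: after the constant is reassigned, every later reference to `OpenSSL::SSL::VERIFY_PEER` in the process resolves to `VERIFY_NONE`. The sketch below keeps verification on and scopes the trust decision to one client, showing that "certificate verify failed" goes away once the issuing CA is in that client's store. The CA, the leaf certificate and the host `geocoder.example` are constructed for the demonstration, and the helper names are hypothetical.

```ruby
require 'openssl'
require 'net/http'

# Build a certificate for a constructed, throwaway test PKI (no issuer given = self-signed CA).
def make_cert(cn, key, serial, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = (issuer || cert).subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}")) if issuer
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# True only if the leaf chains to one of the given trust anchors.
def chain_trusted?(leaf, anchors)
  store = OpenSSL::X509::Store.new
  anchors.each { |ca| store.add_cert(ca) }
  store.verify(leaf)
end

# Per-client trust: system roots plus extra anchors, with peer verification left on.
def verified_client(host, extra_anchors)
  store = OpenSSL::X509::Store.new
  store.set_default_paths # honours SSL_CERT_FILE / SSL_CERT_DIR
  extra_anchors.each { |ca| store.add_cert(ca) }
  http = Net::HTTP.new(host, 443) # no connection is opened here
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http
end

# Constructed sample data; geocoder.example is a hypothetical host.
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('Constructed Test CA', CA_KEY, 1)
LEAF_CERT = make_cert('geocoder.example', OpenSSL::PKey::RSA.new(2048), 2, issuer: CA_CERT, issuer_key: CA_KEY)

puts "default CA file: #{OpenSSL::X509::DEFAULT_CERT_FILE}"
puts "empty store: #{chain_trusted?(LEAF_CERT, [])}, CA added: #{chain_trusted?(LEAF_CERT, [CA_CERT])}"
```

In a real application the extra anchor would be loaded from a PEM file with `OpenSSL::X509::Certificate.new(File.read(path))`, or the whole bundle set through `http.ca_file`.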