Verify Failed

When working on your Track app or when installing gems, you might get this Ruby SSL error:

          SSL_connect returned=ane errno=0 country=SSLv3 read server certificate B: certificate verify failed                  

This mail explains what the error is and provides some possible solutions.

This error, every bit y'all tin can see on the message, has something to do with SSL and certificates. Start, permit's discuss why you lot demand to utilize SSL. When your app connects to a third-political party API or when the gem command connects to rubygems.org, yous need to utilise the HTTPS version due east.k. https://api.example.com or https://rubygems.org.

If you don't use the HTTPS version and use the not-secure HTTP version, the data you receive can be altered by anyone on the path from the user to your server. And you wouldn't know it was altered. If you asking a precious stone from http://rubygems.org from your laptop, and say you're using public WiFi, the WiFi provider can give you a modified precious stone.

In short, you should always employ HTTPS, which is secured using an SSL certificate.

Secure Sockets Layer or SSL is the security protocol that provides secure communication between two machines. In the cases above, between the machines of your app and the 3rd-party API or betwixt your machine and the rubygems.org machine.

How does SSL work? Car 1 initiates the connection and looks at the SSL certificate of machine two. This certificate contains numbers that machine 1 volition use to encrypt their communication. This is a elementary and incomplete description of the whole process. We'll not become into details on how the encryption or the SSL handshake works.

The encrypted communication makes certain that what yous transport to the server and vice versa isn't altered. Notwithstanding, the initial connection is done in clear text since it comes earlier encrypted communication is set. So, while you're sure that communication is secure, how do y'all know you're talking to the correct server?

SSL certificates are signed by a Certificate Potency. The signature tells you that the certificates are real. The Certificate Regime are too signed for the same reason. This can go on until you attain a root certificate. This setup creates a chain of trust. Equally long as you trust the root document, you tin trust the certificate of the website yous're communicating with.

The root certificates are installed on your motorcar and there's an implied trust that the existing certificates are valid.

When automobile 1 connects to machine 2, motorcar 1 has to verify that the certificate is real. If this verification fails, you'll get the error certificate verify failed .

When verification fails, it can mean one of two things. Either your machine doesn't take the correct root certificates or you're connecting to a URL that has a problem with the certificates.

If it'due south the latter, the best (if not but) option is to ask the 3rd-political party site to fix their certificates. The solutions mentioned below are for the first scenario where the trouble is on your automobile.

Scale performance. Non price. Try Engine Grand today and enjoy our corking support and huge scaling potential for 14 days.
Deploy your app for free with Engine Yard .

The Problem

The error certificate verify failed happens when a machine can't verify the certificate of the machine it's connecting to. What does this mean in exercise?

When developing Rails applications, this can happen when

• you run gem install or bundle install . Your machine needs to connect to the gem sources like https://rubygems.org
• your app connects to a 3rd-political party API like GitHub API
• you use a gem like ActiveMerchant to connect to payment sites like PayPal

Solutions

Update CA certificates

The correct solution depends on which code connects to an HTTPS URL. The first matter you can try is to update the root certificates on your machine.

If you're using Linux, you can use your package director to update the CA certificates.

          apt-get update ca-certificates yum update ca-certificates                  

On RVM on OSX, yous tin run

          rvm osx-ssl-certs update all                  

If you don't apply RVM, you lot can extract the certificates from Apple's Keychain yourself.

          cert_file='$( openssl version -d | awk -F''' '{print $two}' )/cert.pem' mkdir -p '${cert_file%/*}' security discover-certificate -a -p /Library/Keychains/Organisation.keychain > '$cert_file' security find-document -a -p /Organisation/Library/Keychains/SystemRootCertificates.keychain >> '$cert_file'                  

For more information, check out the SSL documentation.

Update Gems

In some cases, updating the system CA certificates doesn't piece of work because some gems specify their own CA certificates. ActiveMerchant provides its ain cacert.pem at https://github.com/activemerchant/active_merchant/tree/master/lib/certs. If your errors come from ActiveMerchant, try updating the gem to the latest version.

rubygems.org in 2014 had to update their SSL certificate. RubyGems besides provides CA certificates and a newer RubyGems version had to be manually installed to get it working again. You tin read more near this upshot in the Ruby-red Gems guides here. This is unlikely to happen again but if you're having issues with RubyGems, check your system certificates showtime then the RubyGems issues.

Bad Solutions

There are other solutions to this error but are not considered best practices.

Turn off verification

You can plow off verification when using net-http. However, this isn't recommended.

          http.verify_mode = OpenSSL::SSL::VERIFY_NONE                  

Utilize http version

When you encounter the certificate verify failed error when installing gems, some suggest using http://rubygems.org as the source instead of https://rubygems.org . This is bad as you're installing gems in clear text. Turning off verification is amend than using clear text because even without verification, you're however using encrypted communication. Only make no mistake, both of these solutions aren't recommended.

Set SSL_CERT_FILE

This isn't a bad solution if y'all know what you're doing. Nonetheless, at that place are a lot of solutions out there that suggest downloading CA certificates to your machine and setting the SSL_CERT_FILE environment variable to its location.

The problem with this approach is you don't know if yous can trust the CA certificates you're downloading. In some cases, the CA certificates are even downloaded in clear text. Double trouble if you ask me.

Summary

The Ruby-red OpenSSL error certificate verify failed means your code tin can't verify that the SSL document of the website or API y'all're connecting to is the real 1. It's important to solve this issue correctly to keep your advice secure.

If you are interested on security issues, make sure to check out this Engine Yard's blog section

davalosliturmlime.blogspot.com

Source: https://www.engineyard.com/blog/ruby-ssl-error-certificate-verify-failed/

Share this post