Ruby and OpenSSL certificates
Fixing the Ruby 1.9 “certificate verify failed” error.
I recently upgraded to Mountain Lion and reinstalled Ruby 1.9.3 with RVM. Today I needed some SSL connections to interface with a payment gateway in a Rails application and this error showed up:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The OpenSSL library can’t verify the Certificate Authority (CA) the certificate from the responding server is signed against and breaks. Certificates are verified using a chain of trust. The certificate should be verified by his parent, which, in his turn should be verified by his parent until you reach a root certificate.
A lot of resources on the web seem to take the easy route: not verifying certificates with OpenSSL::SSL::VERIFY_NONE. While this works, it’s insecure. Why use SSL if you don’t intend to use its advantages? Not verifying a certificate means you simply trust the remote server is whom he claims to be, not who he really is. That might be acceptable for your personal website but not for a payment gateway. James Golick wrote a nice article explaining his fight against SSL::VERIFY_NONE.
The Certificate Authority (CA) bundle
You’ll need a CA bundle. The cURL website maintains a version of the Mozilla CA bundle in PEM format. Grab one of their certificates.
Once dowloaded you can tell Net::HTTP to use this certificate:
Or, my prefered way, you can use an environment variable and not have hardcoded paths:
Or, install it in your RVM directory: Fix OpenSSL Error on Mountain Lion (and RVM).