Connect: Ssl_Connect Returned=1 Errno=0 State=Sslv3 Read Server Certificate B: Certificate Verify Failed (Openssl::Ssl::Sslerror)

  • Home
  • Languages
  • Ruby
  • Connect: Ssl_Connect Returned=1 Errno=0 State=Sslv3 Read Server Certificate B: Certificate Verify Failed (Openssl::Ssl::Sslerror)

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

That sometimes happens if the default 'OpenSSL directory' is not set correctly with the native OpenSSL library. open-uri uses OpenSSL::X509::Store#set_default_paths in order to tell OpenSSL to look in the OpenSSL directory for the file that contains the trusted root certificates that OpenSSL trusts by default.

In your case, this lookup fails. You can make it succeed by setting an environment variable that overrides the default setting and tells OpenSSL to look in that directory instead: 

export SSL_CERT_FILE=/etc/pki/tls/cert.pem

That's the default location for the root CA bundle on my Fedora 16 64 bit, other popular locations are /etc/ssl/ca-bundle.crt etc. In your case, the OpenSSL library used by RVM is located in $rvm_path/usr, so you should look around there for a suitable candidate for the default root CA file. After the environment variable is set correctly, the call to open-uri will succeed.

To make the environment variable permanent, use the usual ways such as defining the export in .bashrc, /etc/profile or whatever fits best in your situation.

OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

if you using brew and rvm, use the following:

rvm remove 1.9.3
brew install openssl
rvm install 1.9.3 --with-openssl-dir=`brew --prefix openssl`

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed ONLY WHEN PROXYING

What is going on here is that Charles cannot provide you with a valid certificate for "https://www.ibm.com", because whatever certificate you set up Charles with (or if Charles creates its own certificate) it cannot be for the "www.ibm.com" name AND certified by a trusted certificate authority. That's why the connection fails if the client verifies the the certificate, and works if you skip verification with 

http.verify_mode = OpenSSL::SSL::VERIFY_NONE

It probably worked with the older version of ruby because "net/https" was adjusted to verify
certificates by default only recently.


Related Topics

Escaping Strings for Ruby Sqlite Insert

Ruby Readline Fails If Process Started with Arguments

Sinatra Not Persisting Session with Redirect on Chrome

How Can Multiple Trailing Slashes Can Be Removed from a Url in Ruby

How to Override a Variable in a Ruby Subclass Without Affecting The Superclass

Devise with Ruby on Rails - Force User to Change Password on First Login

Fresh Ruby Gem from Bundler - Cannot Load My Version.Rb File

String Concatenation Error

Thor Executable - Ignore Task Name

Are Rack-Based Web Servers Represent Fastcgi Protocol

Rails Parameters from Get/Post

Deleting a Specific Line in a Text File

How Do Erlang Actors Differ from Oop Objects

Where to Reopen a Class in Ror

How to Use Variable Arguments with Ruby's Optionparser

Ruby - Append Content at The End of The Existing S3 File Using Fog

How to Make Two Thor Tasks Share Options

Build Failed (Os X 10.15.1 Using Ruby-Build 20191124) When Installing Ruby-2.4.0 with Rbenv in Osx Catalina(10.15.1)


Leave a reply



Submit