OpenSSL Trouble with Ruby 1.9.3


I had the same problem connecting to an authorization gateway. In the end I was able to connect by forcing SSLv3:

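require 'net/http'
require 'openssl'

# uri and @is_https come from the surrounding code
http = Net::HTTP.new(uri.host, uri.port)

http.use_ssl = true if @is_https
# Turns off certificate verification for this connection
http.verify_mode = OpenSSL::SSL::VERIFY_NONE if @is_https
# Forces the SSLv3 protocol
http.ssl_version = :SSLv3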
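For comparison, here is the configuration above next to one that keeps verification on, plus a small check that flags the weak settings on any Net::HTTP object. This is an added example, not part of the original answer; the helper names and the host `gateway.example` are assumptions, and `min_version` needs Ruby 2.5 or later.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

WEAK_PROTOCOLS = %i[SSLv2 SSLv3 TLSv1 TLSv1_1].freeze

# The settings from the answer above, built without opening a connection.
def legacy_client(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  http.ssl_version = :SSLv3
  http
end

# Verification stays on; a failing handshake is fixed by supplying the right
# CA bundle (ca_file) rather than by turning the check off.
def verified_client(uri, ca_file: nil)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.min_version = OpenSSL::SSL::TLS1_2_VERSION
  http.ca_file = ca_file if ca_file
  http
end

# List the TLS settings on a Net::HTTP object that a reviewer should flag.
def tls_findings(http)
  return ['TLS not enabled'] unless http.use_ssl?
  findings = []
  if http.verify_mode == OpenSSL::SSL::VERIFY_NONE
    findings << 'certificate verification disabled (VERIFY_NONE)'
  end
  if WEAK_PROTOCOLS.include?(http.ssl_version)
    findings << "protocol pinned to #{http.ssl_version}"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  uri = URI('https://gateway.example/') # constructed placeholder host
  puts "legacy:   #{tls_findings(legacy_client(uri)).inspect}"
  puts "verified: #{tls_findings(verified_client(uri)).inspect}"
end
```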

Certificate verify failed OpenSSL error when using Ruby 1.9.3

There are lots of moving parts involved in the correct answer. It depends on your OS, Ruby version, OpenSSL version, and RubyGems version. I ended up writing an article after researching it. My article explains the reasons for the error, offers steps for further diagnosis, shows several workarounds, and suggests possible solutions. This will be helpful:

OpenSSL Errors and Rails – Certificate Verify Failed

There are also links to the relevant commits and issues on GitHub.

On ruby-1.9.3 getting OpenSSL::SSL::SSLError from net-https (Mac OSX 10.6)

I just directly modify the http.rb source (L:669) for Mac OS:

def use_ssl=(flag)
  flag = flag ? true : false
  if started? and @use_ssl != flag
    raise IOError, "use_ssl value changed, but session already started"
  end
  if flag && !@ca_file # added by riceball
    @ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'
  end
  @use_ssl = flag
end

Must install first:

 port install curl-ca-bundle

Trouble with OpenSSL on RHEL 6.3 and all Ruby installers


After far too many hours of research, and learning far more about Linux than I ever cared to, I have narrowed the problem to basic peculiarities of RHEL and OpenSSL and an incorrect assumption made by Ruby (extconf.rb) during installation. The following sites gave me some good clues as to what to look at but I found nothing that put it all together like what I needed.

  • http://www.openssl.org/support/faq.html#BUILD8
  • http://wiki.openssl.org/index.php/Compilation_and_Installation#Fedora_and_Red_Hat
  • http://sachachua.com/blog/2011/04/setting-up-ruby-on-rails-on-a-redhat-enterprise-linux-rackspace-cloud-server/
  • https://web.archive.org/web/20130430124941/https://rvm.io/packages/openssl/

...and not much thanks to a whole bunch of red herrings involving Ruby patches and EC2M. Also, RVM needs to correct their optimism that they have accounted for this with autolibs and should reinstate their previous openssl page.

Basic solution rules

Rule 1

The install of OpenSSL (1.0.1e) created and maintained by yum in /usr/bin cannot be used to compile Ruby's OpenSSL extension correctly -- at least, not on my machine at this time with the latest versions of Ruby (1.9.3-p484, 2.0.0, 2.1.0). RHEL 6.3. I can only surmise that this is due to peculiarities in RedHat's compilation of OpenSSL as hinted at in the OpenSSL FAQ.

Rule 2

I found two old versions (0.9.8) of OpenSSL in /usr/local (in bin + openssl, and ssl/bin) and updating/replacing these got me a bit closer to a solution. For whatever reason, every manual install of OpenSSL 1.0.1f in /usr/local (regardless of bin, openssl, ssl directory arrangement) insisted on putting the libraries in /usr/local/lib64 instead of /usr/local/lib (unless I hacked the Makefile, of course). Ruby's extconf.rb script, however, assumes the OpenSSL libraries will always be in a lib directory. Chasing down this single annoyance (and clash with OpenSSL) was the hardest part of all this. Therefore, to make using an install of OpenSSL in /usr/local work, you must do two things: (1) install Ruby with the --with-openssl-dir switch, and (2) recompile Ruby's OpenSSL extension while also modifying the Makefile to point to lib64 instead of lib. Thus, run something like the following string of commands as root:

ruby-install ruby 1.9.3-p545 -- --with-openssl-dir=/usr/local
cd /usr/local/src/ruby-1.9.3-p545/ext/openssl
ruby extconf.rb

Edit openssl's Makefile to replace something like this:

libpath = . $(libdir) /usr/local/lib
LIBPATH = -L. -L$(libdir) -Wl,-R$(libdir) -L/usr/local/lib -Wl,-R/usr/local/lib

with something like this:

libpath = . $(libdir) /usr/local/lib64
LIBPATH = -L. -L$(libdir) -Wl,-R$(libdir) -L/usr/local/lib64 -Wl,-R/usr/local/lib64

Save, and back to the command line:

make
make install

The new Ruby install should now work with OpenSSL properly. As a quick check, I restart my sudo session and then (assuming using chruby):

chruby 1.9
ruby -ropenssl -e "puts OpenSSL::VERSION"

Rule 3

Installing OpenSSL anywhere besides /usr puts the libraries in the expected lib instead of lib64. (Don't ask me why... dunno.) This may be the more maintainable solution as it lets you avoid hacking up the Makefile. This is also the solution RVM uses when running rvm pkg install openssl. Thus, to install both OpenSSL and Ruby (in /opt), you may run commands something like these (I run as sudo bash):

Install OpenSSL:

cd /opt/local
wget http://www.openssl.org/source/openssl-1.0.1f.tar.gz
tar -xzf openssl-1.0.1f.tar.gz
cd openssl-1.0.1f
./config --prefix=/opt/local shared no-asm zlib > openssl_config.log
make > openssl_make.log
make install > openssl_install.log

(The shared switch is required for Ruby to install without error, the no-asm switch helps get rid of a Make warning but does not appear to be required, and zlib and other switches are optional.)

Optional, update openssl certs:

cd /opt/local/ssl
wget http://curl.haxx.se/ca/cacert.pem
mv cacert.pem cert.pem
cd /opt

Back to Ruby:

ruby-install ruby 1.9.3-p545 -- --with-openssl-dir=/opt/local

The new Ruby install should now work with OpenSSL properly. As a quick check, I restart my sudo session and then (assuming using chruby):

chruby 1.9
ruby -ropenssl -e "puts OpenSSL::VERSION"
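A fuller version of the quick check above, as an added example that is not part of the original answer: it reports which OpenSSL library the extension was compiled against and which one is loaded at runtime, then summarises the CA bundle Ruby will use (the cert.pem placed in the optional step). The function names are assumptions, and it needs Ruby 2.0 or later for `OPENSSL_LIBRARY_VERSION` and keyword arguments.

```ruby
require 'openssl'

# Versions and trust-store paths of the OpenSSL this Ruby is linked with.
def openssl_build_info
  {
    extension: OpenSSL::VERSION,
    compiled_against: OpenSSL::OPENSSL_VERSION,
    loaded_at_runtime: OpenSSL::OPENSSL_LIBRARY_VERSION,
    cert_file: ENV['SSL_CERT_FILE'] || OpenSSL::X509::DEFAULT_CERT_FILE,
    cert_dir: ENV['SSL_CERT_DIR'] || OpenSSL::X509::DEFAULT_CERT_DIR
  }
end

# Count the certificates in a PEM bundle and how many are expired or broken.
def bundle_summary(path, now: Time.now)
  summary = { readable: false, total: 0, expired: 0, unparsable: 0 }
  return summary unless File.file?(path) && File.readable?(path)
  summary[:readable] = true
  pems = File.read(path).scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  pems.each do |pem|
    summary[:total] += 1
    begin
      cert = OpenSSL::X509::Certificate.new(pem)
      summary[:expired] += 1 if cert.not_after < now
    rescue OpenSSL::X509::CertificateError
      summary[:unparsable] += 1
    end
  end
  summary
end

if __FILE__ == $PROGRAM_NAME
  info = openssl_build_info
  info.each { |name, value| puts "#{name}: #{value}" }
  puts "bundle: #{bundle_summary(info[:cert_file])}"
end
```

A bundle that is unreadable or has a total of 0 means verification has no trust anchors from that file, which is the usual cause of "certificate verify failed" after a custom OpenSSL install.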

troubles with RVM and OpenSSL

Try this:

rvm get head
rvm pkg remove
rvm requirements run # if brew gives you warnings about formulas to install, run "brew install" for each before moving on.

rvm reinstall [the version you need (i.e: 2.0.0)]

