We recently renewed the SSL certificate of our site, and the following occurs on Mac OS El Capitan 10.11.3:
# => "<HTML>...</HTML>"
# The site whose certificate got renewed
# => OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
brew upgrade openssl
rvm osx-ssl-certs update all
rvm install ruby-2.3.1 --disable-binary --with-openssl-dir="$(brew --prefix openssl)"
COMODO RSA Certification Authority
COMODO Certification Authority
openssl s_client -connect www.mysite.com:443
verify error:num=20:unable to get local issuer certificate
openssl s_client -connect www.mysite.com:443 -CAfile comodo.pem
cat system_root.pem comodo.pem > cert.pem
I would try to double-check the trusted certificate store if it contains the
COMODO_RSA_Certification_Authority.pem certificate. In my (Linux) setup, the site works OK but when I temporarily remove the certificate of the COMODO cert authority from the cert store, I get exactly the same error as you (while in browsers it still works as they have their own cert stores).
BTW, the same error is also recognizable using
curl as it also appears to use the same trusted cert store as ruby, so you might first ensure that the site works under curl.
In linux, the cert store is located usually in
/etc/ssl/certs whereas under OSX it should probably be
/System/Library/OpenSSL (see this article for other options).
You should see something like the following in the cert store directory:
root@apsara:/etc/ssl/certs$ ls -l | grep COMODO_RSA_Certification_Authority.pem lrwxrwxrwx 1 root root 73 úno 28 10:24 COMODO_RSA_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt lrwxrwxrwx 1 root root 38 úno 28 10:24 d4c339cb.0 -> COMODO_RSA_Certification_Authority.pem lrwxrwxrwx 1 root root 38 úno 28 10:24 d6325660.0 -> COMODO_RSA_Certification_Authority.pem
The following is a snipped of some attributes of this root CA certificate:
$ openssl x509 -in COMODO_RSA_Certification_Authority.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d Signature Algorithm: sha384WithRSAEncryption Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority Validity Not Before: Jan 19 00:00:00 2010 GMT Not After : Jan 18 23:59:59 2038 GMT Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:91:e8:54:92:d2:0a:56:b1:ac:0d:24:dd:c5:cf: ... Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4 X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: sha384WithRSAEncryption ...
More info: while looking into it, it turns out that there are actually two distinct certification chains for certs by the Comodo CA. One, the older one, is the one with the root CA listed above. The newer validation chain uses "External CA root" certificates in the chain. This forum post explains further, with specific instructions for OSX for marking those certs as trusted.