albe albe - 1 month ago 7
Ruby Question

Cannot install any ruby gems on Mac OS - SSL_connect error

My environment is Mac OS 10.10.5, ruby version 2.2.4 (or 2.2.2 or 2.2.0) gem (after upgrade) is 2.6.7, rvm version 1.27.0.

This has several duplicates even in the last few days but this is more information than I can put in a comment.

When installing any gems on any version of ruby I get the following:

$ gem install bundler
ERROR: Could not find a valid gem 'bundler' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)


There is a lot of information about this available, especially for problems on Windows. See http://guides.rubygems.org/ssl-certificate-update/ for the proposed solution. I follow this but I continue to get the same error.

The problem seems to be in getting the file GlobalSignRootCA.pem in the appropriate place which is not entirely clear. The above link explains how to find the appropriate ssl_certs directory, of which there are 2 in my system, but neither work.

I forget where I learned the following:

$ ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_DIR'
/etc/openssl/certs
$ ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'
/etc/openssl/cert.pem


which might have given a hint but appending the .pem file to the latter or copying to the former have no effect.

When I re-install openssl (homebrew), it helpfully tells me:

A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
/usr/local/etc/openssl/certs

and run
/usr/local/opt/openssl/bin/c_rehash


but this also does not solve the problem.

From another SO question:

rvm osx-ssl-certs update all


doesn't work. Nor does:

security find-certificate -a -p /Library/Keychains/System.keychain > "$cert_file"
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> "$cert_file"


Does anyone know how to get a sense of what rubygems expects here? Where does it want this file or is this even the file it wants? Should I import the .pem file into the OSX keychain? How does one do that?

Or is there a way to get the gem file and install it locally? rubygems does this helpfully for rubygems itself but not for the individual gems from what I can tell.

-- workaround

Okay - the answer to the question of where to get the gem: go to
https://rubygems.org/gems/[package name]
and select a version and go to download - currently under links on the right hand side. Download the file and
gem install --local [downloaded gem file]
. Plus all the dependencies.

To automate:

# start by adding insecure source for --explain - thanks to @tnum
gem source -a http://rubygems.org/
while read x
do
wget https://rubygems.org/downloads/$x.gem
gem install --local $x.gem
rm $x.gem
done < <(gem install --explain [package name] | grep "^ ")
# remove insecure source
gem source -r http://rubygems.org/


Some of the lack of security could be mitigated by a better grep regex but it is still insecure. Note that
wget https://
works so the ssl problem is definitely with rubygems.

Answer

I had the same issue and used the following 'work around'- cd into your rails app directory and run the following

gem source -a http://rubygems.org/ 

This will use the insecure http connection rather than the secure https when you run the 'gem install...' command. It's not ideal but it is a short term work around.

You may also need to change the source line in your gemfile from

source 'https://rubygems.org'

to

source 'http://rubygems.org'