RVM OpenSSL certificate verify failed issue

#Programming, #Ruby

If you use RVM, you may or may not know that when you install rubies on OSX (maybe other platforms? couldn’t find the docs) it can use a pre-compiled binary. Saves you time, right? Maybe not.

TL;DR

If you use Homebrew, spend a little extra time compiling Ruby from source via RVM locally, so that the build can detect non-default locations for some dependencies.

$ rvm install 2.2.3 --disable-binary

It might save some pain later.

Why

Ran into the issue below, which arose after updating OSX roughly in this order:

  1. Update to latest OSX (El Capitan)
  2. Reinstall Homebrew to work around SIP
  3. Reinstall RVM (as per above)
  4. Happily get back to work… for a short period of time

Boom!

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

All appeared to be fine until attempting to use Ruby to connect to a remote API over HTTPS. I got a strange OpenSSL error suggesting that a certificate in the chain was dodgy and could not believe this third party would let this happen… No, they didn’t: the certificate and intermediates were fine (I verified this using a browser), so this was back to a Ruby problem.

The trust part of HTTPS requires certificate verification of not only the end host's certificate but also of intermediate certificates such as those that sign it, thereby verifying that the host is who it says it is. I could generate my own SSL certificate for google.com, but it is useless without an authority verifying this.

Your browser has a cache of these certificate authorities, and it is a fair assumption that any other SSL client implementation has a cache too. In this case, the pre-compiled Ruby binary from RVM was linked to an installation of OpenSSL that was not the version I had installed from Homebrew, and the cache directory for that installation was empty.
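To check for this condition on a given Ruby, the added example below (not part of the original post) reports which OpenSSL the interpreter was built against and whether the trust store it defaults to contains anything. The helper names `trust_store_report` and `linked_openssl_report` are made up for this example, and a single directory in `SSL_CERT_DIR` is assumed.

```ruby
require 'openssl'

# Count what OpenSSL could actually load from a CA bundle file and a CA directory.
# OpenSSL looks certificates up in a CA directory by subject-hash file name
# (e.g. "1a2b3c4d.0"), so only names of that shape are counted.
def trust_store_report(cert_file, cert_dir)
  file_certs = 0
  if cert_file && File.file?(cert_file)
    # binread avoids encoding errors on bundles that contain non-UTF-8 bytes
    file_certs = File.binread(cert_file).scan('-----BEGIN CERTIFICATE-----').size
  end

  dir_entries = 0
  if cert_dir && File.directory?(cert_dir)
    dir_entries = Dir.entries(cert_dir).count { |name| name =~ /\A\h{8}\.\d+\z/ }
  end

  { cert_file: cert_file, file_certs: file_certs,
    cert_dir: cert_dir, dir_entries: dir_entries,
    usable: file_certs > 0 || dir_entries > 0 }
end

# Report the OpenSSL this Ruby was built against and the trust store it defaults to.
# SSL_CERT_FILE / SSL_CERT_DIR, when set, override the compiled-in paths
# (assumption: SSL_CERT_DIR names one directory, not a colon-separated list).
def linked_openssl_report
  file = ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
  dir  = ENV[OpenSSL::X509::DEFAULT_CERT_DIR_ENV]  || OpenSSL::X509::DEFAULT_CERT_DIR
  trust_store_report(file, dir).merge(openssl: OpenSSL::OPENSSL_VERSION)
end

if __FILE__ == $PROGRAM_NAME
  report = linked_openssl_report
  puts "Ruby #{RUBY_VERSION} built against: #{report[:openssl]}"
  puts "CA bundle:    #{report[:cert_file]} (#{report[:file_certs]} certificates)"
  puts "CA directory: #{report[:cert_dir]} (#{report[:dir_entries]} hashed entries)"
  puts(report[:usable] ? 'Trust store looks populated.' :
                         'Trust store is empty: verification against the default paths will fail.')
end
```

Run it with the Ruby in question before and after reinstalling; if the paths point somewhere other than the OpenSSL you expect, the interpreter is linked against a different installation.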

Fix

Turn it off and turn it on again. Uninstall and then install via compiling from source, not the binary. This

$ rvm uninstall 2.2.3
$ rvm install 2.2.3 --disable-binary