rubygems SSL Issue

Created on 10 Oct 2016 · 24 Comments · Source: rubygems/rubygems

I'm having a problem with my Vagrant machine.
Something is wrong with the SSL Ruby and I do not know how to solve the problem.
Can anyone please help me?

vagrant up
Bringing machine 'wwmdev' up with 'virtualbox' provider...
==> wwmdev: Importing base box 'puphpet/centos65-x64'...
==> wwmdev: Matching MAC address for NAT networking...
==> wwmdev: Checking if box 'puphpet/centos65-x64' is up to date...
==> wwmdev: A newer version of the box 'puphpet/centos65-x64' is available! You currently
==> wwmdev: have version '20151130'. The latest is version '20161004'. Run
==> wwmdev: `vagrant box update` to update.
==> wwmdev: Setting the name of the VM: vagrant_wwmdev_1476092311137_2294
==> wwmdev: Clearing any previously set network interfaces...
==> wwmdev: Preparing network interfaces based on configuration...
    wwmdev: Adapter 1: nat
    wwmdev: Adapter 2: hostonly
==> wwmdev: Forwarding ports...
    wwmdev: 22 (guest) => 9659 (host) (adapter 1)
    wwmdev: 22 (guest) => 2222 (host) (adapter 1)
==> wwmdev: Running 'pre-boot' VM customizations...
==> wwmdev: Booting VM...
==> wwmdev: Waiting for machine to boot. This may take a few minutes...
    wwmdev: SSH address: 127.0.0.1:2222
    wwmdev: SSH username: vagrant
    wwmdev: SSH auth method: private key
    wwmdev: Warning: Remote connection disconnect. Retrying...
==> wwmdev: Machine booted and ready!
==> wwmdev: Checking for guest additions in VM...
==> wwmdev: Setting hostname...
==> wwmdev: Configuring and enabling network interfaces...
==> wwmdev: Mounting shared folders...
    wwmdev: /var/www => C:/Users/jschneider/gitRepos/wwm-mysydeshop
    wwmdev: /vagrant => C:/Users/jschneider/gitRepos/wwm-mysydeshop/vagrant
    wwmdev: /var/www/userdata => C:/Users/jschneider/gitRepos/wwm-mysydeshop/userdata
    wwmdev: /tmp/vagrant-puppet/modules-6eacc5f2373d5bb3635eda7c5144a0ea => C:/Users/jschneider/gitRepos/wwm-mysydeshop/vagrant/puphpet/puppet/modules
    wwmdev: /tmp/vagrant-puppet/manifests-75f35e3bc7e32744860c4bb229c88812 => C:/Users/jschneider/gitRepos/wwm-mysydeshop/vagrant/puphpet/puppet/manifests
==> wwmdev: Running provisioner: shell...
    wwmdev: Running: inline script
==> wwmdev: Running provisioner: shell...
    wwmdev: Running: C:/Users/JSCHNE~1/AppData/Local/Temp/vagrant-shell20161010-11408-1mwz9ly.sh
==> wwmdev: 
==> wwmdev:  ____        ____  _   _ ____      _      generated using
==> wwmdev: |  _ \ _   _|  _ \| | | |  _ \ ___| |_   ___ ___  _ __ ___
==> wwmdev: | |_) | | | | |_) | |_| | |_) / _ \ __| / __/ _ \| '_ ` _ \
==> wwmdev: |  __/| |_| |  __/|  _  |  __/  __/ |_ | (_| (_) | | | | | |
==> wwmdev: |_|    \__,_|_|   |_| |_|_|   \___|\__(_)___\___/|_| |_| |_|
==> wwmdev: 
==> wwmdev: Running provisioner: shell...
    wwmdev: Running: C:/Users/JSCHNE~1/AppData/Local/Temp/vagrant-shell20161010-11408-1c0v6cj.sh
==> wwmdev: Pre-existing private key found at 'puphpet/files/dot/ssh/root_id_rsa'
==> wwmdev: Pre-existing private key found at 'puphpet/files/dot/ssh/id_rsa'
==> wwmdev: Adding generated root key to /root/.ssh/id_rsa
==> wwmdev: Adding generated root key to /root/.ssh/id_rsa.pub
==> wwmdev: Adding generated root key to /root/.ssh/authorized_keys
==> wwmdev: Adding generated key to /home/vagrant/.ssh/id_rsa
==> wwmdev: Adding generated key to /home/vagrant/.ssh/id_rsa.pub
==> wwmdev: Adding generated key to /home/vagrant/.ssh/authorized_keys
==> wwmdev: Running provisioner: shell...
    wwmdev: Running: C:/Users/JSCHNE~1/AppData/Local/Temp/vagrant-shell20161010-11408-c3ltxm.sh
==> wwmdev: Running provisioner: shell...
    wwmdev: Running: C:/Users/JSCHNE~1/AppData/Local/Temp/vagrant-shell20161010-11408-zm5gl8.sh
==> wwmdev: ERROR:  Could not find a valid gem 'deep_merge' (>= 0), here is why:
==> wwmdev:           Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=error: certificate verify failed (https://api.rubygems.org/latest_specs.4.8.gz)
==> wwmdev: ERROR:  Could not find a valid gem 'activesupport' (>= 0), here is why:
==> wwmdev:           Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=error: certificate verify failed (https://api.rubygems.org/latest_specs.4.8.gz)
==> wwmdev: ERROR:  Could not find a valid gem 'vine' (>= 0), here is why:
==> wwmdev:           Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=error: certificate verify failed (https://api.rubygems.org/latest_specs.4.8.gz)
The SSH command responded with a non-zero exit status. Vagrant
assumes that this means the command failed. The output for this command
should be in the log above. Please read the output to determine what
went wrong.

All 24 comments

I was having the same problem on ruby 2.1.5 and 2.3.0 with gem 2.6.7.

Updating open_ssl fixed the issue for me.

Also suddenly started getting this. Tried wget on https://rubygems.org and got this:

$ wget https://rubygems.org/
--2016-10-10 11:24:42--  https://rubygems.org/
Resolving rubygems.org... 151.101.128.70, 151.101.64.70, 151.101.0.70, ...
Connecting to rubygems.org|151.101.128.70|:443... connected.
ERROR: cannot verify rubygems.org's certificate, issued by 'CN=GlobalSign Organization Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE':
  Issued certificate has expired.
To connect to rubygems.org insecurely, use `--no-check-certificate'.

Try updating RubyGems, the latest version has newer certificates bundled

@segiddins updated ruby gems using rvm rubygem update functionality (https://rvm.io/rubies/rubygems) and also manually from source. Problem persists. I use RVM to manage my rubies so it may be possible something is not being updated as it should.

But then again why would terminal wget command throw a certificate error as well? That's not even ruby related.

Tried with a co-worker. His wget works fine and we're on the same network. It's something with my machine. I'm on OSX Yosemite.

I updated my openssl and that fixed wget. Ruby gems still has problem.

This is not a rubygems problem. Updating openssl is definitely the first part of the solution, but then it's a mess of reinstalling rubies and updating rubygems. The default rubygems that RVM installs don't seem to behave well.

I'm ok with closing this ticket. Unless it's helpful to keep it around for others.

Updating openssl and manually updating rubygems on all my rubies addressed the problem. Seems like the issue is related to OSX Yosemite specifically?

$ wget https://api.rubygems.org/specs.4.8.gz
--2016-10-12 14:17:48--  https://api.rubygems.org/specs.4.8.gz
Resolving api.rubygems.org... 151.101.64.70, 151.101.128.70, 151.101.192.70, ...
Connecting to api.rubygems.org|151.101.64.70|:443... connected.
ERROR: cannot verify api.rubygems.org's certificate, issued by '/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2':
  Issued certificate has expired.
To connect to api.rubygems.org insecurely, use `--no-check-certificate'.

Clearly the rubygems cert has expired, I think this needs to be urgently updated

@davidsiaw what certificate are you seeing?

$ openssl s_client -connect api.rubygems.org:443
CONNECTED(00000003)
depth=1 /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=l.ssl.fastly.net
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=l.ssl.fastly.net
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 5141 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: ACE371DBDDD974A9B3C772EF85EA302750AFE3885D5197ACA6B7AC3CAF840D20
    Session-ID-ctx: 
    Master-Key: 98A9B4C9DBD6E9D259A2D19872A9B6684D13BEF9CD10D6C077CD69F97A7FD86C5BD465183719D30D9693617DE99D6DA9
    Key-Arg   : None
    Start Time: 1476253915
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

Certificate info:

$ pbpaste | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1b:a6:8b:a7:f6:a7:5b:c7:66:63:45:ac
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
        Validity
            Not Before: Sep 27 15:39:12 2016 GMT
            Not After : Mar 13 14:04:06 2018 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=l.ssl.fastly.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            Authority Information Access: 
                CA Issuers - URI:http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt
                OCSP - URI:http://ocsp2.globalsign.com/gsorganizationvalsha2g2

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.4146.1.20
                  CPS: https://www.globalsign.com/repository/
                Policy: 2.23.140.1.2.2

            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 CRL Distribution Points: 
                URI:http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl

            X509v3 Subject Alternative Name: 
                DNS:l.ssl.fastly.net, DNS:*.1stdibscdn.com, DNS:*.aman.com, DNS:*.answersingenesis.co.uk, DNS:*.answersingenesis.org, DNS:*.api.livestream.com, DNS:*.arkencounter.com, DNS:*.attribution.report, DNS:*.bestegg.com, DNS:*.buyitdirect.co.uk, DNS:*.contentbody.com, DNS:*.creationmuseum.org, DNS:*.curations.bazaarvoice.com, DNS:*.dlsadapt.com, DNS:*.dollarshaveclub.com, DNS:*.exciteonlineservices.com, DNS:*.fastlylabs.com, DNS:*.filepicker.io, DNS:*.files.trylately.com, DNS:*.filestackapi.com, DNS:*.fod-sandbox.com, DNS:*.fod-staging.com, DNS:*.fod4.com, DNS:*.full30.com, DNS:*.fundpaas.com, DNS:*.funker530.com, DNS:*.funnyordie.com, DNS:*.gamebatte.com, DNS:*.hfa.io, DNS:*.jackthreads.com, DNS:*.knnlab.com, DNS:*.letemps.ch, DNS:*.lootcrate.com, DNS:*.mybestegg.com, DNS:*.nfl.com, DNS:*.patch.com, DNS:*.pebble.com, DNS:*.pottermore.com, DNS:*.primesport.com, DNS:*.protected-checkout.net, DNS:*.rchery.se, DNS:*.rubygems.org, DNS:*.rwlivecms.com, DNS:*.safaribooksonline.com, DNS:*.smartsparrow.com, DNS:*.spokenlayer.com, DNS:*.tac-cdn.net, DNS:*.theredpin.com, DNS:*.thrillist.com, DNS:*.totalwine.com, DNS:*.travis-ci.com, DNS:*.travis-ci.org, DNS:*.treasuredata.com, DNS:*.turner.com, DNS:*.unitedway.org, DNS:*.universe.com, DNS:*.unpkg.com, DNS:*.upbolt.com, DNS:*.upload.600horses.com, DNS:*.urx.com, DNS:*.vevo.com, DNS:*.videocreator.yahoo-net.jp, DNS:*.wholefoodsmarket.com, DNS:*.ybi.idcfcloud.net, DNS:*.yondermusic.com, DNS:a.1stdibscdn.com, DNS:afrostream.tv, DNS:api.domainr.com, DNS:api.nymag.com, DNS:app.betterimpactcdn.com, DNS:assets.fl.markavip-cdn.com, DNS:attribution.report, DNS:cdn-fastly.torproject.org, DNS:cdn.filestackcontent.com, DNS:cdn.hightailspaces.com, DNS:cdn.kevy.com, DNS:domainr.com, DNS:donorschoose.org, DNS:embed-preprod.ticketmaster.com, DNS:embed.optimizeplayer.com, DNS:embed.ticketmaster.com, DNS:fastlylabs.com, DNS:fl.eat24cdn.com, DNS:full30.com, DNS:fundpaas.com, DNS:funker530.com, DNS:getmovi.com, 
DNS:givingtuesday.givegab.com, DNS:hfa.io, DNS:i.upworthy.com, DNS:images.fl.markavip-cdn.com, DNS:jackthreads.com, DNS:knnlab.com, DNS:lootcrate.com, DNS:media.barfoot.co.nz, DNS:media.rightmove.co.uk, DNS:merryjane.com, DNS:mighty-flowers-420.merryjane.com, DNS:nextgen-assets.edmunds-media.com, DNS:noembed.com, DNS:nymag.com, DNS:*.nymag.com, DNS:patch.com, DNS:pebble.com, DNS:pixel.nymag.com, DNS:primesport.com, DNS:proquest.tech.safaribooksonline.de, DNS:rubygems.org, DNS:safaribooksonline.com, DNS:static.vesdia.com, DNS:theguardian.tv, DNS:*.theguardian.tv, DNS:thrillist.com, DNS:totalwine.com, DNS:unpkg.com, DNS:upbolt.com, DNS:urx.com, DNS:videocreator.yahoo-net.jp, DNS:welcome-dev.banksimple.com, DNS:wiki-temp.ca.com, DNS:www.blinq.com, DNS:www.bulq.com, DNS:www.cristianoronaldofragrances.com, DNS:www.freegivingtuesday.org, DNS:www.freelotto.com, DNS:www.iodine.com, DNS:www.laptopsdirect.co.uk, DNS:www.letemps.ch, DNS:www.merryjane.com, DNS:www.mighty-flowers-420.merryjane.com, DNS:www.millstreamlot46.info, DNS:www.pottermore.com, DNS:www.trainoregon.org
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                4C:71:46:43:59:E5:90:2E:D5:BD:F2:CA:C4:1E:ED:1D:09:A7:9B:F4
            X509v3 Authority Key Identifier: 
                keyid:96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C

    Signature Algorithm: sha256WithRSAEncryption

REMOVED PREVIOUS COMMENT.

Above command was giving me certificate expired again.

I removed all brew related openssl. Then installed the latest openssl from source. Now the command works fine.

I finally fixed it completely. Turns out the culprit was the pre-built binaries RVM uses. They must have outdated certificates.

Final process is:
update openssl
uninstall your rubies and re-install rubies FROM SOURCE.
if using rvm you use the --disable-binary flag.

If you can reproduce this such that you get an expired certificate can you please extract the certificate? If we know where it comes from we may be able to address this via our CDN provider

My first experience with Ruby on Windows just now was installing Ruby 2.3.1 via RubyInstaller and having gem install fail to work:

C:\Ruby23-x64>gem install rails
ERROR:  Could not find a valid gem 'rails' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

This is a _really_ bad first-time experience.

Copying https://raw.githubusercontent.com/rubygems/rubygems/master/lib/rubygems/ssl_certs/index.rubygems.org/GlobalSignRootCA.pem into C:\Ruby23-x64\lib\ruby\2.3.0\rubygems\ssl_certs solved the issue for me.

I had the same issue -- I used RVM to re-install the version of ruby that wasn't working with the --disable-binary flag and everything worked fine: rvm reinstall ruby-2.1.2 --disable-binary.

I have tried all of the solutions from all over without any fixes.

  • updating openssl (via homebrew with symlink to /usr/local/bin/openssl)
  • removing all of rvm, reinstalling with --disable-binary
  • copying the GlobalSignRootCA.pem to .rvm/rubies/ruby-2.2.3/lib/ruby/2.2.0/rubygems/ssl_certs

Anything else I can try?

@mat813 I also had issues with homebrew openssl. If you haven't already, try using homebrew to completely remove all versions of openssl (brew uninstall --force openssl), then try reinstalling.

Make sure you clear out all relevant ruby folders from rvm. rvm uninstall does leave some things behind. Look in .rvm/rubies/ and .rvm/gems/ then reinstall the ruby using --disable-binary

If that doesn't fix it, then the final step (which is what I did) is to replace the osx system openssl by compiling from source. There are some instructions here: http://mac-dev-env.patrickbougie.com/openssl/ Afterwards again, clean out rvm and reinstall. After that it should definitely work. You don't need to copy the PEM certificate.

@brukatv Genius! For whatever reason, the force uninstall and reinstall of homebrew openssl did the trick!

I also completely removed .rvm and fresh installed that. Didn't touch the PEM this time.

Hmm, the plot thickens. 15 minutes later, the issue resurfaces, and I can no longer install any gems.

EDIT: fearfully went down the building openssl manually route and appears to be working again...

DOUBLE EDIT: stopped working again! insane.

@matthewlein no idea if it's related, but it might be that it's grabbing the default openssl version of OSX, you can try adding the right paths to:

export LD_LIBRARY_PATH="$HOME/.local/lib:$LD_LIBRARY_PATH"
export LDFLAGS="-L$HOME/.local/lib $LDFLAGS"
export PKG_CONFIG_PATH="$HOME/.local/lib:$PKG_CONFIG_PATH"
export CPPFLAGS="-I/usr/local/whatever/include $CPPFLAGS"

Please note, this is not a snippet to just use; it's a snippet you have to apply, but using the correct paths. Just make sure lib points to the openssl lib so it takes precedence over the system one. CPPFLAGS might not be needed at all.

I have no idea what's going on anymore, my head is spinning from trying so many things, but I'm finally at a stable point again (also hit a ruby 2.2.3 bug maybe? 2.3.1 working now). The one thing that might help someone is that rvm seems to install openssl. I noticed Installing required packages: openssl....

So each time you want to install ruby with the --disable-binary flag, you should do brew uninstall --force openssl first to clear out the previously installed openssl. Smells like a path issue, but that's beyond me.

I followed both sets of instructions on http://guides.rubygems.org/ssl-certificate-update/ (rubygems-update and manual SSL), and reinstalled my rvm ruby with --disable-binary. Nothing helped. brew upgrade openssl said I was up to date.

It turned out Homebrew itself had fallen out of date, and stopped knowing it was out of date. I found the fix on https://github.com/Homebrew/brew/:

If Homebrew was updated on Aug 10-11th 2016 and brew update always says Already up-to-date. you need to run:

cd "$(brew --repo)" && git fetch && git reset --hard origin/master && brew update

I did this, then brew upgrade openssl, and now I can install gems again on OS X Yosemite.

This doesn't seem like a rubygems issue, I just wanted to document that this is another thing that can contribute to the same error.

No @eostrom, you have been hit by a different bug. One was the one that didn't allow brew to update itself. Fix it, update openssl, and it fixes your openssl. The other bug still exists, and it was the one where prebuilt rubies were using an old ssl version. It's still there: my openssl was up to date and I can _strictly reproduce_ the issue even now. I just need to download a prebuilt binary and it won't run, whereas recompiling makes it work properly.

Adding these lines in the install-puppet.sh has solved my problem

/opt/puppetlabs/puppet/bin/gem install deep_merge -v 1.0.1 --no-ri --no-rdoc --source http://rubygems.org/
/opt/puppetlabs/puppet/bin/gem install activesupport -v 4.2.6 --no-ri --no-rdoc --source http://rubygems.org/
/opt/puppetlabs/puppet/bin/gem install vine -v 0.2 --no-ri --no-rdoc --source http://rubygems.org/
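
The two failures quoted in this thread, "unable to get local issuer certificate" (verify error 20) and an expired certificate, come from different verification checks. As an added example (not code from any commenter or from RubyGems), this Ruby script builds a constructed root → intermediate → leaf chain and reports the verify code for each trust-store state; `gems.example.test`, `make_cert`, `build_sample_pki` and `verify_with` are names made up for the illustration.

```ruby
require "openssl"

# Build one certificate for the constructed sample PKI (not real certificates).
def make_cert(subject, key, issuer: nil, issuer_key: nil, serial:, ca:,
              not_before: Time.now - 3600, not_after: Time.now + 3600)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed chain: self-signed root, one intermediate, a valid leaf and an
# already-expired leaf for the same (hypothetical) host name.
def build_sample_pki
  root_key, int_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert("/CN=Sample Root CA", root_key, serial: 1, ca: true)
  int  = make_cert("/CN=Sample Intermediate CA", int_key,
                   issuer: root, issuer_key: root_key, serial: 2, ca: true)
  leaf = make_cert("/CN=gems.example.test", leaf_key,
                   issuer: int, issuer_key: int_key, serial: 3, ca: false)
  expired = make_cert("/CN=gems.example.test", leaf_key,
                      issuer: int, issuer_key: int_key, serial: 4, ca: false,
                      not_before: Time.now - 7200, not_after: Time.now - 3600)
  { root: root, intermediate: int, leaf: leaf, expired_leaf: expired }
end

# Verify `leaf` with only `trusted` certificates in the store; `sent` is the
# chain the server presents (untrusted until it links to a store entry).
def verify_with(trusted, leaf, sent)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, sent)
  { ok: ok, code: store.error, message: store.error_string }
end

PKI = build_sample_pki
SENT = [PKI[:intermediate]]
RESULTS = {
  stale_store:   verify_with([], PKI[:leaf], SENT),            # root missing locally
  updated_store: verify_with([PKI[:root]], PKI[:leaf], SENT),  # root added to the store
  expired_leaf:  verify_with([PKI[:root]], PKI[:expired_leaf], SENT),
}

RESULTS.each do |name, r|
  puts format("%-14s ok=%-5s code=%-2d %s", name, r[:ok], r[:code], r[:message])
end
```

Code 20 is cleared by adding the missing root to the store, which is what copying GlobalSignRootCA.pem into the ssl_certs directory does for RubyGems, and certificate verification stays enabled throughout.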
