Rubygems: SSL certificate verify failure

Created on 22 Oct 2016 · 41 Comments · Source: rubygems/rubygems

I'm trying to install jekyll using gem but every time I do it I get this error:

ERROR:  Could not find a valid gem 'jekyll' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz).

I typed in $ gem install jekyll

When I type ruby -ropenssl -e 'p OpenSSL::OPENSSL_VERSION' it returns
"OpenSSL 1.0.1l 15 Jan 2015"

When I type openssl s_client -showcerts -connect rubygems.org:https it returns:

openssl : The term 'openssl' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
and try again.
At line:1 char:1
+ openssl s_client -showcerts -connect rubygems.org:https
+ ~~~~~~~
    + CategoryInfo          : ObjectNotFound: (openssl:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

I will abide by the [code of conduct]
Hopefully you guys can help thanks

All 41 comments

Same here

Hi! It looks like you're running into the issue discussed in http://guides.rubygems.org/ssl-certificate-update/.

Can you follow the steps mentioned at that link and see if that fixes it? Let me know if you need any help!

Having the same problem.
Just updated rubygems to 2.6.7 but without any luck.
Still getting the error: Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=error: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

I had the same error,
copying the new cert as described here: http://guides.rubygems.org/ssl-certificate-update#manual-solution-to-ssl-issue solved it 4 me

@Levitas already did that, but still no luck.

The solution described in http://guides.rubygems.org/ssl-certificate-update#manual-solution-to-ssl-issue is not working for me.

I have run the update script and also I have added the _GlobalSignRootCA.pem_ file to all my folders under _ssl_certs_ folder:

$ find /Users/fguillen/.rbenv/versions/2.0.0-p247/lib/ruby/site_ruby/2.0.0/ -name "*.pem"
/Users/fguillen/.rbenv/versions/2.0.0-p247/lib/ruby/site_ruby/2.0.0//rubygems/ssl_certs/GlobalSignRootCA.pem
/Users/fguillen/.rbenv/versions/2.0.0-p247/lib/ruby/site_ruby/2.0.0//rubygems/ssl_certs/index.rubygems.org/GlobalSignRootCA.pem
/Users/fguillen/.rbenv/versions/2.0.0-p247/lib/ruby/site_ruby/2.0.0//rubygems/ssl_certs/rubygems.global.ssl.fastly.net/DigiCertHighAssuranceEVRootCA.pem
/Users/fguillen/.rbenv/versions/2.0.0-p247/lib/ruby/site_ruby/2.0.0//rubygems/ssl_certs/rubygems.global.ssl.fastly.net/GlobalSignRootCA.pem
/Users/fguillen/.rbenv/versions/2.0.0-p247/lib/ruby/site_ruby/2.0.0//rubygems/ssl_certs/rubygems.org/AddTrustExternalCARoot.pem
/Users/fguillen/.rbenv/versions/2.0.0-p247/lib/ruby/site_ruby/2.0.0//rubygems/ssl_certs/rubygems.org/GlobalSignRootCA.pem

And still the error is there.

For more info:

$ gem -v
2.6.7
$ ruby -v
ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-darwin13.0.0]
$ rbenv -v
rbenv 1.0.0-21-g9fdce5d
$ bundle -v
Bundler version 1.12.5

And:

$ openssl s_client -showcerts -connect rubygems.org:https
CONNECTED(00000003)
depth=1 /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=l.ssl.fastly.net
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=l.ssl.fastly.net
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 5141 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 4C93CC0B996A8CB18F77CAADFDF8EA0A0EB326E96200C7445E83113D169626A7
    Session-ID-ctx: 
    Master-Key: C9C8C994735387415086B2809DB4DF272E0359AC7FE2F7BD378E5DEB323CBEB53058D85F4F9FAC6471BCA344F7E2BE07
    Key-Arg   : None
    Start Time: 1477492650
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Getting the exact same issue, even after following the steps in the manual, the update script, and adding the .pem file.

I'll see if I can get someone more knowledgeable with this kind of thing to take a look. Sorry y'all are having trouble!

I've encountered this on two separate systems in the last two days. I have no idea how I solved it the first time, because I hadn't found this thread yet. I know it was painful. But tonight, the manual solution @Levitas linked to did the trick: http://guides.rubygems.org/ssl-certificate-update/#manual-solution-to-ssl-issue

I don't want to take over the thread but I'm in the same boat as @fguillen. I just installed Ruby 2.3.1 and Rubygems 2.6.7. When I tried to install a gem I had the SSL certificate verify failure. I also went through the manual steps but I still have the SSL certificate verify problem.

I noticed fguillen is using rbenv. I'm using RVM 1.27.0 on OSX 10.10.5. If I can do anything to help diagnose this I'm willing to help.

I'm using RVM and was having similar issues. Followed the steps here: http://guides.rubygems.org/ssl-certificate-update/#manual-solution-to-ssl-issue and it didn't help.

Then I tried the instructions here http://railsapps.github.io/openssl-certificate-verify-failed.html for using rvm to update certificates, and that resolved my issue (rvm osx-ssl-certs status all to see your current status and then rvm osx-ssl-certs update all to update).

Okay, so it looks like in some cases this has to do with using various Ruby version managers. Thanks for the information, @jbwhite.

Can anyone who's still having this issue and is using RVM please try running rvm osx-ssl-certs update all and let me know if that fixes it?

If you're still having this problem, and _aren't_ using RVM, please let me know if you are using a version manager (rbenv, chruby, etc) and, if so, which one it is.

Thanks!

I’m using RVM on OSX and for Sierra and El Capitan, the rvm osx-ssl-certs update all worked.

In Yosemite however, it does not resolve the issue:

[519]% rvm osx-ssl-certs update all
Updating certificates for /usr/local/etc/openssl/cert.pem: Already up to date.
Updating certificates for /etc/openssl/cert.pem: Already up to date.

[520]% gem install jira
ERROR: Could not find a valid gem 'jira' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

That is with the latest (1.27.0) rvm running on Yosemite OSX 10.10.5

Hmm, okay. Thank you!

@duckinator, I use the rvm osx-ssl-certs update all command fairly frequently, although I do not use the cron task to do it automatically. I had already used that command before throwing my "me too" into the thread. That does not seem to have helped me.

I do have a Linux test server that also uses RVM and I am not having the problem on that server. I do have a mac running El Capitan and will check to see if it has the same problem.

I have also noticed that bundler does seem to work correctly despite the problems I'm experiencing with the SSL certificate verification.

Had this issue with PowerRuby (Ruby for IBM i) and the manual install didn't fix it. Upgrading rubygems fixed it. Here's what I did:

mkdir -p /ruby/gemsets/rubygems
export GEM_HOME=/ruby/gemsets/rubygems
cd ~/
curl --insecure -O https://rubygems.org/downloads/rubygems-update-2.6.7.gem
gem install --local ./rubygems-update-2.6.7.gem
/ruby/gemsets/rubygems/bin/update_rubygems --no-ri --no-rdoc

RubyGems 2.6.8 is the latest and has improved SSL error messages.

I was following the directions here. I don't see a "fork" option on the site for me to update the guide. Is that something somebody on the core team could do if it's recommended to use 2.6.8?

Here's what 2.6.8 is now telling me:
ERROR: SSL verification error at depth 2: certificate has expired (10)
ERROR: Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR: SSL verification error at depth 2: certificate has expired (10)
ERROR: Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR: SSL verification error at depth 2: certificate has expired (10)
ERROR: Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR: Could not find a valid gem 'rails' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=error: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)
ERROR: SSL verification error at depth 2: certificate has expired (10)
ERROR: Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z

@ryanpool you have the expired GlobalSign Certificate somewhere in your CA certificate list. You need to remove it.

I'm not sure who is still shipping that certificate since it was regenerated with the one that ships with RubyGems nine years ago.

@ryanpool also, if you could figure out where you downloaded this CA bundle from we can file an issue to get it removed.

@drbrain I have a potential fix. I've been using homebrew as my package manager for some time. I had several older versions of openssl installed with homebrew. Here are the exact steps I followed that seems to have fixed this for me.

  1. rvm implode
  2. brew uninstall openssl --force
  3. reinstall rvm
  4. install ruby 2.3.1 (at this point RVM reinstalled openssl 1.0.2j via homebrew)
  5. Gems now install successfully.

The only thing I can figure is that RVM was using a CA bundle from a much older openssl version that I should have removed long ago.

Edited to add: if you have multiple versions of openssl like I did you must use --force to remove them all.

@ryanpool's fix worked for me. Before that, I tried running rvm osx-ssl-certs update all as suggested, updating openssl from 0.9.8 to 1.0.2j, and updating OSX from 10.10.5 to 10.12.1, none of which seemed to make a difference.

Thanks for the updates @ryanpool and @chrisjstott!

I haven't worked with OS X, so I don't know how safe it is to just force-uninstall all old versions of openssl.

Can someone who knows OS X better tell me if there's a risk there of something relying on one of the removed versions?

If not, would there be any other reason to avoid adding that information to the guide?

I've managed to solve the problem on my OS X 10.10.5.

I followed this post: https://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html
and updated rubygems to 2.6.8 (https://rubygems.org/downloads/rubygems-update-2.6.8.gem).
(Before that there was a conflict with node-openssl because I didn't install it through homebrew, but I'm not sure if it was part of the reason too.)

So basically you need to (re)install RVM without ruby:
\curl -sSL https://get.rvm.io | bash -s stable
and then install ruby without binaries:
rvm install 2.2.3 --disable-binary (2.2.3 in my case)

@ryanpool's fix worked for me as well on 10.10.5 - thanks for this thread!

I had the same symptoms and it turns out @paulgeisler answer was instrumental in realizing (through this post and mislav's awesome ssl-tools) that I had a binary ruby linked against wrong things on my system (thanks!).

IMHO it would be great if the help page here: http://guides.rubygems.org/ssl-certificate-update/ highlights this possibility, because it may be a widespread issue for RVM users on OSX. Let me know if I can help in achieving that.

Hi all.
I had the same issue a couple of weeks ago with gem installation.
I use rvm 1.27.0, Homebrew 1.1.1, OSX 10.10.5.
Here is the solution:

  • Run ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE' for your current ruby.
    If your output is /etc/openssl/cert.pem then your ruby uses this version of openssl, which contains old certs (you can also check the openssl version via
    ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION').
  • Install / update your openssl via brew: brew install openssl. It is put under /usr/local/etc/openssl.
  • Install ruby via rvm and specify the new openssl directory:
    rvm reinstall 2.2.2 --with-openssl-dir=/usr/local/etc/openssl
    This should help...

I don't know how to unlink the previous version of openssl. I would appreciate some help on this.
Thank you guys.

I had a similar issue today, and the problem in my case seems to be with rvm installation process interacting with macports. On macports, the default setup for the openssl cert file is that it comes from the package curl-ca-bundle; openssl's cert.pem is a symlink to a file in the macports curl installation. rvm install apparently overwrites the openssl cert.pem file and therefore the target of this link with something that is out of date (asking for root password to do it even), leading to the following error with rubygems 2.6.8 (seen when manually installed):

ERROR:  SSL verification error at depth 2: certificate has expired (10)
ERROR:  Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
    SSL_connect returned=1 errno=0 state=error: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

After running sudo port uninstall curl-ca-bundle and sudo port install curl-ca-bundle in succession gem install now works again. This fix works before the manual upgrade of rubygems as well, so installing ruby from rvm, running the above two port commands, and then doing gem update --install works to getting current rubygems. After this fix on a clean rvm ruby install I can replicate the above ssl error by doing sudo port uninstall curl-ca-bundle and then rvm osx-ssl-certs update all.

Two side-notes that complicated debugging:

  • The official docs for dealing with SSL errors reference rubygems 2.6.7, not 2.6.8 (http://guides.rubygems.org/ssl-certificate-update).
  • The instructions for manually installing a certificate at the above link had no impact on any version of anything I tried it on, with or without the macports cert package, with any version of rubygems.

(I put this in probably what is the wrong issue first, sorry.)

@ryanpool The method worked after I tried all of the other solutions.

Suggested solutions including updating certs, various brew commands, osx's ca bundle update, and many other solutions did not work for me. (I do not use macports, but I would've definitely given @rawlins' solution a chance if I could).

Imploding RVM was my last resort (I was afraid of dependency issues with having to reinstall various obscure gems). But it all worked; not only is everything working, it also cleared out a few gb of (precious undersized mac) SSD space.

@updatus I couldn't touch brew's ssl installation, since that was somehow linked against my anaconda installation... Though I suspect that it would also work.

This is all teaching me to be better about package management.

@jbbarth if you could either write a comment here summarizing the solutions, or add it to the guide yourself (more info below), that'd be fantastic. I haven't used OS X in like a decade, so I'm having trouble understanding the solutions mentioned here and how they work.

The guide is at: http://guides.rubygems.org/ssl-certificate-update/
The guides repo is: https://github.com/rubygems/guides
The specific file for the ssl cert update guide is: https://github.com/rubygems/guides/blob/gh-pages/ssl-certificate-update.md

I can proofread it and such, if necessary, afterwards.

(sorry about the month-late response.)

None of the above worked for me.
What I found was the following:

( short version )

  • For some reason in the dim dark past I created an env variable, SSL_CERT_FILE, set to /usr/local/etc/openssl/certs/cert.pem. This was probably for tls issues with Homebrew.
  • The fix options for this rubygems tls failure were to either unset this var, or append the updated GlobalSign .pems to the end of this cert.pem file.

( long version )

The result?
Disappointment.
:(

So it was clear that the certs in the rbenv path were being ignored.
I then checked the macOS keychain and the GlobalSign certs were all there.
Some orthogonal discussions on this referenced updating the curl-ca-bundle. This is what led me to investigating the Homebrew certs path.

TBC, appending the sha256 R3 mentioned above still does not fix the rubygems issue. Rubygems connection only succeeded after appending the sha1 R1 pem to the homebrew cert.pem.

FWIW my platform is:

  • macOS Sierra 10.12.3(beta)
  • rbenv ( 1.1.0 ) for ruby mgt

    • ruby 2.3.1 for shell and global

Now I can get back to playing with test-kitchen / kitchen-ansible, etc...
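The two diagnoses above (an expired GlobalSign root sitting in the CA bundle, and SSL_CERT_FILE silently redirecting which bundle is read) can be checked with the script below. It is an added example, not code from the thread or from RubyGems; the `constructed_cert` helper and its sample subjects are constructed for illustration, with the expiry date taken from the error messages quoted above.

```ruby
require "openssl"
require "time"

# One PEM certificate block, including its trailing newline.
PEM_BLOCK = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?/m

# Report where this Ruby's OpenSSL takes its trust anchors from.
# SSL_CERT_FILE, when set, overrides the compiled-in default file.
def trust_sources(env = ENV)
  env_file = env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] # "SSL_CERT_FILE"
  {
    default_file:   OpenSSL::X509::DEFAULT_CERT_FILE,
    default_dir:    OpenSSL::X509::DEFAULT_CERT_DIR,
    env_file:       env_file,
    effective_file: env_file || OpenSSL::X509::DEFAULT_CERT_FILE,
  }
end

# Parse every certificate in a bundle into [certificate, original_pem] pairs.
# Blocks that do not parse are skipped.
def parse_bundle(pem_text)
  pem_text.scan(PEM_BLOCK).map do |pem|
    begin
      [OpenSSL::X509::Certificate.new(pem), pem]
    rescue OpenSSL::X509::CertificateError
      nil
    end
  end.compact
end

# Certificates whose notAfter lies before `now`.
def expired_certs(pem_text, now = Time.now)
  parse_bundle(pem_text).select { |cert, _| cert.not_after < now }.map do |cert, _|
    { subject: cert.subject.to_s, not_after: cert.not_after.utc }
  end
end

# The same bundle with the expired entries dropped (returned, not written).
def bundle_without_expired(pem_text, now = Time.now)
  parse_bundle(pem_text).reject { |cert, _| cert.not_after < now }
                        .map { |_, pem| pem }.join
end

# Constructed sample input: a throwaway self-signed certificate.
def constructed_cert(common_name, not_before, not_after)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer =
    OpenSSL::X509::Name.parse("/O=Constructed Example/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after  = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  src = trust_sources
  puts "compiled-in CA file: #{src[:default_file]}"
  puts "compiled-in CA dir:  #{src[:default_dir]}"
  puts "SSL_CERT_FILE:       #{src[:env_file] || '(unset)'}"

  # Scan the bundle this Ruby will actually read.
  path = src[:effective_file]
  if File.file?(path) && File.readable?(path)
    expired_certs(File.binread(path)).each do |c|
      puts "EXPIRED in #{path}: #{c[:subject]} (#{c[:not_after].iso8601})"
    end
  else
    puts "no readable CA file at #{path}"
  end

  # Constructed bundle: one root that expired on the date from the thread's
  # error output, one that is still valid.
  sample = constructed_cert("Expired Root", Time.utc(1999, 1, 1), Time.utc(2014, 1, 28, 12)) +
           constructed_cert("Current Root", Time.utc(2010, 1, 1), Time.utc(2028, 1, 28, 12))
  expired_certs(sample).each do |c|
    puts "sample: #{c[:subject]} expired at #{c[:not_after].iso8601}"
  end
end
```

Run it with the same ruby binary that runs gem, since each version-manager build can be linked against a different OpenSSL and therefore a different default bundle.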

Just tried setting up Jekyll and ran into this issue. Followed the steps for manually installing/updating Ruby Gems, followed the steps to upgrade Homebrew OpenSSL, still no luck.

ERROR: SSL verification error at depth 2: certificate has expired (10)
ERROR: Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR: SSL verification error at depth 2: certificate has expired (10)
ERROR: Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR: SSL verification error at depth 2: certificate has expired (10)
ERROR: Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR: Could not find a valid gem 'jekyll' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)
ERROR: SSL verification error at depth 2: certificate has expired (10)
ERROR: Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR: SSL verification error at depth 2: certificate has expired (10)
ERROR: Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR: SSL verification error at depth 2: certificate has expired (10)
ERROR: Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR: SSL verification error at depth 2: certificate has expired (10)
ERROR: Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR: Could not find a valid gem 'bundler' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)
ERROR: SSL verification error at depth 2: certificate has expired (10)
ERROR: Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z

Just encountered this issue on a macos 10.10 machine I'm currently working on, not a usual mac user so I'm very confused.

ERROR:  SSL verification error at depth 2: certificate has expired (10)
ERROR:  Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR:  SSL verification error at depth 2: certificate has expired (10)
ERROR:  Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR:  SSL verification error at depth 2: certificate has expired (10)
ERROR:  Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR:  Could not find a valid gem 'bundler' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=error: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)
ERROR:  SSL verification error at depth 2: certificate has expired (10)
ERROR:  Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z

Thanks so much to everyone for sharing your experiences. I've tried the guide, I've tried @paulgeisler's solution and many more I've found. No luck. Still getting this error: ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError)
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz). Using rvm 1.28.0 and ruby 2.2.1. Certs already updated. Hopefully we can all compare notes and come up with a 2017-ish way to deal with this issue.

Having this problem inside mhart/alpine-node:5.6.0 docker container

I finally found a straightforward fix that may apply to others regarding the error:

ERROR: SSL verification error at depth 2: certificate has expired (10)
ERROR: Certificate /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA expired at 2014-01-28T12:00:00Z
ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError)
SSL_connect returned=1 errno=0 state=error: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

I'm on a mac, and had installed a few ruby versions using rvm. My fix was to
1) run "rvm uninstall" on each version of ruby shown in the output of "rvm list"
2) rm -rf ~/.rubies
3) rvm install 2.2.2

Then I never saw this error again when installing gems.

thanks @ryanpool!!

rvm osx-ssl-certs update all

Worked for me.

So, I resolved this problem with simple line:
export SSL_CERT_FILE=/usr/local/etc/openssl/cert.pem

I'm closing this, if anyone is having issues relating to SSL please open a new issue with the details of your problem.
