SSL 安装 rubygems 时出错，无法从“https://rubygems.org/”提取数据

Question

I am trying to do the Michael Hartl tutorial. When I attempt to install rails 3.2.14 in my gemset, I get the following issue:

$ gem install rails -v 3.2.14

ERROR: Could not find a valid gem 'rails' (= 3.2.14), here is why:

Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed ( https://s3.amazonaws.com/production.s3.rubygems.org/specs.4.8.gz )

After Googling around, I found that I could use a non-SSL source for rubygems so I ran:

sudo gem sources -a http://rubygems.org

Then, when I tried to install rails again, it was successful. However, I still got the issue above but as a warning:

WARNING: Unable to pull data from ' https://rubygems.org/ ': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed ( https://s3.amazonaws.com/production.s3.rubygems.org/specs.4.8.gz )

How can I remove this warning/error entirely?

I am using the following:

• rvm 1.22.15
• ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-darwin12.3.0]
• OSX 10.8.5

Answer 1

For RVM & OSX users

Make sure you use latest rvm:

rvm get stable

Then you can do two things:

1. Update certificates:

    rvm osx-ssl-certs update all

2. Update rubygems:

    rvm rubygems latest

---

For non RVM users

Find path for certificate:

cert_file=$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE')

Generate certificate:

security find-certificate -a -p /Library/Keychains/System.keychain > "$cert_file"
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> "$cert_file"

The whole code: https://github.com/wayneeseguin/rvm/blob/master/scripts/functions/osx-ssl-certs

---

For non OSX users

Make sure to update package ca-certificates . (on old systems it might not be available - do not use an old system which does not receive security updates any more)

Windows note

The Ruby Installer builds for windows are prepared by Luis Lavena and the path to certificates will be showing something like C:/Users/Luis/... check https://github.com/oneclick/rubyinstaller/issues/249 for more details and this answer https://stackoverflow.com/a/27298259/497756 for fix.

Answer 2

Latest findings...

https://gist.github.com/luislavena/f064211759ee0f806c88

Most importantly...download https://raw.githubusercontent.com/rubygems/rubygems/master/lib/rubygems/ssl_certs/rubygems.org/AddTrustExternalCARoot-2048.pem

Figure out where to stick it

C:\>gem which rubygems
C:/Ruby21/lib/ruby/2.1.0/rubygems.rb

Then just copy the .pem file in ../2.1.0/rubygems/ssl_certs/ and go on about your business.

Answer 3

For windows users

Goto link http://rubygems.org/pages/download

1. Download the latest zip file (In my case 2.4.5)
2. Unzip it
3. run "ruby setup.rb" in unzipped folder
4. now run gem install command

Answer 4

If you want to use the non-SSL source, try removing the HTTPS source first, and then adding the HTTP one:

sudo gem sources -r https://rubygems.org
sudo gem sources -a http://rubygems.org  

UPDATE:

As mpapis states, this should be used only as a temporary workaround. There could be some security concerns if you're accessing RubyGems through the non-SSL source.

Once the workaround is not needed anymore, you should restore the SSL-source:

sudo gem sources -r http://rubygems.org
sudo gem sources -a https://rubygems.org

Answer 5

On Windows you'll have to use HTTP source to update gem then change back to using HTTPS .

gem sources -r https://rubygems.org/
gem sources -a http://rubygems.org/
gem update --system
gem sources -r http://rubygems.org/
gem sources -a https://rubygems.org/

Edit: Warning I'm not sure if this is safe . Does anyone know if ruby packages are signed? The accepted answer looks like a better solution.

Answer 6

For Windows Users (and maybe others)

Rubygems.org has a guide that not only explains how to fix this problem, but also why so many people are having it: SSL Certificate Update The reason for the problem is rubygems.org switched to a more secure SSL certificate (SHA-2 which use 256bit encryption). The rubygems command line tool bundles the reference to the correct certificate. Therefore rubygems itself can't be updated using an older version of rubygems. Rubygems must first be updated manually.

First find out what rubygems you have:

rubygems –v

Depending on whether you have a 1.8.x, 2.0.x or 2.2.x, you will need to download an update gem, named “rubygems-update-XYZgem”, where XYZ is the version you need. Running 1.8.x: download: https://github.com/rubygems/rubygems/releases/tag/v1.8.30 Running 2.0.x: download: https://github.com/rubygems/rubygems/releases/tag/v2.0.15 Running 2.2.x: download: https://github.com/rubygems/rubygems/releases/tag/v2.2.3

Install update gem:

gem install –-local full_path_to_the_gem_file

Run update gem:

update_rubygems --no-ri --no-rdoc

Check that rubygems was updated:

rubygems –v

Uninstall update gem:

gem uninstall rubygems-update -x

At this point, you may be OK. But it is possible that you do not have the latest public key file for the new certificate. To do this:

Download the latest certificate, (currently AddTrustExternalCARoot-2048.pem) from https://rubygems.org/pages/download . All of the certs are also located at: https://github.com/rubygems/rubygems/tree/master/lib/rubygems/ssl_certs

Find out where to put it:

gem which rubygems

Put this file in the “rubygems\\ssl_certs” directory at this location.

As per rubygems commit , the certificates are moved to more specific directories. Thus, currently the certificate(AddTrustExternalCARoot-2048.pem) is expected to be on the following path lib/rubygems/ssl_certs/rubygems.org/AddTrustExternalCARoot-2048.pem

Answer 7

Try to use the source website for the gems, ie rubygems.org. Use http instead of https. This method does not involve any work such as installing certs and all that.

Example -

gem install typhoeus --source http://rubygems.org

This works, but there is one caveat though.

The gem is installed, but the documentation is not because of cert errors. Here is the error I get

Parsing documentation for typhoeus-0.7.0 WARNING: Unable to pull 
data from 'https://rubygems.org/': SSL_connect returned=1 errno=0 
state=SSLv3 read server certificate B: certificate verify failed 
(https://rubygems.org/latest_specs.4.8.gz)

Answer 8

运行gem update --system为我工作

Answer 9

Make sure your system clock is correct

This exact error happened to me today on an Ubuntu virtual machine running on VirtualBox. I tried most of the solutions shown above before I noticed that I had resumed from a very old suspended state, and my clock was off by many days.

Updating the clock immediately fixed my issue. Here's the command I used in my case:

sudo service ntp stop && sudo ntpdate pool.ntp.org && sudo service ntp start

Answer 10

只需使用自制软件卸载并重新安装 openssl 即可为我解决此问题。

brew uninstall --force openssl

brew install openssl

Answer 11

For Fedora users

Update the cert.pem to newest file that provide by cURL: http://curl.haxx.se/ca/cacert.pem

curl -o `ruby -ropenssl -e 'p OpenSSL::X509::DEFAULT_CERT_FILE' |tr -d \"` http://curl.haxx.se/ca/cacert.pem

Answer 12

If you are using windows, open https://rubygems.org/ with internet explorer.

Click on security information and import the certificate. The bottom line is your certification chain is outdated and you need to add this new certificate. Remember that this is not a security violation as long as you can validate the certificate as trusted.

Answer 13

可以使用 HTTP 而不是 HTTPS 自动下载 gems 的方法/单行：

printf -- '---\n:sources:\n- http://rubygems.org\n' | tee ~/.gemrc

Answer 14

In my case, the Ubuntu CA certificates were out of date. I fixed it by running:

 sudo update-ca-certificates

Answer 15

The particular case of RubyGems (the command line tool) is that it requires to bundle inside of its code the trust certificates, which allow RubyGems to establish a connection with the servers even when base operating system is unable to verify the identity of them.

Up until a few months ago, this certificate was provided by one CA, but newer certificate is provided by a different one.

Because of this, existing installations of RubyGems would have to been updated before the switch of the certificate and give enough time for the change to spread (and people to update)

Anyone can find his solution by following the simple steps given in the link below

https://gist.github.com/luislavena/f064211759ee0f806c88

Answer 16

Try

gem update --system

Hope it solves the problem.

Answer 17

I had same problem while trying to install cucumber gem. However I noticed that bundler gem already installed with ruby 2.0. I created a Gemfile.rb in the project folder with required gems and followed this steps

1. Navigate to project folder
2. Type bundle install

All the required gems installed.

Answer 18

For Illumos / Solaris using OpenCSW pkgutil:

Install CSWcacertificates prior to 'gem install'

pkgutil -yi CSWcacertificates

If you're using a ruby kit that's not from OpenCSW, your ruby version may expect to find the certificate file in another place. In this case, I simply symlinked OpenCSW's /etc/opt/csw/ssl/cert.pem to the expected place.

Check where ruby expects to find it :

export cf=`ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'` && echo $cf

Then, if there's a discrepancy, link it:

ln -s /etc/opt/csw/ssl/cert.pem $cf && file $cf

Answer 19

Or may be prevented by firewall like me. Try this:

sudo gem install --http-proxy http://localhost:port cocoapods -V

Answer 20

For Windows user:

After installing Ruby 2.2.3 (+ rubygems 2.5.1) successfully on a test machine with access to the internet, I had this SSL error when I installed bundler on a production machine, within the network.

As I had network access limitations, and there was no way to change the settings for SSL access, and based on the error messages, I performed the steps below to be able to finish the installation of the bundler (this may sound crazy, but it worked...).

Through a machine with unrestricted access to the internet, downloaded the following files:

• spec.4.8.gz ( http://rubygems.global.ssl.fastly.net/spec.4.8.gz )
• latest_specs.4.8.gz ( http://rubygems.global.ssl.fastly.net/latest_specs.4.8.gz )
• bundler-1.11.2.gemspec.rz ( http://rubygems.global.ssl.fastly.net/quick/Marshal.4.8/bundler-1.11.2.gemspec.rz )
• bundler-1.11.2.gem ( http://rubygems.global.ssl.fastly.net/gems/bundler-1.11.2.gem )

I added these files on an intranet server, keeping the folder structure of the links above:

• $INTRANET_HOME

spec.4.8.gz e latest_specs.4.8.gz

• $INTRANET_HOME\\quick\\Marshal.4.8

bundler-1.11.2.gemspec.rz

• $INTRANET_HOME\\gems

bundler-1.11.2.gem

Then I added my intranet to access gem source:

gem sources -a http://mydomain.com.br

I have run with the success the "gem install bundler" after installation, all it took was remove my intranet of the gem:

gem sources -r http://mydomain.com.br

I hope that is useful in any similar situation....

Answer 21

Make sure of that you have installed ruby with --disable-binary option, if not, uninstall it and reinstall it with the option.

more info here

Answer 22

As a Windows 10 user, I followed Dheerendra's answer , and it worked for me one day. The next day, I experienced the issue again, and his fix didn't work. For me, the fix was to update bundler with:

gem update bundler

I believe my version of bundler was more than a few months old.

Answer 23

The answer is no longer valid. Since I have encountered the issue with older Windows ruby right now I'll post the answer.

When I wanted to install an activesupport gem:

gem in activesupport --version 5.1.6

ERROR:  Could not find a valid gem 'activesupport' (= 5.1.6), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B
: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

The following steps need to copy only the certificates from newer windows ruby. Take the latest ruby (or at least ruby 2.4.0 ) and do the following:

copy certificates from these directories (adjust to your needs):
C:\\prg_sdk\\rubies\\Ruby-2.4\\lib\\ruby\\2.4.0\\rubygems\\ssl_certs\\rubygems.org
C:\\prg_sdk\\rubies\\Ruby-2.4\\lib\\ruby\\2.4.0\\rubygems\\ssl_certs\\index.rubygems.org

to destination (again adjust to what you need):
C:\\prg_sdk\\rubies\\Ruby231-p112-x64\\lib\\ruby\\2.3.0\\rubygems\\ssl_certs

Answer 24

Download the cacert.pem file from http://curl.haxx.se/ca/cacert.pem . Save this file to C:\\RailsInstaller\\cacert.pem.

Now make ruby aware of your certificate authority bundle by setting SSL_CERT_FILE. To set this in your current command prompt session, type:

set SSL_CERT_FILE=C:\\RailsInstaller\\cacert.pem

Answer 25

For Windows, I followed https://gist.github.com/fnichol/867550 . I had to manually download the "cacert.pem" file. (go to https://curl.se/docs/caextract.html .) Put it in any folder it won't be deleted from or with.

Make sure you add it to your systems Environment variables!!!

I did this (in Windows 10) via the control panel (select User Accounts) where there is an option to "Change my environment variables". Create a new variable and set the value as the path and filename!

var name    SSL_CERT_FILE

var value   C:\{your_dir}\cacert.pem

This will ensure it remains visible/useable every time you need it (ie, every command window you open)!

Answer 26

go to rubygems and download the latest version works for me. I'm using windows.