Fixing “Could not verify the SSL certificate”

We have received reports that a limited number of customers were experiencing SSL certificate errors when using Gemfury with RubyGems or Bundler. This was happening quite unpredictably and we have been having trouble tracking down the environment and steps to reproduce this following error:

Could not verify the SSL certificate for https://gem.fury.io/…

Given that we are still hearing about this problem, we are posting this article to summarize the steps that have helped to remedy this issue.

Quick Fix

To address this problem, we recommend the following steps:

  • Make sure your Ruby is up-to-date. If it’s older than Ruby 2.0.0-p195 or Ruby 1.9.3-p392, you should upgrade.
  • Make sure your RubyGems is up-to-date. If it’s older than 2.0.3, you should upgrade.
  • Make sure your OpenSSL is up-to-date. If it’s older than 1.0.1, you should upgrade.
  • Update your SSL certifiates

Updating SSL certificates

To update your SSL certificates, you can use the following RVM convenience method:

$ rvm osx-ssl-certs status all
$ rvm osx-ssl-certs update all

If you’re not using RVM, run the following to update the certificates on Linux. You may need to uninstall the ca-certificates package to get a clean install.

# Replace <package-manager> with yum, apt-get or zypper
$ <package-manager> install ca-certificates

If you’re on OSX, the following script should do the trick:

cert_file=$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE' 2>/dev/null)
mkdir -p "${cert_file%/*}"
security find-certificate -a -p /Library/Keychains/System.keychain > "$cert_file"
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> "$cert_file"

You may also have to manually point your OpenSSL to the right certificate by adding this to your ~/.profile:

export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

Verify your certificates

To quickly verify that your root certificate store accepts Gemfury’s repo certificate, you can run the following request:

ruby -rnet/http -e "Net::HTTP.get URI('https://gem.fury.io')"

If you see no exceptions returned, then it’s working.

Let’s figure this out together

If you’re still having problems after performing these steps, we are here to help you troubleshoot your configuration. Please run the following and include the output in your email:

$ uname -a
$ ruby -v
$ gem -v
$ ruby -ropenssl -e "puts OpenSSL::OPENSSL_VERSION"

And if you’re having trouble with a Bundler command:

$ DEBUG=true bundle <command>

References

This issue has been around, and we are glad that these experts found the solution:

We also thank our most persistent customers who have encountered this problem and helped us track down and find these solutions.