SSL certificate woes with Ruby 1.9 and OS X

I have written about Ruby and OpenSSL woes before, but I recently got bit by the issues again and the solution I had outlined earlier didn’t work.

My simple test case

require 'net/https'
https = Net::HTTP.new('www.google.com', 443)
https.use_ssl = true
https.request_get('/')

failed with a

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

No biggie, by now the solution has been widely documented - just install a CA certificate bundle:

$ port install curl-ca-bundle

and tell Ruby to grab the certificates from where you installed them:

https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'

Sure enough, that makes the simple test case work.

But what if we cannot hardcode ca_file paths - for example, if the request is being made by a third-party library? Turns out, if we set the SSL_CERT_FILE environment variable, which OpenSSL consults for its default CA file, things work without us modifying core Ruby classes:

export SSL_CERT_FILE=/opt/local/share/curl/curl-ca-bundle.crt

Winning!
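
To check offline what a given SSL_CERT_FILE value actually gives the verifier, here is an added example (not code from the original post). The helper names are hypothetical, and a throwaway self-signed root is constructed in place of a real CA bundle; it shows the same certificate failing verification against an empty trust store and passing once the bundle is loaded.

```ruby
require 'openssl'
require 'tempfile'

# CA file OpenSSL falls back to when no ca_file is given: the SSL_CERT_FILE
# environment variable if set, otherwise the compiled-in default path.
def effective_ca_file(env = ENV)
  env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
end

# Parse a PEM bundle and report what a verifier would really get from it.
def inspect_bundle(path, now = Time.now)
  return { path: path, usable: false, certs: 0, expired: 0 } unless File.readable?(path)
  pems = File.read(path).scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  certs = pems.map { |pem| OpenSSL::X509::Certificate.new(pem) }
  expired = certs.count { |c| c.not_after < now }
  { path: path, usable: certs.size > expired, certs: certs.size, expired: expired }
end

# True if `cert` chains to a root in the bundle at `path` (nil = empty store).
def trusted?(cert, path)
  store = OpenSSL::X509::Store.new
  store.add_file(path) if path
  store.verify(cert)
end

# Constructed sample: a throwaway self-signed root standing in for a real CA.
def constructed_root
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-example-root')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256')) # returns the signed certificate
end

def demo
  root = constructed_root
  Tempfile.create(['bundle', '.crt']) do |f|
    f.write(root.to_pem); f.flush
    { env_path: effective_ca_file({ 'SSL_CERT_FILE' => f.path }),
      report: inspect_bundle(f.path),
      without_bundle: trusted?(root, nil),    # the "certificate verify failed" case
      with_bundle: trusted?(root, f.path) }   # same cert, bundle loaded
  end
end
```

Running inspect_bundle(effective_ca_file) in the environment the third-party library runs in shows whether the exported path is readable there and contains unexpired certificates.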