Ruby SSL certificate verification errors

On a client project, we had recently installed capistrano-campfire to get notifications in our Campfire chatroom whenever a deployment takes place.

Unfortunately I kept getting

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

when I tried deploying. There’s nothing quite like starting the year with SSL issues…

According to this article the problem

… comes from the fact that the new Ruby 1.9 installation doesn’t find the certification authority certificates (CA Certs) used to verify the authenticity of secured web servers.

I my case, I was using Ruby 1.8 (well, REE) on OS X Snow Leopard, but the problem - and solution - was the same nevertheless.

The cURL way

The super easy solution is found on Stack Overflow (as always):

sudo curl http://curl.haxx.se/ca/cacert.pem -o /opt/local/etc/openssl/cert.pem

This installs Mozillas CS Root Certificates Bundle at /opt/local/etc/openssl/cert.pem, where the certificates can be found by Rubys HTTP library without any extra configuration.

Using MacPorts

As an alternative to the above, you can use MacPorts to get the bundles (as mentioned in this article):

$ sudo port install curl-ca-bundle

This installs the certificates bundle in /opt/local/etc/openssl/cert.pem.

You can then configure Ruby to use them:

https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'

or if that isn’t feasible, simply link them up from the default location:

$ sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt /opt/local/etc/openssl/cert.pem