UPDATE 2014-12-21: RubyGems 1.8.30, 2.0.15 and 2.2.3 have been released. They require a manual installation step on Windows; please see the instructions below.
Hello,
If you reached this page, it means you've hit this SSL error when trying to pull updates from RubyGems:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
This error is produced by changes in rubygems.org infrastructure; please keep reading to better understand it.
If you're one of those "too long, didn't read" people, just skip to the guide on how to work around it.
For those who are not familiar with SSL and certificates, there are many parts that make secure serving of content possible.
The website uses SSL certificates, which are obtained from a certificate authority (CA) and generated from a private key, along with its respective signature.
Normally, up until a few months ago, private key signatures used SHA-1 as a way to provide a digest (or checksum) of the private key without distributing the key itself (remember, it needs to remain private).
SHA-1 is now considered weak and a lot of web servers and sites have been upgrading to SHA-2 (specifically SHA256 or higher), in order to prepare for the browsers' expected changes.
The RubyGems command line tool requires the trust certificates bundled inside its code, which allow RubyGems to establish a connection with the servers even when the base operating system is unable to verify their identity.
Up until a few months ago, this certificate was provided by one CA but newer certificates are provided by a different one.
Because of this, existing installations of gems from before the switch of the certificate have to be updated and enough time given for the change to spread.
Things getting out of sync with these types of updates is normal, and coordinating such an effort, given the size and usage of rubygems.org, is almost impossible.
I've described this on Issue #1050.
We also discussed this on IRC, and patches and backports were provided to all major branches of RubyGems: 1.8, 2.0, 2.2 and 2.4.
You can find the commits associated with these changes here:
The problem is, only the RubyGems 2.4.4 patches and backport got released, leaving Ruby versions 1.8, 2.0 and 2.2 in a broken state.
This is a huge problem for Windows users, since RubyGems 2.4 is broken on Windows.
Please understand this could happen to anyone. Releasing multiple versions of any software in a short span of time is highly complicated.
Even if we have official releases of any of the versions that correct the issue, it will not be possible to install those via RubyGems.
Once official releases are out, installation might be simpler. In the meantime, please proceed using the following instructions:
Now that RubyGems 1.8.x, 2.0.x and 2.2.x have been released, you can manually update to those versions.
First, download the proper version of RubyGems for your installation (e.g. if running version 1.8.28, download 1.8.30).
Note: To find the version of RubyGems you're using, please run gem --version in the command line.
You can find download links at GitHub under Releases.
Now, locate rubygems-update-X.Y.Z.gem where X.Y.Z is the matching version for the version of RubyGems you need to update:
Please download the file in a directory that you can later point to (e.g. the root of your hard drive, C:\)
Now, using the Command Prompt:
C:\>gem install --local C:\rubygems-update-1.8.30.gem
C:\>update_rubygems --no-ri --no-rdoc
After this, gem --version should report the new update version.
You can now safely uninstall the rubygems-update gem:
C:\>gem uninstall rubygems-update -x
Removing update_rubygems
Successfully uninstalled rubygems-update-2.2.3
Now, you want to manually fix the issue with your installation.
The steps are simple:
- Step 1: Obtain the new trust certificate
- Step 2: Locate RubyGems certificate directory in your installation
- Step 3: Copy new trust certificate
We need to download AddTrustExternalCARoot-2048.pem.
Use the above link and place/save this file somewhere accessible with the .pem extension.
IMPORTANT: File must have .pem as extension. Browsers like Chrome will try to save it as a plain text file. Ensure you change the filename to have .pem in it after you have downloaded it.
In order for us to copy this file, we need to know where to put it.
Depending on where you installed Ruby, the directory will be different.
Take for example the default installation of Ruby 2.1.5, placed in C:\Ruby21
Open a Command Prompt and type in:
C:\>gem which rubygems
C:/Ruby21/lib/ruby/2.1.0/rubygems.rb
Now, let's locate that directory. From within the same window, enter the path part up to the file extension, but using backslashes instead:
C:\>start C:\Ruby21\lib\ruby\2.1.0\rubygems
This will open an Explorer window inside the directory we indicated.
Now, locate the ssl_certs directory and copy the .pem file we obtained from the previous step inside.
It will be listed with other files like GeoTrustGlobalCA.pem.
You should be able to install Ruby gems without issues now.
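A check worth running on the downloaded file before step 3 copies it into ssl_certs, since every certificate in that directory becomes a trust anchor for gem downloads. This is an added example, not part of the original guide or of RubyGems: the function names are hypothetical, the sample certificate is constructed inline, and the expected fingerprint is assumed to come from the CA through a separate channel.

```ruby
require 'openssl'
require 'digest'

# Returns the reasons NOT to copy this file into ssl_certs (empty list = OK).
# expected_sha256: fingerprint published by the CA, obtained out of band.
def trust_cert_problems(pem, expected_sha256, now = Time.now)
  cert = OpenSSL::X509::Certificate.new(pem)
  problems = []
  bc = cert.extensions.find { |e| e.oid == 'basicConstraints' }
  problems << 'not a CA certificate' unless bc && bc.value.include?('CA:TRUE')
  # A root names itself as issuer and its signature verifies with its own key.
  unless cert.subject.to_der == cert.issuer.to_der && cert.verify(cert.public_key)
    problems << 'not a self-signed root'
  end
  unless (cert.not_before..cert.not_after).cover?(now)
    problems << 'outside validity period'
  end
  actual = Digest::SHA256.hexdigest(cert.to_der)
  wanted = expected_sha256.delete(':').downcase
  problems << "fingerprint mismatch (got #{actual})" unless actual == wanted
  problems
rescue OpenSSL::X509::CertificateError
  # Typical when the browser saved an HTML page or plain text instead.
  ['not a PEM certificate (saved as HTML or plain text?)']
end

# Constructed sample: a throwaway self-signed root, NOT the AddTrust file.
def constructed_root_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  name = OpenSSL::X509::Name.parse('/CN=Constructed Example Root')
  cert.subject = name
  cert.issuer = name
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

sample = constructed_root_pem
sample_fp = Digest::SHA256.hexdigest(OpenSSL::X509::Certificate.new(sample).to_der)
p trust_cert_problems(sample, sample_fp)
p trust_cert_problems('<html>download page</html>', sample_fp)
```

For the real file, pass File.read with the path of the downloaded .pem and the fingerprint the CA publishes, and copy the file only when the returned list is empty.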