After upgrading to Ruby 2.0 many Ruby users, including me, have been experiencing strange OpenSSL related errors of the form:

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I’ve found two reasons why this was happening: one which was Rubygems related and one that wasn’t Ruby’s fault at all.

Amazon recently changed their SSL certificates for S3 and CloudFront, where all Gems are hosted. When upgrading to Ruby 2.0 on Mac OS X, the verison of OpenSSL that ships with Mavericks seems to be missing some of these root certificates, leading to the failed verification. For most people, updating Rubygems to the latest version will fix this issue[1][2][3]. If updating Rubygems doesn’t fix the issue, I would recommend following the steps found here http://railsapps.github.io/openssl-certificate-verify-failed.html.

Updating Rubygems, however, did not solve this problems for one of our customers. Hosted on Ubuntu 12.04 servers, one external service the application uses was still consistently failing certificate verification. After lots of of spelunking, searching, and testing, I realized the problem wasn’t Ruby’s fault but Ubuntu’s! Turns out Ubuntu 12.04 stopped including a certain Verisign Root certificate from 2009. This certificate, though marked as deprecated, is still in use by a number of services. This omission has been filed as a bug on Ubuntu’s tracker though there is no fix mentioned yet. From the comments there, all versions of Ubuntu since 12.04 seem to be affected by this. This problem is manually fixable by following the steps outlined in Sean Boran’s comment

Fix: Verisign's 2009 ROOT certificate is missing, so download it an install it. 1) Copy the Root CA from Symantec: <https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1556> 2) Save to a file like verisign2009.crt in "/usr/local/share/ca-certificates/" $ sudo vi /usr/local/share/ca-certificates/verisign2009.crt 3) Update the certificate stor $ sudo update-ca-certificates Now all of the above https site work fine, at least on 12.04. The procedure is same for any custom CA certs that one needs to add. /usr/local/share/ca-certificates/ is normally empty.

For those using Chef, place the Verisign certificate in the files/default directory of the appropriate cookbook and add the following recipe rules:

cookbook_file("/usr/local/share/ca-certificates/verisign2009.crt") do
  owner "root"
  group "root"
  mode  "0644"

  notifies :run, "execute[update-ca-certs]", :immediately
end

execute("update-ca-certs") do
  user    "root"
  command "update-ca-certificates"
  action :nothing
end

[1] Rubygems Issue #665

[2] Rubygems Commit adding new Verisign Certs

[3] Rubygems commit adding DigiCert cert for Cloudfront