google-api-ruby-client: Receive "certificate verify failed" when running client.authorization.fetch_access_token! on Mac

I’m on Mac OS X Yosemite 10.10.3

The full error message is:

Faraday::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
from ruby/2.2.0/net/http.rb:923:in `connect'

Things I’ve tried:

  1. Updating to the latest google-api-client (0.8.6)
  2. Updating OpenSSL using homebrew and force relinking it (stable 1.0.2a-1)
  3. Running rvm osx-ssl-certs update all
  4. Checking that rvm osx-ssl-certs status all says “Up to date” for all pem files (it does)
  5. Downloading a new pem file from curl.haxx.se/ca/cacert.pem and then using the ca_file option to reference that pem file
  6. Out of desperation, I tried running client.connection.ssl.verify = false but this still doesn’t work. Perhaps faraday is initialized prior to me running this, and so ignores it?

I’ve read a ton of stack overflows, searched forums, searched issues on the project. Everything I try still results in a “certificate verify failed” when running fetch_access_token!

This error does not occur when I use an existing oauth2 access_token and make an API request.

About this issue

  • Original URL
  • State: closed
  • Created 9 years ago
  • Comments: 30 (2 by maintainers)

Most upvoted comments

@fletchrichman Same here it seems to be a Yosemite problem, solved by downloading this http://curl.haxx.se/ca/cacert.pem, and saving it replacing /usr/local/etc/openssl/cert.pem. I’ve added export SSL_CERT_FILE=/usr/local/etc/openssl/cert.pem to my .bash_profile.

+53
dblommesteijn on Jan 8, 2016

I can confirm this issue. I’ve tried all of the above as well.

I’ve worked around this by explicitly loading openssl first (in my case before Bundler.require) and setting verify to none:

require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

This is not a good idea, but I haven’t found a real fix yet.

+23
spikex on Jun 8, 2015

I have this problem today and fix reinstalling ruby using rvm reinstall ruby-2.1.5 --with-openssl-dir=/usr/local

+11
zegomesjf on Jun 23, 2016

I am on yosemite, I had to do:

brew update
brew remove openssl
brew install openssl
brew link openssl
rvm reinstall 2.3.1 --disable-binary

http://railsapps.github.io/openssl-certificate-verify-failed.html, looks like outdated to me because, curl-ca-bundle is no more availabe as brew formula neither did raggi/ale worked for me.

+4
przbadu on Nov 1, 2016

gem install rake -v '10.5.0' before bundle install works for me! Thanks!

+4
bobzhen on Mar 2, 2016

Yeah, don’t do that 😃

Just pushed a new version of signet (0.6.1) which hopefully fixes this. Other workarounds:

  • Set the environment variable SSL_CERT_FILE to the path of the PEM file
  • Override the faraday connection with the one from the api client. Something like the following should work
api_client = Google::APIClient.new
# ...
api_client.authorization.fetch_access_token!(:connection => api_client.connection)
+3
sqrrrl on Jun 8, 2015

@dblommesteijn Replacing cert.pem file solution works on OS X El Capitan 10.11.6 as well

+2
xhuang97 on Aug 2, 2017

I’m also having this problem on Windows.

Update: Solved by updating RubyGems (from 2.5.1 to 2.6.7)

+1
Ashkin on Oct 13, 2016

Had this issue too, had all the same issues as @spikex and had to download the cert file from lib/cacerts.pem and replace my local one. apparently this is the only valid cert file, not the ones from brew or rvm.

+1
fletchrichman on Dec 30, 2015
Read more comments on GitHub
← google-api-ruby-client: invalid_grant error
google-auth-library-nodejs: Auth error: ETIMEDOUT →