My company uses a proxy for all internet traffic for security reasons, but unfortunately this breaks SSL with Ruby.
When I try gem install rake
or any other gem
command, I get the following error:
ERROR: SSL verification error at depth 0: unable to get local issuer certificate (20)
ERROR: You must add /C=US/ST=New York/L=New York City/O=My Company, Inc./OU=Corporate/CN=mycompany.com to your local trusted store
RubyGems connection to rubygems.org: failed ❌ (certificate verification)
How do I resolve this?
This error message means you are being routed through a domain whose SSL certificate is missing from your local certificate file. This happens commonly with web filters/proxies and can be fixed by adding the missing certificates.
The CN
field towards the end of the error message tells you the address of the server, in my example mycompany.com
. Open a web browser and go to this address. If you see a lock icon to the left of the URL, this means your browser found the SSL certificate (If not, you will have to find the missing certificate some other way).
To get the certificate hash:
Will look something like this:
-----BEGIN CERTIFICATE-----
MIIESzCCAzOgAwIBAgIJAKNiDFgr+nN4MA0GCSqGSIb3DQEBCwUAMIG7MQswCQYD
VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
[lots more stuff...]
Z05JMrKlVndAmcLUoycD2hGqY9I1/9atfV23MkNslR+LBo7nMbjUj+lk/1rchww=
-----END CERTIFICATE-----
In a terminal, run:
ruby -ropenssl -e 'p OpenSSL::X509::DEFAULT_CERT_FILE'
You'll get a path:
"C:/Ruby32-x64/bin/etc/ssl/cert.pem"
Open this file in a text editor and add the certificate to the end. You can optionally add a comment to the new entry. Leave a newline above and below the entry and save the file:
MYCOMPANY.com <- Comment line (optional)
====================
-----BEGIN CERTIFICATE-----
[paste certificate hash here]
-----END CERTIFICATE-----
In PowerShell:
$env:SSL_CERT_FILE="C:\Ruby32-x64\bin\etc\ssl\cert.pem"
In Command Prompt:
set SSL_CERT_FILE=C:\Ruby32-x64\bin\etc\ssl\cert.pem
Save and run Ruby's SSL check script. You should see something like this:
Here's your Ruby and OpenSSL environment:
Ruby: 3.2.2p53 (2023-03-30 revision e51014f9c05aa65cbf203442d37fef7c12390015) [x64-mingw-ucrt]
RubyGems: 3.4.10
Bundler: 2.4.10
Compiled with: OpenSSL 3.1.0 14 Mar 2023
Loaded version: OpenSSL 3.1.0 14 Mar 2023
SSL_CERT_FILE: C:/Ruby32-x64/bin/etc/ssl/cert.pem
SSL_CERT_DIR: C:/Ruby32-x64/bin/etc/ssl/certs
With that out of the way, let's see if you can connect to rubygems.org...
Bundler connection to rubygems.org: success ✅
RubyGems connection to rubygems.org: success ✅
Ruby net/http connection to rubygems.org: success ✅
Hooray! This Ruby can connect to rubygems.org. You are all set to use Bundler and RubyGems. 👌