User Tools

Site Tools


Translations of this page:


Tag Cloud


2024.01.18 SSL Error in Rails


 OpenSSL::SSL::SSLError in RecruitsController#update SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) 

This also results in “unable to get local issuer certificate”.

openssl s_client -showcerts -host -port 443
Verification error: unable to get local issuer certificate


Path of root certificate used by ruby

Ruby was using /usr/local/ssl/cert.pem.


require 'openssl'
 ruby ssl_path.rb "/usr/local/ssl/cert.pem" 

One-liner to execute:

ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE"

However, the target path does not have the root certificate.

 # ll /usr/local/ssl/cert.pem ls: cannot access '/usr/local/ssl/cert.pem': No such file or directory 

So, we need to create a symlink:

 # ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /usr/local/ssl/cert.pem
ll /usr/local/ssl/cert.pem
lrwxrwxrwx. 1 root root 49 Jan 18 15:13 /usr/local/ssl/cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Unable to update the root certificate.

 # yum update ca-certificates Last metadata expiration check: 0:29:05 ago on Thu Jan 18 14:57:01 2024. Dependencies resolved. ========================================================================================================================= Package Architecture Version Repository Size ========================================================================================================================= Upgrading: ca-certificates noarch 2023.2.60_v7.0.306-90.1.el9_2 baseos 835 k
Transaction Summary
Upgrade  1 Package

Total download size: 835 k
Is this ok [y/N]: y
Downloading Packages:
[===                                     ] ---  B/s |   0  B     --:-- ETA
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: Error downloading packages:
Curl error (77): Problem with the SSL CA cert (path? access rights?) for [error setting certificate file: /etc/pki/tls/certs/ca-bundle.crt]

This can be resolved by running the following command:

 # yum --setopt='sslverify=false' update ca-certificates 
en/50_dialy/2024/01/18.txt · Last modified: 2024/05/10 11:58 by matsui