certificate verify failed (unable to get certificate CRL)

Published by Moncef Belyamani on
Updated on

Are you all of a sudden getting an OpenSSL error in your Ruby project due to “certificate verify failed (unable to get certificate CRL)” similar to the one below?

Failure/Error: res = Net::HTTP.get_response(uri)

OpenSSL::SSL::SSLError:
  SSL_connect returned=1 errno=0 peeraddr=99.88.77.66:443 state=error: certificate verify failed (unable to get certificate CRL)

As of December 2025, if you’re using Ruby 3.4 or 3.3, the fix is easy as updating the Ruby version in your project to the latest patch release (the 3rd digit). For example, if you’re using Ruby 3.4.x, that means updating your project to Ruby 3.4.8. If you’re using Ruby 3.3.x, update to 3.3.10.

For Ruby 3.2.x, which is reaching end of life on March 31, 2026, you will need to add version 3.1.2 or later of the openssl gem to your project’s Gemfile, by running this command from the root of your project:

bundle add openssl --version "~> 3.1.2"

That’s all you have to do. If you don’t know how to update the Ruby version in your project, or why it’s important to do so regularly, read my guide about How and Why to Upgrade the Ruby Version in Your Project.

If you’re interested in how I found the solution when the problem first happened, keep reading.

As part of running my Ruby on Mac business, I wrote a script to make it easy to fetch license files when customers lose theirs. I’ve been running this script without issues for a long time and I haven’t changed it. However, when I ran it today, I got the “certificate verify failed (unable to get certificate CRL)” error.

My first thought was that maybe there was something wrong with my site’s SSL certificate, but a quick visit to my site ruled that out. I also have site monitoring that alerts me if my site is down, and I didn’t see any alerts.

Given that it was related to OpenSSL, I figured it was probably because the Homebrew version of OpenSSL got updated when I updated my system a few days ago. I do this regularly by using the rom script command that Ruby on Mac Ultimate provides. When I ran brew info openssl, I saw that version 3.6.0 was installed 3 days ago.

Then, I do what I always do when I don’t immediately know what the error means: I copied and pasted it into DuckDuckGo. The first result was this GitHub issue in the repo for the openssl Ruby gem (which is different from OpenSSL itself). From there, I learned that the OpenSSL team made a change in 3.6.0 that was probably not intentional, and broke how Ruby uses OpenSSL.

Luckily, Kazuki Yamaguchi, one of the maintainers of the Ruby language, fixed this last week and pushed new versions of the openssl gem: 3.1.2, 3.2.2, and 3.3.1. Given that my script was using the latest version of Ruby (3.4.7 at the time), I figured I needed version 3.3.1 of the openssl gem.

An easy way to confirm that is by visiting the very helpful stdgems.org website, which tells you which versions of gems are included by default in specific Ruby versions. For example, here is the stdgems.org page for the openssl gem. It says that for Ruby versions between 3.4.0 and 3.4.7, the version of openssl that gets installed by default is 3.3.0.

In order for my script to use version 3.3.1 of the openssl gem, all I had to do was add the following line to my Gemfile:

gem "openssl", "~> 3.3.1"

and then run bundle. And that fixed it!

Note that Bundler has a handy feature to make the two steps above easier. Just run this command, which will add the gem to your Gemfile, and install it at the same time:

bundle add openssl --version "~> 3.3.1"

Also note that if your project is using Ruby 3.4, Ruby 3.4.8 (which was released after this article was first published) already comes with openssl 3.3.1. So, instead of adding the openssl gem to your project, just update your project’s Ruby version to 3.4.8.

Similarly, if your project is using Ruby version 3.3.x, update to 3.3.10, which already comes with openssl 3.2.2. But for Ruby version 3.2.x, you’ll need to add openssl 3.1.2 or later because there isn’t yet a version of Ruby 3.2.x that includes openssl 3.1.2 or later.

I hope this helps!