certificate verify failed (unable to get certificate CRL)

Published by Moncef Belyamani

Are you all of a sudden getting an OpenSSL error in your Ruby project due to “certificate verify failed (unable to get certificate CRL)” similar to the one below?

Failure/Error: res = Net::HTTP.get_response(uri)

OpenSSL::SSL::SSLError:
  SSL_connect returned=1 errno=0 peeraddr=99.88.77.66:443 state=error: certificate verify failed (unable to get certificate CRL)

The good news is that there is an easy fix for this. Read on to see how I figured it out.

As part of running my Ruby on Mac business, I wrote a script to make it easy to fetch license files when customers lose theirs. I’ve been running this script without issues for a long time and I haven’t changed it. However, when I ran it today, I got the “certificate verify failed (unable to get certificate CRL)” error.

My first thought was that maybe there was something wrong with my site’s SSL certificate, but a quick visit to my site ruled that out. I also have site monitoring that alerts me if my site is down, and I didn’t see any alerts.

Given that it was related to OpenSSL, I figured it was probably because the Homebrew version of OpenSSL got updated when I updated my system a few days ago. I do this regularly by using the rom script command that Ruby on Mac Ultimate provides. When I ran brew info openssl, I saw that version 3.6.0 was installed 3 days ago.

Then, I did what I always do when I don’t immediately know what the error means: I copied and pasted it into DuckDuckGo. The first result was this GitHub issue in the repo for the openssl Ruby gem (which is different from OpenSSL itself). From there, I learned that the OpenSSL team made a change in 3.6.0 that was probably not intentional, and broke how Ruby uses OpenSSL.

Luckily, Kazuki Yamaguchi, one of the maintainers of the Ruby language, fixed this last week and pushed new versions of the openssl gem: 3.1.2, 3.2.2, and 3.3.1. Given that my script was using the latest version of Ruby, I figured I needed version 3.3.1 of the openssl gem.

An easy way to confirm that is by visiting the very helpful stdgems.org website, which tells you which versions of gems are included by default in specific Ruby versions. For example, here is the stdgems.org page for the openssl gem. It says that for Ruby versions between 3.4.0 and 3.4.7, the version of openssl that gets installed by default is 3.3.0.

In order for my script to use version 3.3.1 of the openssl gem, all I had to do was add the following line to my Gemfile:

gem "openssl", "~> 3.3.1"

and then run bundle. And that fixed it!

If your project is using Ruby version 3.3.x, you’ll want to add openssl 3.2.2 or later to your Gemfile, unless you are using 3.3.10, which already comes with openssl 3.2.2. And for Ruby version 3.2.x, you’ll need openssl 3.1.2 or later.

Note that when Ruby 3.4.8 and 3.2.10 are released, they will come with the fixed versions of openssl, so you won’t need to worry about this anymore.
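
To check which side of this a given machine is on, the following Ruby script compares the loaded openssl gem against the fixed releases listed above. It is an added example, not code from the original post or from the openssl gem; the helper names, the sample version banner, and the treatment of every OpenSSL release from 3.6.0 onward as affected are assumptions of the example.

```ruby
require "openssl"

# Fixed openssl gem releases named in the post, keyed by release series.
FIXED_RELEASES = {
  "3.1" => Gem::Version.new("3.1.2"),
  "3.2" => Gem::Version.new("3.2.2"),
  "3.3" => Gem::Version.new("3.3.1")
}.freeze

# Assumption: every OpenSSL library release from 3.6.0 on carries the change.
FIRST_AFFECTED_LIBRARY = Gem::Version.new("3.6.0")

# Pull the version number out of a library banner such as "OpenSSL 3.6.0 ..."
# (the format of OpenSSL::OPENSSL_LIBRARY_VERSION).
# Returns nil for LibreSSL or anything else that is not OpenSSL.
def library_version(banner)
  match = banner.match(/\AOpenSSL (\d+\.\d+\.\d+)/)
  match && Gem::Version.new(match[1])
end

# Returns :ok, :upgrade_gem or :unknown for a gem/library combination.
def crl_check_status(gem_version, library_banner)
  lib = library_version(library_banner)
  return :unknown if lib.nil?
  return :ok if lib < FIRST_AFFECTED_LIBRARY

  gem = Gem::Version.new(gem_version)
  # "or later" in the post: anything at or past the newest fixed release is fine.
  return :ok if gem >= FIXED_RELEASES.fetch("3.3")

  series = gem.segments.first(2).join(".")
  fixed = FIXED_RELEASES[series]
  return :unknown if fixed.nil? # a gem series the post does not cover

  gem >= fixed ? :ok : :upgrade_gem
end

# Report on the Ruby that is running this script.
status = crl_check_status(OpenSSL::VERSION, OpenSSL::OPENSSL_LIBRARY_VERSION)
puts "ruby #{RUBY_VERSION}, openssl gem #{OpenSSL::VERSION}, " \
     "#{OpenSSL::OPENSSL_LIBRARY_VERSION}: #{status}"
```

Run it with bundle exec ruby inside a project to see the gem version Bundler actually loads, which can differ from the default gem that ships with Ruby.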

If this is a personal and local project, you might not necessarily need to add the openssl gem to your project. You could install the latest openssl version globally for your Ruby version, like this:

gem install openssl

In general, it’s better to be explicit about the required version in the project, for a few reasons:

  • If you’re working on a project with other people, it ensures everyone is using the same version.
  • It allows your project to run wherever you’re deploying it, especially if you don’t have control over which version of OpenSSL is installed on the server.

I hope this helps!