certificate verify failed (unable to get certificate CRL)
Are you all of a sudden getting an OpenSSL error in your Ruby project due to “certificate verify failed (unable to get certificate CRL)” similar to the one below?
Failure/Error: res = Net::HTTP.get_response(uri)
OpenSSL::SSL::SSLError:
SSL_connect returned=1 errno=0 peeraddr=99.88.77.66:443 state=error: certificate verify failed (unable to get certificate CRL)
The good news is that there is an easy fix for this. Read on to see how I figured it out.
As part of running my Ruby on Mac business, I wrote a script to make it easy to fetch license files when customers lose theirs. I’ve been running this script without issues for a long time and I haven’t changed it. However, when I ran it today, I got the “certificate verify failed (unable to get certificate CRL)” error.
My first thought was that maybe there was something wrong with my site’s SSL certificate, but a quick visit to my site ruled that out. I also have site monitoring that alerts me if my site is down, and I didn’t see any alerts.
Given that it was related to OpenSSL, I figured it was probably because the Homebrew version of OpenSSL got updated when I updated my system a few days ago. I do this regularly by using the rom script command that Ruby on Mac Ultimate provides. When I ran brew info openssl, I saw that version 3.6.0 was installed 3 days ago.
Then, I did what I always do when I don’t immediately know what the error means: I copied and pasted it into DuckDuckGo. The first result was this GitHub issue in the repo for the openssl Ruby gem (which is different from OpenSSL itself). From there, I learned that the OpenSSL team made a change in 3.6.0 that was probably not intentional, and broke how Ruby uses OpenSSL.
Luckily, Kazuki Yamaguchi, one of the maintainers of the Ruby language, fixed this last week and pushed new versions of the openssl gem: 3.1.2, 3.2.2, and 3.3.1. Given that my script was using the latest version of Ruby, I figured I needed version 3.3.1 of the openssl gem.
An easy way to confirm that is by visiting the very helpful stdgems.org website, which tells you which versions of gems are included by default in specific Ruby versions. For example, here is the stdgems.org page for the openssl gem. It says that for Ruby versions between 3.4.0 and 3.4.7, the version of openssl that gets installed by default is 3.3.0.
In order for my script to use version 3.3.1 of the openssl gem, all I had to do was add the following line to my Gemfile:
gem "openssl", "~> 3.3.1"
and then run bundle. And that fixed it!
If your project is using Ruby version 3.3.x, you’ll want to add openssl 3.2.2 to your Gemfile. And for Ruby version 3.2.x, you’ll need openssl 3.1.2.
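To check whether a given environment needs the pin, the sketch below (an added example, not code from the original post or from the openssl gem project) compares the loaded openssl gem version and the linked OpenSSL library version against the fixed releases named above. The helper names and sample version banners are constructed, and treating every OpenSSL library release from 3.6.0 onward as affected is an assumption.

```ruby
require "openssl"
require "rubygems"

# Fixed openssl gem releases named in the post, keyed by the gem's minor series.
FIXED_GEM_RELEASES = {
  "3.1" => Gem::Version.new("3.1.2"),
  "3.2" => Gem::Version.new("3.2.2"),
  "3.3" => Gem::Version.new("3.3.1")
}.freeze

# Assumption: every OpenSSL library release from 3.6.0 onward carries the change.
FIRST_AFFECTED_LIBRARY = Gem::Version.new("3.6.0")

# Extracts the version from a banner such as "OpenSSL 3.6.0 1 Oct 2025".
# Returns nil for other TLS libraries (for example LibreSSL).
def library_version(banner)
  match = banner.match(/\AOpenSSL (\d+\.\d+\.\d+)/)
  match && Gem::Version.new(match[1])
end

# Hypothetical helper: reports whether this gem/library pair needs the Gemfile pin.
def crl_error_check(gem_version:, library_banner:)
  gem_v = Gem::Version.new(gem_version)
  lib_v = library_version(library_banner)

  # An older OpenSSL library, or a different TLS library, is not affected.
  return { status: :not_affected } if lib_v.nil? || lib_v < FIRST_AFFECTED_LIBRARY

  # Pick the fixed release that belongs to the same minor series as the gem.
  series = gem_v.segments.first(2).join(".")
  fixed = FIXED_GEM_RELEASES[series]

  # The post only names fixes for the 3.1, 3.2 and 3.3 series.
  return { status: :unknown_series } if fixed.nil?
  return { status: :fixed } if gem_v >= fixed

  { status: :needs_pin, gemfile_line: %(gem "openssl", "~> #{fixed}") }
end

# Report on the interpreter running this file.
if __FILE__ == $PROGRAM_NAME
  puts crl_error_check(gem_version: OpenSSL::VERSION,
                       library_banner: OpenSSL::OPENSSL_LIBRARY_VERSION)
end
```

Run it with the same Ruby (and the same `bundle exec`, if any) that the failing script uses, since the gem version that matters is the one actually loaded.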
I hope this helps!