Fix for OpenSSL::SSL::SSLError on RestForce / Faraday

Fix for OpenSSL::SSL::SSLError on RestForce / Faraday. Hopefully this will save you some time if you see this RestForce error

Today I want to share how I fixed an OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed error that we were having on one of our Rails applications.

There are several different articles on the web with people providing their solutions to this super annoying error, each solution came with a slew of people commenting “it worked” or “didn’t fix it”. I want to present the very specific things I needed to do in the hope that if other solutions have failed this one works!

The Setup

This is the setup we had when we spotted this issue, this isn’t to say that if yours is different then the eventual solution won’t work but I can’t claim this to be a general solution that will fix everything for everyone.

  • We noticed this when our RestForce gem wasn’t sending data to SalesForce anymore
  • On one Ubuntu instance it worked, on another it didn’t
  • It worked locally (Mac OS X)
  • On the server that it didn’t work on, wget and curl were throwing similar errors

The Issue

It didn’t look like OpenSSL was using the correct SSL certificates when trying to establish the authenticity of websites.

Even though this was being called form RestForce, it uses Faraday, which uses Ruby’s Net::HTTP. Since it was Net::HTTP throwing the error I was pretty sure the solution had to be fairly low level.

The (eventual) Solution

I say eventual because I followed several red herrings.

I had to run the following things on the server;

  • openssl version -a to find out the OPENSSLDIR being used by the system
  • ls /usr/lib/ssl/certs to verify it was empty (that location being the result of OPENSSLDIR)
  • Updating the ca-certificates with sudo apt-get install ca-certificates (in my case this wasn’t needed, but a good step)
  • Updating the certificate location with sudo update-ca-certificates
  • Hashing the certificates for OpenSSL with sudo c_rehash

Special Thanks


Recent posts View all

Freelancing

Why we have ads

We run ads on the site, this article talks about how we try and make them not terrible and why we monetise in the first place

Accessibility

Writing accessible hashtags

Write accessible hashtags by camel casing them. Because ThisReadsBetter thanthisdoes.