Fix for OpenSSL::SSL::SSLError on RestForce / Faraday
Hopefully this will save you some time if you see this RestForce error.
Today I want to share how I fixed an OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed error that we were having on one of our Rails applications.
There are several different articles on the web with people providing their solutions to this super annoying error, and each solution comes with a slew of people commenting “it worked” or “didn’t fix it”. I want to present the very specific things I needed to do, in the hope that if other solutions have failed, this one works!
The Setup
This is the setup we had when we spotted this issue. That isn’t to say the eventual solution won’t work if yours is different, but I can’t claim this is a general solution that will fix everything for everyone.
- We noticed this when our RestForce gem wasn’t sending data to SalesForce anymore
- On one Ubuntu instance it worked, on another it didn’t
- It worked locally (Mac OS X)
- On the server that it didn’t work on, wget and curl were throwing similar errors
The Issue
It didn’t look like OpenSSL was using the correct SSL certificates when trying to establish the authenticity of websites.
Even though this was being called from RestForce, it uses Faraday, which uses Ruby’s Net::HTTP. Since it was Net::HTTP throwing the error, I was pretty sure the solution had to be fairly low level.
The (eventual) Solution
I say eventual because I followed several red herrings.
I had to run the following things on the server:
- openssl version -a to find out the OPENSSLDIR being used by the system
- ls /usr/lib/ssl/certs to verify it was empty (that location being the result of OPENSSLDIR)
- Updating the ca-certificates with sudo apt-get install ca-certificates (in my case this wasn’t needed, but a good step)
- Updating the certificate location with sudo update-ca-certificates
- Hashing the certificates for OpenSSL with sudo c_rehash
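The checks from the steps above can be scripted so the same test runs on the working and the failing server. This is an added example, not code from the original post; the function names are hypothetical, and it assumes the CA directory is the certs directory under OPENSSLDIR, as it was here.

```bash
# Added example: is OpenSSL's CA directory populated and hashed?

# Pull the path out of the OPENSSLDIR line of `openssl version -a` output,
# which looks like: OPENSSLDIR: "/usr/lib/ssl"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p' | head -n 1
}

# Count entries named the way c_rehash names them: 8 hex digits, a dot, a number.
count_hashed_certs() {
    local dir="$1" n=0 f
    [ -d "$dir" ] || { echo 0; return 0; }
    for f in "$dir"/*; do
        case "$(basename "$f")" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                # -e follows symlinks, so dangling hash links are not counted
                [ -e "$f" ] && n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Classify a CA directory as: missing, empty, unhashed or ok.
ca_dir_status() {
    local dir="$1"
    [ -d "$dir" ] || { echo missing; return 0; }
    if [ -z "$(ls -A "$dir")" ]; then echo empty; return 0; fi
    if [ "$(count_hashed_certs "$dir")" -eq 0 ]; then echo unhashed; return 0; fi
    echo ok
}

# Live check against the local OpenSSL install (requires the openssl binary).
check_ca_store() {
    local dir
    dir="$(parse_openssldir "$(openssl version -a)")/certs"
    echo "$dir: $(ca_dir_status "$dir")"
}
```

Run check_ca_store on each server: "empty" matches the state described above, and "unhashed" means certificates are present but the hashing step has not been run.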
Special Thanks
- This blog post really helped me understand the issue and the doctor script was useful (not least because it showed me that my wget was being weird too!)
- Paul Synnott helped me with an issue I had during certificate creation