2

m getting an SSL error when making an HTTPS request in a Rails controller (Ruby 3.1.6):

OpenSSL::SSL::SSLError in PurchaseAttemptsController#create
SSL_connect returned=1 errno=0 peeraddr=3.175.45.47:443 
state=error: certificate verify failed (unable to get certificate CRL)

I also tested using openssl s_client and it fails with the same error:

Verify return code: 3 (unable to get certificate CRL)

Environment:

macOS: 15.6
System LibreSSL: 3.3.6
Homebrew OpenSSL: 3.6.0
Ruby: 3.1.6 (installed via asdf)
Ruby OpenSSL::OPENSSL_VERSION: OpenSSL 3.6.0
OpenSSL::X509::DEFAULT_CERT_FILE: /opt/homebrew/etc/openssl@3/cert.pem
OpenSSL::X509::DEFAULT_CERT_DIR: /opt/homebrew/etc/openssl@3/certs
Ruby build flags include: --with-openssl-dir=/opt/homebrew/opt/openssl@3

What I already tried:

  • Recompiled Ruby with --with-openssl-dir targeting Homebrew OpenSSL.

  • Installed updated certificates via brew install ca-certificates + security add-trusted-cert.

  • Exported SSL_CERT_FILE and SSL_CERT_DIR to point to Homebrew certs.

  • Manually tested CRL with openssl verify -crl_check (fails due to CRL not reachable from my network).

  • Tried using custom OpenSSL::X509::Store in Ruby (still enforces CRL validation).

  • No custom CRL config in openssl.cnf, using default provider.

Questions:

  1. Why is Ruby/OpenSSL enforcing CRL verification if the certificate doesn’t explicitly require it?

  2. Is there a way to disable CRL checking in Ruby/OpenSSL without setting verify_mode: OpenSSL::SSL::VERIFY_NONE?

  3. Could this be caused by mixing system LibreSSL with Homebrew OpenSSL?

  4. Does openssl.cnf enable CRL verification implicitly?

This seems more like an OpenSSL/Ruby build or config issue than a Rails problem.

Any guidance would be appreciated.

Improve this question
1
  • Accoding to this (github.com/rails/rails/issues/55886) at least a few people "solved" the issue by adding openssl as a explicit dependency in the Gemfile. There are other suggestions as well. Commented Nov 21 at 14:57

2 Answers 2

Reset to default
2

This is a known issue when using Ruby with OpenSSL 3.6.0. According to the last comment on the issue this was fixed with Ruby 3.4.7 by building it against OpenSSL 3.5.4 instead of OpenSSL 3.6.0.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

I added openssl to the Gemfile , and things started to work again.

https://rubygems.org/gems/openssl

Improve this answer

1 Comment

thank you, struggled all afternoon, this fixed it, specifically gem 'openssl', '~> 3.3.2'

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.