Openly certifying your Rubies

Posted by s.f. on June 14, 2011

If you’re using the MacPorts version of OpenSSL, and have a Ruby installed either by MacPorts or RVM, you’ve probably clashed with the dreaded “SSLv3 read server certificate B: certificate verify failed” message (or you’ve forced the verification check off, which is not a good idea).

Quick fix:

port install curl curl-ca-bundle

ln -s /opt/local/share/curl/curl-ca-bundle.crt /opt/local/etc/openssl/cert.pem

(using sudo as needed)

There is plenty of advice on fixing the message, most of which revolves around finding and installing the correct root certificates. However, part of the problem is that the default certificate bundle used by Ruby’s Net module can only be overridden if you’re creating the Net object yourself, which leaves most external libraries out.

The ultimate solution is that whichever OpenSSL you’re using needs to have a PEM file of an appropriate set of root certificates in its base configuration directory. Neither MacPorts nor Apple ships a standalone PEM file: Apple keeps them inside the Keychain in OSX 10.5+, while MacPorts doesn’t include them with their OpenSSL port (to be fair, they have a pretty good reason).

(What’s the difference between CRT, DER, and PEM, you ask? Here’s a good explanation.)

Fortunately, the Curl project separated out its certificates a while ago, and MacPorts ships them as the “curl-ca-bundle” port (“port install curl curl-ca-bundle” if you don’t already have them).

Since we’d rather let the curl-ca-bundle maintainers keep the bundle up to date, we’ll make a symbolic link instead of copying the file:

ln -s /opt/local/share/curl/curl-ca-bundle.crt /opt/local/etc/openssl/cert.pem

(again, using sudo as needed)

Note that this is a separate problem from having general OpenSSL support in Ruby—if you can “require ‘openssl’” successfully or see a top-level ‘OpenSSL’ object in irb, your Ruby is already set and you don’t need to worry about any RUBYOPT tricks.
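To check what the fix above actually changed, here is an added Ruby example (not from the original post): it reports where your Ruby’s OpenSSL expects its trust store, parses a PEM bundle to make sure it really contains certificates, and shows the per-object ca_file override that only helps code creating its own Net::HTTP. The throwaway self-signed CA and temp file are constructed stand-ins for curl-ca-bundle.crt so everything runs offline; the MacPorts path in the comment is an assumption about typical builds.

```ruby
require 'openssl'
require 'net/http'
require 'tempfile'

# Report where this Ruby's OpenSSL looks for its trust store; on a MacPorts
# build the file is usually /opt/local/etc/openssl/cert.pem (path varies).
def default_trust_store
  file = OpenSSL::X509::DEFAULT_CERT_FILE
  { cert_file: file,
    present: File.exist?(file),
    symlink_target: (File.symlink?(file) ? File.readlink(file) : nil),
    cert_dir: OpenSSL::X509::DEFAULT_CERT_DIR }
end

# Parse every certificate in a PEM bundle, so an empty or truncated
# cert.pem is caught before the first HTTPS request fails.
def load_bundle(path)
  File.read(path)
      .scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
      .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Per-object override: verification stays ON, with an explicit CA bundle.
# Only code that builds its own Net::HTTP can do this, which is why the
# system-wide cert.pem symlink is the fix that reaches every library.
def https_client(host, ca_file)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file
  http
end

# Constructed sample: a throwaway self-signed CA written to a temp file,
# standing in for curl-ca-bundle.crt so the checks above run offline.
def constructed_bundle
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Test CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  file = Tempfile.new(['bundle', '.crt'])
  file.write(cert.to_pem)
  file.flush
  file
end
```

Run `load_bundle(OpenSSL::X509::DEFAULT_CERT_FILE).size` in irb after making the symlink; a count in the low hundreds means the curl bundle is being picked up, while an exception means cert.pem is still missing.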
