Ruby on Windows - gem install ssl problems

When installing Ruby for Windows via Chocolatey or the Windows Installer, chances are that you will run into SSL certificate validation problems when trying to install gems.

Example problem

In my case, I tried to install bundler using gem install bundler and instantly got the following error:

ERROR: Could not find a valid gem 'bundler' (>= 0), here is why:
	   Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read 
	   server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

Initially, suspecting a problem with the openssl version installed, I ran

ruby -ropenssl -e 'p OpenSSL::OPENSSL_VERSION'
# -> "OpenSSL 1.0.1l 15 Jan 2015"

just to see that the openssl version seemed reasonably up to date. Since openssl did not appear to be the problem I started googling and found out the following:

The Problem

The problem is explained in detail on rubygems.org, but in short: the trusted certificates used to verify connections to rubygems.org when downloading gems are bundled with the gem command line tool. That means that whenever the certificate on rubygems.org is updated, your gem tool can no longer verify the validity of the new certificate, since it doesn’t know it yet. Consequently, you’ll need to update the gem tool so that it knows about the most recent certificate.
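The failure described above can be reproduced offline. The following Ruby sketch is an added example, not code from the original post or from RubyGems: it builds constructed root and server certificates (all names and keys, and the helpers make_cert, verify_with_bundle and demo, are assumptions) and shows a trust bundle that lacks the new issuer rejecting the server certificate, while the updated bundle accepts it.

```ruby
require "openssl"

# Build a certificate; self-signed when no issuer is given.
# Every name and key here is constructed for the demo.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(
    ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true)
  )
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Verify the server certificate against a list of bundled root certificates,
# the way a client with a fixed trust bundle does.
def verify_with_bundle(server_cert, bundled_roots)
  store = OpenSSL::X509::Store.new
  bundled_roots.each { |root| store.add_cert(root) }
  ok = store.verify(server_cert)
  { trusted: ok, reason: store.error_string }
end

def demo
  old_key, new_key, site_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  old_root = make_cert("/CN=Constructed Old Root", old_key, ca: true)
  new_root = make_cert("/CN=Constructed New Root", new_key, ca: true)
  # The site has switched to a certificate issued under the new root.
  site = make_cert("/CN=rubygems.org", site_key, issuer: new_root, issuer_key: new_key)
  {
    stale_bundle: verify_with_bundle(site, [old_root]),
    updated_bundle: verify_with_bundle(site, [old_root, new_root])
  }
end

demo.each { |bundle, result| puts "#{bundle}: #{result}" } if __FILE__ == $PROGRAM_NAME
```

The server certificate is identical in both checks; only the client's bundle differs, which is why updating the client is the fix.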

Solutions

Use HTTP instead of HTTPS

This is the quickest but dirtiest solution to the problem. Instead of trying to access https://rubygems.org (which is the default behaviour when running gem install), we’ll instead access http://rubygems.org so no certificate validation will take place.

To override the remote source (defaulting to https://rubygems.org), use the --source command line option when installing a gem.

E.g. you can run gem install bundler --source http://rubygems.org to bypass HTTPS.

Please note that this quick fix is absolutely not recommended, since you’re bypassing TLS entirely: the data is sent and received unencrypted, and nothing verifies that the gems you receive actually come from rubygems.org.

Apart from being insecure, the above option also has the drawback of requiring you to always explicitly tell the install command to use the non-HTTPS source.

Update your rubygems

Looking for a more permanent solution, I stumbled upon the help site on rubygems.org.

There you’ll get a detailed explanation of why the error occurs and how it can be fixed. Spoiler: You’ll have to update your local installation of rubygems. Detailed instructions on how to perform the update are given here.

As soon as you’ve updated your gem installation, you’ll be able to use gem commands as usual.