55 Minutes

Welcome to the 55 Minutes blog.
55 Minutes is a web development consultancy in San Francisco building apps for design-led businesses and startups. On this blog we discuss the technology tools of our trade: Ruby on Rails, Django, Sass, OS X, and more.

Fixing HTTPS Certificate Errors in Wget and Ruby

I recently ran across SSL certificate errors when trying to fetch certain HTTPS URLs with Wget and Ruby. Here’s my quick fix.

Update Feb 23, 2012: The latest version of curl for MacPorts simplifies the Ruby solution for this issue. Refer to the bottom of this post.

Wget

Maybe you’ve seen this?

$ wget https://github.com/
ERROR: The certificate of `github.com' is not trusted.
ERROR: The certificate of `github.com' hasn't got a known issuer.

If you’re like me, you’ve installed Wget with MacPorts. This version of Wget apparently does not include the necessary root SSL certificates, nor does it know where to find the ones already on your Mac. Luckily the solution is easy.

Install curl-ca-bundle

sudo port install curl-ca-bundle

Add CA_CERTIFICATE to ~/.wgetrc

echo CA_CERTIFICATE=/opt/local/share/curl/curl-ca-bundle.crt >> ~/.wgetrc

Fixed! If you’re curious, I’ve added this .wgetrc to my dotfiles project as well.

Ruby

I ran into a similar problem in Ruby 1.9.3p0, which I compiled and installed via ruby-build. In this case, the error looks like this:

irb(main):001:0> require 'open-uri'
irb(main):002:0> open('https://github.com/')
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Again, we can trace this back to MacPorts. My Ruby was compiled against the MacPorts version of openssl, which can’t find the all-important certificates.

Install curl-ca-bundle as described above. Then:

Symlink the certificates

sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt /opt/local/etc/openssl/cert.pem

Update Feb 23, 2012: The latest version of curl-ca-bundle for MacPorts (7.24.0) creates this symlink for you automatically when you install the port. If you’ve created the link manually, you’ll need to delete it before MacPorts will allow you to upgrade to curl-ca-bundle @7.24.0.
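To confirm that the path Ruby's OpenSSL reads actually resolves to usable certificates (for instance after the port upgrade mentioned above), a check along these lines can help. This is an added example, not code from the original post; the helper names `default_ca_file`, `ca_bundle_status`, `sample_pem` and `demo` are hypothetical, and the certificate and temporary paths are constructed for the demonstration.

```ruby
require 'openssl'
require 'tmpdir'

# Path this Ruby's OpenSSL reads CA certificates from; SSL_CERT_FILE overrides it.
def default_ca_file
  ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
end

# Classify a bundle path: it must resolve (through any symlink) to PEM certificates.
def ca_bundle_status(path)
  return :dangling_symlink if File.symlink?(path) && !File.exist?(path)
  return :missing unless File.file?(path)
  blocks = File.read(path).scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  return :no_certificates if blocks.empty?
  blocks.each { |pem| OpenSSL::X509::Certificate.new(pem) }
  :ok
rescue OpenSSL::X509::CertificateError
  :unparseable
end

# Constructed sample: a throwaway self-signed certificate standing in for the bundle.
def sample_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-test-ca')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Constructed scenario in a temp dir: a cert.pem symlink before and after its target goes away.
def demo
  Dir.mktmpdir do |dir|
    bundle = File.join(dir, 'curl-ca-bundle.crt')
    link = File.join(dir, 'cert.pem')
    File.write(bundle, sample_pem)
    File.symlink(bundle, link)
    linked = ca_bundle_status(link)
    File.delete(bundle)
    { linked: linked, after_removal: ca_bundle_status(link), absent: ca_bundle_status(File.join(dir, 'none.pem')) }
  end
end

puts "#{default_ca_file}: #{ca_bundle_status(default_ca_file)}" if __FILE__ == $PROGRAM_NAME
```

Run directly, it prints the status of the certificate file your own Ruby build points at; anything other than `ok` means HTTPS verification will fail as shown in the irb session above.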
