We don't include root certificates and openssl doesn't pick up the system-installed ones. Diagnostic is
$ ./default/bin/openssl s_client -connect www.rubygems.org:443
[...]
Verify return code: 20 (unable to get local issuer certificate)
instead of
Verify return code: 0 (ok)
A workaround is to set SSL_CERT_FILE=/etc/pki/tls/cert.pem (on Fedora). The right fix is probably to configure openssl.cnf properly.
The question is how: the root certs are in an OS-specific place on Linux, and on OSX it's even worse (afaik there is no .pem format). The easiest solution would be to include our own certs; afaik that's what Homebrew does (available at https://curl.haxx.se/docs/caextract.html)
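The SSL_CERT_FILE workaround above, generalised beyond Fedora, as an added example that is not part of the original report or the project's code. Only the Fedora path comes from the report; the other candidate paths are assumed common locations, and the function names and the OPENSSL variable are hypothetical.

```shell
#!/bin/sh
# Added example: find a PEM CA bundle, point openssl at it via SSL_CERT_FILE,
# and read the "Verify return code" line that s_client prints.

# Which openssl to run; for the build in the report use ./default/bin/openssl.
OPENSSL="${OPENSSL:-openssl}"

# Candidate bundle locations (assumed list; first entry is the one from the report).
CA_CANDIDATES="/etc/pki/tls/cert.pem
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/etc/ssl/ca-bundle.pem
/etc/ssl/cert.pem"

# Print the first candidate that is readable and actually contains a PEM
# certificate. $1 is an optional root prefix, e.g. a chroot or a test tree.
find_ca_bundle() {
    prefix="${1:-}"
    for f in $CA_CANDIDATES; do
        if [ -r "$prefix$f" ] &&
           grep -q -- '-----BEGIN CERTIFICATE-----' "$prefix$f"; then
            printf '%s\n' "$prefix$f"
            return 0
        fi
    done
    return 1
}

# Read s_client output on stdin and print the numeric verify return code.
# s_client can print the line more than once; the last one is used.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Connect to host:port ($1) with the discovered bundle.
# Returns 0 only for "Verify return code: 0 (ok)", 2 if no bundle was found.
check_host() {
    bundle=$(find_ca_bundle) || { echo "no CA bundle found" >&2; return 2; }
    code=$(SSL_CERT_FILE="$bundle" "$OPENSSL" s_client -connect "$1" \
               </dev/null 2>/dev/null | verify_code)
    echo "bundle=$bundle verify_code=${code:-none}"
    [ "$code" = "0" ]
}
```

Run `check_host www.rubygems.org:443` after sourcing the file; a result of 20 with a bundle present means the bundle lacks the issuer, not that the lookup path is wrong.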