Cannot make HTTPS connections on Windows (works on OSX and Linux)

[duncanmak]

On Mac and Linux, this works out of the box:

ruby -rnet/http -e 'Net::HTTP.get(URI("https://google.com"));'

On Windows, however, this error shows up:

C:\Users\builder>ruby -rnet/http -e 'Net::HTTP.get(URI("https://google.com"));'
C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=
1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (Open
SSL::SSL::SSLError)
        from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `block in connect'
        from C:/Ruby22-x64/lib/ruby/2.2.0/timeout.rb:73:in `timeout'
        from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect'
        from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:863:in `do_start'
        from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:852:in `start'
        from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:583:in `start'
        from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:478:in `get_response'
        from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:455:in `get'
        from -e:1:in `<main>'

We have tried RubyInstaller 2.2.4-x64 as well as older releases, and we see the same error regardless.

The error is similar to the one in the issue involving RubyGems discussed here a year ago, but that has since been fixed (See #261). I can verify that gem install <gem> works on WIndows for me without problems.

Outside of gem, however, I still see a similar error when I try to open SSL connections, i.e. the snippet above.

Is there a reason why the one-liner for GETan HTTPS resource fails in the default installation on Windows?

cc @msylvia, @Azolo

[dmajkic]

Download newset certs (cacert.pem) from here:

https://curl.haxx.se/docs/caextract.html

Set enviroment variable to the full path location of the downloaded file. Eg:

set SSL_CERT_FILE=C:\somewhere\cacert.pem

To make it permanent, set SSL_CERT_FILE in "Advanced System Settings"

[duncanmak]

@dmajkic I've seen those instructions before. My issue is, why do we need to do that ourselves? Is there a reason why the default installation is faulty?

[dmajkic]

@duncanmak Ruby is using OpenSSL for securing sockets. It's a third party solution, and Ruby expects that OpenSSL part is working. That is the "download certificates and set enviroment variable" part.

That step is to setup OpenSSL to work on Windows. Not Ruby.

On Linux, where OpenSSL is system managed solution, this maintenance is done by system itself (cert locations, apt updating to newer version of root certs). On Windows - you must maintain it manually.

[Azolo]

@duncanmak Unfortunately @dmajkic is correct.

This has been discussed before on how to handle this automatically, but the decision was basically, A) Don't override Environment Variables that would allow this to work because it might cause conflicts with other versions of OpenSSL, B) Don't patch it because it would change the behavior of the library.

So, the result is to handle it ourselves. =/ That being said many libraries ship with CA certificates, including rubygems.

If there is a particular problem you're trying to solve we would be glad to help but I don't have a built-in solution for the current inconvenience.

[ioandev]

Didn't work for me.

[augustosamame]

Didn't work for me either

[dmajkic]

Consider moving to oneclick/rubyinstaller2 which is in active development and addressees this issue.

[augustosamame]

@dmajkic unfortunately rubyinstaller2 is too modern for my Windows Server 2008 R2 installation. My setup: Ruby version: ruby 2.2.6p396 (2016-11-15 revision 56800) [x64-mingw32] Rails version: Rails 5.0.6 Windows version: Windows Server 2008 R2 Enterprise SP1

[MSP-Greg]

@augustosamame

Do you know if it's an issue with RubyInstaller2 or Ruby 2.4? Would Ruby 2.3.x work?

[augustosamame]

will check and report back

[vais]

@augustosamame

unfortunately rubyinstaller2 is too modern for my Windows Server 2008 R2 installation

rubyinstaller2 works just fine on my Windows Server 2008 R2 installations. What problem did you experience?