Open duckinator opened 8 years ago
The gist has an insecure set of instructions since that uses HTTP to download the CA certificates. We can't tell people to use these instructions since they don't establish a complete chain of trust.
Ah, good catch.
I'm not sure what the RVM one is doing: https://github.com/rvm/rvm/blob/master/scripts/osx-ssl-certs
Looks like RVM extracts its CA cert list from the OS X keychain:
https://github.com/rvm/rvm/blob/master/scripts/functions/osx-ssl-certs#L43-L47
Unfortunately this list includes CA certificates you've marked as untrusted. There should be a way around this.
hmm, that's no good at all. I imagine there'd be a flag you could pass or something, but I don't have access to a macOS system to try to find it.
Don't forget this blog post and its associated script (which have saved me from SSL errors I did not understand many times over at this point): http://mislav.net/2013/07/ruby-openssl/
Also, please note that haxx.se now provides the Curl CA bundle via HTTPS: https://curl.haxx.se/ca/cacert.pem
It's hard to get the Curl CA bundle via HTTPS if you don't already have the CA certificate to verify the server certificate.
I am assuming the existence of a browser (e.g. Firefox, Chrome) with its own set of trusted certs, so a user can fetch cacert.pem securely and then manually use it to validate future Ruby SSL connections.
Yes, or bundle the CA certificate inside the script doing the fetching (like RubyGems)
The SSL guide appears to only work if you're not using a version manager for Ruby (RVM, rbenv, etc).
I'm still collecting information about and helping resolve this in https://github.com/rubygems/rubygems/issues/1758.
However, some relevant links from that thread:
https://gist.github.com/fnichol/867550
EDIT: The gist has insecure instructions.
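The chain-of-trust point made in this thread, shown with constructed certificates: a CA bundle is the root of trust for every later TLS verification, so a bundle fetched over plain HTTP that had a rogue root appended in transit would make forged server certificates verify. This is added example code, not from the thread, RubyGems or RVM; the CA names and `example.org` host are made up.

```ruby
require 'openssl'

# Build an X.509 certificate (example helper, not from the thread).
# issuer_pair is [cert, key] of the signing CA; nil means a self-signed root.
def build_cert(cn, ca:, issuer_pair: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = rand(1..2**62)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  signer_cert, signer_key = issuer_pair || [cert, key]
  cert.issuer = signer_cert.subject
  ef = OpenSSL::X509::ExtensionFactory.new(signer_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(signer_key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Verify a server certificate against a CA bundle, the way a TLS client with
# OpenSSL::SSL::VERIFY_PEER does. Whatever is in the bundle decides which
# servers are accepted, so the bundle itself must arrive over a verified channel.
def chain_trusted?(bundle_certs, leaf_cert)
  store = OpenSSL::X509::Store.new
  bundle_certs.each { |c| store.add_cert(c) }
  store.verify(leaf_cert)
end

# Constructed scenario: a genuine root and a rogue root both issue a
# certificate for the same host. Returns which leaf each bundle accepts.
def bundle_scenarios
  genuine_ca  = build_cert('Genuine Root CA', ca: true)
  rogue_ca    = build_cert('Rogue Root CA', ca: true)
  real_leaf   = build_cert('example.org', ca: false, issuer_pair: genuine_ca).first
  forged_leaf = build_cert('example.org', ca: false, issuer_pair: rogue_ca).first

  trusted  = [genuine_ca.first]                 # bundle fetched over a verified channel
  tampered = [genuine_ca.first, rogue_ca.first] # bundle with a rogue root appended in transit
  {
    trusted_bundle:  { real: chain_trusted?(trusted, real_leaf),  forged: chain_trusted?(trusted, forged_leaf) },
    tampered_bundle: { real: chain_trusted?(tampered, real_leaf), forged: chain_trusted?(tampered, forged_leaf) }
  }
end

puts bundle_scenarios.inspect if $PROGRAM_NAME == __FILE__
```

The same store logic is what Net::HTTP applies when given `ca_file` together with `verify_mode = OpenSSL::SSL::VERIFY_PEER`, which is how a manually fetched cacert.pem is put to use for Ruby connections.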