Bundler SSL failures using rails-assets.org

I recently discovered a cool way to use Bower assets in rails applications from these guys.   I want to give a great shout out to  who provide an example application you can clone that is a good learning example on how use Restangular with Rails.

That was the good news.  I have an OSX development machine running 10.10 that I did that work on and it worked great.   My laptop running 10.11 however, would fail to bundle the assets from rails-assets.org.   It was complaining about SSL certificates and I had no idea how to deal with that.  My configuration is rvm 1.27.0, Jruby, rails, JDK 1.8.

I found an easy test to run quickly to compare environments and test for the problem:

ruby -e 'require "net/http"; require "uri"; require "jruby-openssl"; puts "ruby: "+RUBY_VERSION; puts "openssl: "+OpenSSL::OPENSSL_VERSION;Net::HTTP.get(URI("https://rails-assets.org"))'

If that fails, but changing rails-assets to rubygems succeeds, then you probably have the same problem and can try my solution.  What I don’t quite understand is how that test fails on OSX 10.10, yet the bundle install succeeds.

When using Jruby, the certificates are stored in the JDK.   You can use part of a recommended solution to find out where they are:

rvm osx-ssl-certs status all

It will return something like:

Certificates for /Library/Java/JavaVirtualMachines/jdk1.8.0_91.jdk/Contents/Home/jre/lib/security/cacerts: Up to date.

That cacerts file is a keystore.  You need to add the root certificate used by rails-assets.org to that keystore. There are probably different ways to do it, but Firefox allows you to export the certificate easily:

  1. Browse to rails-assets.org
  2. Click the lock icon, then the right arrow, more information,  view certificate, details
  3. Click the root certificate (DST Root CA X3)
  4. Click export, save to a file ending in .pem, with format X509 certificate.  In my example I saved to ~/Desktop/DSTRootCAX3.pem

Now put it in your keystore:

cd /Library/Java/JavaVirtualMachines/jdk1.8.0_91.jdk/Contents/Home/jre/lib/security/
sudo keytool -import -trustcacerts -alias root -file ~/Desktop/DSTRootCAX3.pem -keystore cacerts

(Note that the default password for the keystore is ‘changeit’)

That import fixes the ruby one line test above for 10.10 and 10.11, for JDK 1.7 and 1.8.

Things that seemed good but did nothing:
Several solutions here.

  1. Try bypassing ssl by using http in your gemfile (it must redirect to SSL because this does not work).
  2. gem update –system. No apparent effect
  3. put ‘:ssl_verify_mode: 0‘ in your ~/.gemrc.   This has the effect of getting past the first level of certificate error, but fails installing specific bower assets.   Further, it isn’t a good solution because it’s disabling ssl.
  4. use rvm to install ssl before installing ruby:  Doesn’t work for Jruby — the build is done with maven and the option for the ssl directory is not supported.

This looked promising.  Unfortunately on my laptop, the “rvm osx-ssl-certs update” ends up corrupting the JDK keystore! Instead of a keystore, it puts a text file containing certificates in its place, and subsequent failures start complaining about an invalid keystore. You’ll need to reinstall the JDK or recover the certificate file from a backup. The other solutions in the page simply don’t work.

Leave a Reply