Bug #9774

Net::HTTP failure to validate certificate

Added by dougalcorn (Doug Alcorn) almost 7 years ago. Updated over 1 year ago.

Target version:
ruby -v:
ruby 2.0.0p451 (2014-02-24 revision 45167) [x86_64-darwin13.1.0]


I'm trying to make an https connection to a host that uses a self-signed certificate. I've downloaded the certificate into a directory of my project and named it based on the fingerprint of the certificate. Using the openssl command line tool, I can verify the certificate. All examples below use an exported environment variable REMOTE_HOST for the hostname I'm connecting to.

echo | openssl s_client -CApath ./config/certs/ -connect ${REMOTE_HOST}:${REMOTE_PORT} 2>&1 | grep -i verify
verify return:1
    Verify return code: 0 (ok)

I've tried to do the same thing in ruby using this simple script stored in bin/test-net-http.rb:

require 'net/http'
require 'net/https'
require 'uri'

ca_path = File.join(File.dirname(__FILE__), "../config/certs")
url = URI.parse "https://#{ENV['REMOTE_HOST']}/authenticate/upauth"
auth_params = {
  uname: "test",
  pswd: "test"

http =, url.port)
http.set_debug_output $stderr
http.use_ssl = (url.scheme == 'https')
if ( && http.use_ssl?)
  http.ca_path = ca_path
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.verify_depth = 5
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request =
response = http.request(request)

puts response.inspect

When I run it from the command line as ruby ./bin/test-net-http.rb, I get this stack trace:

opening connection to <REMOTE_HOST>:443...
starting SSL for <REMOTE_HOST>:443...
SSL established
Conn close because of connect error SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
/Users/dalcorn/.rbenv/versions/2.0.0-p451/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from /Users/dalcorn/.rbenv/versions/2.0.0-p451/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
    from /Users/dalcorn/.rbenv/versions/2.0.0-p451/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
    from /Users/dalcorn/.rbenv/versions/2.0.0-p451/lib/ruby/2.0.0/net/http.rb:918:in `connect'
    from /Users/dalcorn/.rbenv/versions/2.0.0-p451/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
    from /Users/dalcorn/.rbenv/versions/2.0.0-p451/lib/ruby/2.0.0/net/http.rb:851:in `start'
    from /Users/dalcorn/.rbenv/versions/2.0.0-p451/lib/ruby/2.0.0/net/http.rb:1367:in `request'
    from ./bin/test-net-http.rb:24:in `<main>'

What I can't tell is the reason the certificate failed to verify. One thing that's different about this cert is that it's a multihost certificate using x509v3 subject alternative names. So, the hostname of REMOTE_HOST mismatches the common name of the cert.

Same results in:

  • ruby 1.9.3p448 (2013-06-27 revision 41675) [x86_64-darwin12.5.0]
  • ruby 2.0.0p451 (2014-02-24 revision 45167) [x86_64-darwin13.1.0]
  • ruby 2.1.0p0 (2013-12-25 revision 44422) [x86_64-darwin13.0]

Updated by pfrasa (Pierpaolo Frasa) over 6 years ago

I can confirm this bug on Mac OS X Mavericks with Ruby 2.1.1.

I actually didn't specify a ca_path, but imported the self-signed certificate into the Mac OS X keychain. The behaviour is the same however:

require 'net/http'
http ='someurl', 443)
http.use_ssl = true
=> OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

This bug does not arise with Ruby 1.9.3-p484, where the connection opens normally.

Updated by nagachika (Tomoyuki Chikanaga) over 6 years ago


I've encounter the similar issue on Mac OS X Mavericks with Ruby 2.0.0-p481 and 2.1.2.
But in my case, the problem is server configuration about intermediate certificate.
The right configuration (SSSLCertificateChainFile of httpd.conf) fixes the problem.
Just for reference.


Updated by naruse (Yui NARUSE) over 6 years ago

  • Status changed from Open to Feedback

Could you show the site to reproduce on my Mavericks?


Updated by jeremyevans0 (Jeremy Evans) over 1 year ago

  • Status changed from Feedback to Closed

Also available in: Atom PDF