certificate verify failed (unable to get certificate CRL) (OpenSSL::SSL::SSLError)

The following example fails after installing "OpenSSL 3.6.0":

require 'net/http'
require 'uri'

uri = URI('https://example.com')

# Creating a POST request, which is a subclass of Net::HTTPGenericRequest
request = Net::HTTP::Post.new(uri)

# Sending the request
Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
  response = http.request(request)
  puts response.body
end

With the following error:

/Users/[user]/.local/share/mise/installs/ruby/3.4.6/lib/ruby/3.4.0/net/protocol.rb:46:in 'OpenSSL::SSL::SSLSocket#connect_nonblock': SSL_connect returned=1 errno=0 peeraddr=[2600:1406:5e00:6::17ce:bc12]:443 state=error: certificate verify failed (unable to get certificate CRL) (OpenSSL::SSL::SSLError)
        from /Users/bfolkens/.local/share/mise/installs/ruby/3.4.6/lib/ruby/3.4.0/net/protocol.rb:46:in 'Net::Protocol#ssl_socket_connect'
        from /Users/bfolkens/.local/share/mise/installs/ruby/3.4.6/lib/ruby/3.4.0/net/http.rb:1736:in 'Net::HTTP#connect'
        from /Users/bfolkens/.local/share/mise/installs/ruby/3.4.6/lib/ruby/3.4.0/net/http.rb:1636:in 'Net::HTTP#do_start'
        from /Users/bfolkens/.local/share/mise/installs/ruby/3.4.6/lib/ruby/3.4.0/net/http.rb:1625:in 'Net::HTTP#start'
        from /Users/bfolkens/.local/share/mise/installs/ruby/3.4.6/lib/ruby/3.4.0/net/http.rb:1064:in 'Net::HTTP.start'
        from test.rb:10:in '<main>'

bundle doctor --ssl fails with:

The Gemfile's dependencies are satisfied
Here's your OpenSSL environment:

OpenSSL:       3.3.0
Compiled with: OpenSSL 3.6.0 1 Oct 2025
Loaded with:   OpenSSL 3.6.0 1 Oct 2025

Trying connections to https://rubygems.org:
Bundler:       success
RubyGems:      success
Ruby net/http: failed

Unfortunately, this Ruby can't connect to rubygems.org.

Below affect only Ruby net/http connections:
SSL_CERT_FILE: exists     /opt/homebrew/etc/openssl@3/cert.pem
SSL_CERT_DIR:  exists     /opt/homebrew/etc/openssl@3/certs

Your Ruby can't connect to rubygems.org because you are missing the certificate files OpenSSL needs to verify you are connecting to the genuine rubygems.org servers.

No issues found with the installed bundle

Same here. It looks like DEFAULT_CERT_STORE is initialized empty, so Ruby cannot verify any SSL connections. I found this temporary workaround:

Create ~/.rubyopenssl_default_store.rb:

require "openssl"
s = OpenSSL::X509::Store.new.tap(&:set_default_paths)
OpenSSL::SSL::SSLContext.send(:remove_const, :DEFAULT_CERT_STORE) rescue nil
OpenSSL::SSL::SSLContext.const_set(:DEFAULT_CERT_STORE, s.freeze)

Load it for all Ruby processes, e.g. in your shell config:

export RUBYOPT="-r$HOME/.rubyopenssl_default_store.rb $RUBYOPT"

Thanks for your report.

OpenSSL::SSL::SSLContext#set_params uses the default cert store with the OpenSSL::X509::V_FLAG_CRL_CHECK_ALL flag (and no other flags):

openssl/lib/openssl/ssl.rb

Lines 92 to 94 in 7f4886b

 
  DEFAULT_CERT_STORE = OpenSSL::X509::Store.new # :nodoc: 
 
  DEFAULT_CERT_STORE.set_default_paths 
 
  DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL

OpenSSL 3.6.0 appears to have changed the behavior in commit openssl/openssl@b1b4b15, which doesn't look intentional.

At the same time, ruby/openssl shouldn't set that flag by default. It previously had no effect, according to the man page for X509_VERIFY_PARAM_set_flags():

X509_V_FLAG_CRL_CHECK_ALL expands CRL checking to the entire certificate chain if X509_V_FLAG_CRL_CHECK has also been enabled, and is otherwise ignored.

@ledermann

Same here. It looks like DEFAULT_CERT_STORE is initialized empty, so Ruby cannot verify any SSL connections. I found this temporary workaround:

Create ~/.rubyopenssl_default_store.rb:
require "openssl"
s = OpenSSL::X509::Store.new.tap(&:set_default_paths)
OpenSSL::SSL::SSLContext.send(:remove_const, :DEFAULT_CERT_STORE) rescue nil
OpenSSL::SSL::SSLContext.const_set(:DEFAULT_CERT_STORE, s.freeze)

Load it for all Ruby processes, e.g. in your shell config:
export RUBYOPT="-r$HOME/.rubyopenssl_default_store.rb $RUBYOPT"

Thank you @ledermann !! this worked

Thanks @rhenium for digging into this

ssl: remove OpenSSL::X509::V_FLAG_CRL_CHECK_ALL from the default store

@rhenium

Thanks @rhenium 🙏

I've pushed v3.1.2, v3.2.2, and v3.3.1 to rubygems.org with the change in #950.

[ruby/openssl] ssl: remove OpenSSL::X509::V_FLAG_CRL_CHECK_ALL from t…

@rhenium

@rhenium can you make an update for 3.3.4

fix ssl crl error

add openssl dep at version new enough to fix ruby/openssl#949

add openssl dep at version new enough to fix ruby/openssl#949 (#6094)

add openssl dep at version new enough to fix ruby/openssl#949 (#195)

add openssl dep at version new enough to fix ruby/openssl#949 (#89)

Account for SSL Error

certificate verify failed (unable to get certificate CRL) (OpenSSL::SSL::SSLError) #949

47 remaining items

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Participants

	DEFAULT_CERT_STORE = OpenSSL::X509::Store.new # :nodoc:
	DEFAULT_CERT_STORE.set_default_paths
	DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL

certificate verify failed (unable to get certificate CRL) (OpenSSL::SSL::SSLError) #949

Description

Activity

ledermann commented last monthon Oct 4, 2025

rhenium commented last monthon Oct 4, 2025

bfolkens commented last monthon Oct 4, 2025

miharekar commented 3 weeks agoon Oct 6, 2025

rhenium commented 3 weeks agoon Oct 6, 2025

DucNguyenTHT commented 3 weeks agoon Oct 7, 2025

47 remaining items

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Participants

Issue actions

ledermann commented on Oct 4, 2025

rhenium commented on Oct 4, 2025

bfolkens commented on Oct 4, 2025

miharekar commented on Oct 6, 2025

rhenium commented on Oct 6, 2025

DucNguyenTHT commented on Oct 7, 2025