Missing certificates for rubygems and bundler in Ruby 1.8.7

With Ruby 1.8.7 you can no longer use the maximum supported versions, Rubygems 1.8.30 and Bundler 1.17.3, with https://rubygems.org/. This is the result of a server certificate change on December 5th, 2020. The resulting errors look like the following:

  • TypeError: can't modify frozen object
  • Could not verify the SSL certificate for https://rubygems.org/*
  • Bundler::Fetcher::CertificateFailureError: Could not verify the SSL certificate for https://index.rubygems.org/versions.
  • Error fetching data: hostname was not match with the server certificate (https://rubygems.org/*)

Fix 1: Use docker and gemstash (recommended for makandra employees)

Use our legacy docker setup for development. For all other developers:

You can run a local gemstash container and proxy all requests to rubygems:

cat ~/.bundle/config 
---
BUNDLE_MIRROR__HTTPS://RUBYGEMS__ORG/: "http://gemstash:9292"

Fix 2: Disable SSL checks (not recommended)

Be sure you know the risks of man-in-the-middle attacks.

Note: Rubygems 1 defaults to http if no source is set, so only users who have https://rubygems.org/ in their source list will notice an error when trying to run gem install.

Disable SSL checks globally for Rubygems

Add the following line to your ~/.gemrc file:

:ssl_verify_mode: 0

Disable SSL checks globally for Bundler

Update your ~/.bundle/config:

bundle config --global ssl_verify_mode 0

Disable SSL checks locally for Rubygems

Disabling only the SSL checks for a single gem install does not seem to be possible, so you need to install the gem over http instead:

gem install some_gem --clear-sources --source 'http://rubygems.org/'

Disable SSL checks locally for Bundler

Update your .bundle/config file in the project:

bundle config --local ssl_verify_mode 0
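
Any of the settings above that stay in place keep gem downloads unverified after the workaround is no longer needed. The following script is an added example, not part of the original card: it scans the files you pass it for ssl_verify_mode 0 and for plain-http rubygems.org sources. The function names and the sample files are constructed for illustration; BUNDLE_SSL_VERIFY_MODE is the key that bundle config ssl_verify_mode writes to .bundle/config.

```shell
#!/bin/sh
# Added example (not from the original card): find leftover "Fix 2" settings.
# Usage: sh audit_gem_tls.sh ~/.gemrc ~/.bundle/config .bundle/config Gemfile

# audit_file FILE: print "file:line: finding" for each risky line.
# Returns 1 if anything was found, 0 otherwise (a missing file counts as clean).
audit_file() {
    [ -f "$1" ] || return 0
    awk -v f="$1" '
        BEGIN { bad = 0 }
        /^[ \t]*#/ { next }    # ignore comment lines
        /^[ \t]*:ssl_verify_mode:[ \t]*"?0"?[ \t]*$/ {
            print f ":" NR ": RubyGems certificate verification disabled"; bad = 1 }
        /^[ \t]*BUNDLE_SSL_VERIFY_MODE:[ \t]*"?0"?[ \t]*$/ {
            print f ":" NR ": Bundler certificate verification disabled"; bad = 1 }
        /http:\/\/(index\.)?rubygems\.org/ {
            print f ":" NR ": rubygems.org fetched over plain http"; bad = 1 }
        END { exit bad }
    ' "$1"
}

# audit_all FILE...: audit every file, return 1 if any file had a finding.
audit_all() {
    rc=0
    for f in "$@"; do
        audit_file "$f" || rc=1
    done
    return "$rc"
}

# write_samples DIR: constructed sample files for trying the audit offline.
write_samples() {
    mkdir -p "$1/.bundle"
    printf '%s\n' '---' ':ssl_verify_mode: 0' > "$1/.gemrc"
    printf '%s\n' '---' 'BUNDLE_SSL_VERIFY_MODE: "0"' > "$1/.bundle/config"
    printf '%s\n' '---' \
        'BUNDLE_MIRROR__HTTPS://RUBYGEMS__ORG/: "http://gemstash:9292"' > "$1/mirror_config"
    printf '%s\n' "source 'http://rubygems.org/'" "gem 'rake'" > "$1/Gemfile"
}

# Audit the files named on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_all "$@"
fi
```

The gemstash mirror entry from Fix 1 is not reported, because it keeps https://rubygems.org/ as the source and only redirects to the local proxy.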

Fix 3: Use a fixed release (status unknown)

A patch for Rubygems 1 and Bundler 1 might be released. The patches are already merged in the most recent version of Rubygems and Bundler.

Emanuel Over 3 years ago