OpenSSL::SSL::SSLError en Heroku [duplicado]

I'm trying to authenticate a user via Facebook or Twitter, get them to fill out their information, and then click save (thus creating a user record). I'm getting an OpenSSL error on that final step -- after clicking save. This happens at the Devise RegistrationsController#create method.

So I'm getting this error in my Rails application, hosted on Heroku:

2012-07-28T18:25:13+00:00 app[web.1]: OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)

I've seen plenty of solutions, none of them work. Here are some things I've tried:

1) Instalación del certified joya

2) Upgrading the Heroku gem to v2.30, pushing again

3) Esto:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :twitter, TWITTER_KEY, TWITTER_SECRET, {:client_options => {:ssl => {:ca_file => "/usr/lib/ssl/certs/ca-certificates.crt"}}}
  provider :facebook, FACEBOOK_KEY, FACEBOOK_SECRET, {:scope => "publish_actions,user_location,email", :client_options => {:ssl => {:ca_file => "/usr/lib/ssl/certs/ca-certificates.crt"}}}

It seems like one problem could be that this cert file doesn't actually exist -- I've seen it in several places, and it seems like that is the default path to the ca_cert file for Heroku, but I could be wrong.

Oddly enough, this is happening después de I've already authenticated via FB/Twitter, and am trying to create a user's account. Why would this be, and how can I solve/debug this? Sincerely confused.

Actualizar: I added this line to the Omniauth initializer, and now it "works". Thus I've diagnosed the problem is with Omniauth. However, I'd like to still have the SSL verification... this obviously leaves a security gap.


preguntado el 28 de julio de 12 a las 19:07

take a look at my answer below. It still keeps the verification. -

@Simone Carletti marked this question as duplicate, but it is not. The other question is about problems to update Ruby Gems and this one is for not being able to call 3rd party https:// services from Heroku. -

2 Respuestas

After some searching here is what I found:

If you’re using Ruby to open connections to an external server over https, eg. the Facebook Graph API, you may run into the following error:


This error is due to Ruby not being able to find the certification authority certificates (CA Certs) used to verify the authenticity of secured web servers. The solution is to download the this ca-bundle.crt into your application’s lib/ directory: Then add the following code to config/initializers/fix_ssl.rb:

require 'open-uri'
require 'net/https'

module Net
  class HTTP
    alias_method :original_use_ssl=, :use_ssl=

    def use_ssl=(flag)
      self.ca_file = Rails.root.join('lib/ca-bundle.crt').to_s
      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
      self.original_use_ssl = flag

This should force ruby to use the CA bundle from your application’s lib/ directory.

Tomado de:


Puede que necesite utilizar self.ca_path= en lugar de self.ca_file= dependiendo de su sistema.

Respondido el 07 de junio de 13 a las 14:06

I tried this and it didn't work. How is the .crt file kept up to date? - red

You have to keep it up to date manually. If you are hosting on Heroku I think you can use their CA file /usr/lib/ssl/certs/ca-certificates.crt - pavel nikolov

Worked for me on Heroku using /usr/lib/ssl/certs/ca-certificates.crt - thanks! - Todd

This worked for me on Windows 7 using the exact code posted. - Nicola Peluchetti

I just started getting this error on Heroku - nothing has changed in my app... I tried Pavel's solution with self.ca_path and self.ca_file and the hardwired path to the certs - did not work for me. I'm using ruby 1.9.3 and Rails 3.2.12. The OpenSSL version is OpenSSL 0.9.8k 25 Mar 2009. Any other ideas? -

It sounds like you've got the right openssl configuration in OmniAuth, but perhaps your CA certs path isn't correct?

You can check that on your heroku servers by running:

heroku run bash

... and then running openssl to display the proper path:

$ openssl version -a
OpenSSL 1.0.0e 6 Sep 2011
OPENSSLDIR: "/usr/lib/ssl"

... You should find the ca_certificates.crt file at $OPENSSLDIR/certs/ca-certificates.crt

I would confirm that path an update your code to match.

Respondido 30 Jul 12, 22:07

Yup ca-certificates is there... (in /usr/lib/ssl/certs). Thanks for heroku run bash.. didn't know about that - Varatis

Is this something that Omniauth requires, or every external request? Maybe that's the problem... I'm making another external request that isn't working? - Varatis

Yeah, can you provide more context from your logs about where it's throwing the SSL error? Perhaps a stack trace? - Winfield

Unfortunately, that's all it gave me so far, I'll try to set the debug level higher and let you know. But also, check the update -- it's sort of helpful. - Varatis

No es la respuesta que estás buscando? Examinar otras preguntas etiquetadas or haz tu propia pregunta.