SSL check fails on Tumbleweed due to missing ca-certificates.crt - Ruby net/http: ❌ failed

[KarimElsayad247]

First of all, I apologize if this is the wrong place to report this issue. Please tell me if there's a more appropriate place. I don't know if I should report here or in net::http repo.

Describe the problem as clearly as you can

For me it all started when I was setting up Sorbet/Tapioca. running its init command resulted in an error that can be seen in this issue

Retrieving index from central repository... bundler: failed to load command: tapioca (/home/karim/.rbenv/versions/3.4.2/bin/tapioca)
/home/karim/.rbenv/versions/3.4.2/lib/ruby/gems/3.4.0/gems/net-protocol-0.2.2/lib/net/protocol.rb:46:in 'OpenSSL::SSL::SSLSocket#connect_nonblock': SSL_connect returned=1 errno=0 peeraddr=185.199.111.133:443 stat
e=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)

BUT bundle install works flawlessly, seeing as I can perfectly setup my rails project.

My ruby (3.4.2) is installed using rbenv, though the problem also occurred with 3.3.

Did you try upgrading RubyGems?

updated with gem update --system

gem --version is 3.6.6

and

$ ruby -ropenssl -e 'puts OpenSSL::OPENSSL_LIBRARY_VERSION' 

OpenSSL 3.0.16 11 Feb 2025

Post steps to reproduce the problem

OS

Operating System: openSUSE Tumbleweed 20250315
KDE Plasma Version: 6.3.3
KDE Frameworks Version: 6.11.0
Qt Version: 6.8.2
Kernel Version: 6.13.6-1-default (64-bit)
Graphics Platform: X11

Ruby

rbenv: 1.3.2

ruby: 3.4.2

SSL Check

 ❯ curl -Lks 'https://git.io/rg-ssl' | ruby

Here's your Ruby and OpenSSL environment:

Ruby:          ruby 3.4.2 (2025-02-15 revision d2930f8e7a) +PRISM [x86_64-linux]
RubyGems:      3.6.6
Bundler:       2.6.6
OpenSSL:       3.3.0
Compiled with: OpenSSL 3.0.16 11 Feb 2025
Loaded with:   OpenSSL 3.0.16 11 Feb 2025

Trying connections to https://rubygems.org:

Bundler:       ✅ success
RubyGems:      ✅ success
Ruby net/http: ❌ failed

Unfortunately, this Ruby can't connect to rubygems.org. 😡

Below affect only Ruby net/http connections:

SSL_CERT_FILE: ❌ is missing /etc/ssl/certs/ca-certificates.crt
SSL_CERT_DIR:  ✅ exists     /home/karim/.rbenv/versions/3.4.2/openssl/ssl/certs


Your Ruby can't connect to rubygems.org because you are missing the certificate
files OpenSSL needs to verify you are connecting to the genuine rubygems.org servers.

Steps:

• rails new project
• bundle install
• add the following to Gemfile:

gem 'sorbet', :group => :development
gem 'sorbet-runtime'
gem 'tapioca', require: false, :group => [:development, :test]

• Verify that tapioca is installed

❯ bundle exec srb
[help output]

• finally, run

❯ bundle exec tapioca init

Which command did you run?

bundle exec tapioca init

What were you expecting to happen?

command to complete without issues

What actually happened?

Command failed without the following output

✗❯ bundle exec tapioca init
   identical  sorbet/config
   identical  sorbet/tapioca/config.yml
   identical  sorbet/tapioca/require.rb
       force  bin/tapioca
Retrieving index from central repository... ""
"--------------------------------------------------------------------------------"
#<URI::HTTPS https://raw.githubusercontent.com/Shopify/rbi-central/main/index.json>
bundler: failed to load command: tapioca (/home/karim/.rbenv/versions/3.4.2/bin/tapioca)
/home/karim/.rbenv/versions/3.4.2/lib/ruby/gems/3.4.0/gems/net-protocol-0.2.2/lib/net/protocol.rb:46:in 'OpenSSL::SSL::SSLSocket#connect_nonblock': SSL_connect returned=1 errno=0 peeraddr=18
5.199.110.133:443 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)
        from /home/karim/.rbenv/versions/3.4.2/lib/ruby/gems/3.4.0/gems/net-protocol-0.2.2/lib/net/protocol.rb:46:in 'Net::Protocol#ssl_socket_connect'
        from /home/karim/.rbenv/versions/3.4.2/lib/ruby/3.4.0/net/http.rb:1736:in 'Net::HTTP#connect'
        from /home/karim/.rbenv/versions/3.4.2/lib/ruby/3.4.0/net/http.rb:1636:in 'Net::HTTP#do_start'
        from /home/karim/.rbenv/versions/3.4.2/lib/ruby/3.4.0/net/http.rb:1625:in 'Net::HTTP#start'
        from /home/karim/.rbenv/versions/3.4.2/lib/ruby/3.4.0/net/http.rb:1064:in 'Net::HTTP.start'
        from /home/karim/.rbenv/versions/3.4.2/lib/ruby/gems/3.4.0/gems/tapioca-0.16.11/lib/tapioca/commands/annotations.rb:184:in 'Tapioca::Commands::Annotations#fetch_http_file'
        from /home/karim/.rbenv/versions/3.4.2/lib/ruby/gems/3.4.0/gems/sorbet-runtime-0.5.11945/lib/types/private/methods/_methods.rb:279:in 'UnboundMethod#bind_call'
        from /home/karim/.rbenv/versions/3.4.2/lib/ruby/gems/3.4.0/gems/sorbet-runtime-0.5.11945/lib/types/private/methods/_methods.rb:279:in 'block in Tapioca::Commands::Annotations#_on_met
hod_added'
............................more stack trace

Run gem env and paste the output below

❯ gem env
RubyGems Environment:
  - RUBYGEMS VERSION: 3.6.6
  - RUBY VERSION: 3.4.2 (2025-02-15 patchlevel 28) [x86_64-linux]
  - INSTALLATION DIRECTORY: /home/karim/.rbenv/versions/3.4.2/lib/ruby/gems/3.4.0
  - USER INSTALLATION DIRECTORY: /home/karim/.local/share/gem/ruby/3.4.0
  - CREDENTIALS FILE: /home/karim/.local/share/gem/credentials
  - RUBY EXECUTABLE: /home/karim/.rbenv/versions/3.4.2/bin/ruby
  - GIT EXECUTABLE: /usr/bin/git
  - EXECUTABLE DIRECTORY: /home/karim/.rbenv/versions/3.4.2/bin
  - SPEC CACHE DIRECTORY: /home/karim/.cache/gem/specs
  - SYSTEM CONFIGURATION DIRECTORY: /home/karim/.rbenv/versions/3.4.2/etc
  - RUBYGEMS PLATFORMS:
     - ruby
     - x86_64-linux
  - GEM PATHS:
     - /home/karim/.rbenv/versions/3.4.2/lib/ruby/gems/3.4.0
     - /home/karim/.local/share/gem/ruby/3.4.0
  - GEM CONFIGURATION:
     - :update_sources => true
     - :verbose => true
     - :backtrace => true
     - :bulk_threshold => 1000
  - REMOTE SOURCES:
     - https://rubygems.org/
  - SHELL PATH:
     - /home/karim/.rbenv/versions/3.4.2/bin
     - /home/karim/.rbenv/libexec
     - /home/karim/.rbenv/plugins/ruby-build/bin
     - /home/karim/.rbenv/shims
     - /home/karim/.cargo/bin
     - /home/karim/.rbenv/shims
     - /home/karim/.rbenv/bin
     - /usr/local/bin
     - /usr/bin
     - /bin
     - /usr/X11R6/bin
     

[deivid-rodriguez]

Bundler and RubyGems use net/http under the hood. So if they are working but tapioca is not, it's most likely because Bundler & RubyGems are passing some SSL related options to net/http that tapioca is not passing.

I would add some debugging prints to net/http to see the options each library is passing around to discover the differences.

In any case, this seems definitely not an issue in RubyGems or Bundler, so I'll close this ticket. Your issues in tapioca (to add the missing options) and/or net/http (in case there's some behavior that could be improved in net/http to make this just work, without additional options) seem better options.

Good luck!

[KarimElsayad247]

Thanks a lot for your help!

[KarimElsayad247]

@deivid-rodriguez Still, even if Tapioca has an issue, why does the ruby ssl check fail?

especially

SSL_CERT_FILE: ❌ is missing /etc/ssl/certs/ca-certificates.crt

[KarimElsayad247]

I tried to sim link it to /var/lib/ca-certificates/ca-bundle.pem to no avail, and I just can't figure out why net::http is annoyed.

[deivid-rodriguez]

So it turns out that RubyGems & Bundler vendor their own certificates, and configures net/http to use them. That's why Bundler & RubyGems work.

If you want tapioca or other usages of net/http to work on your system, you should make sure that either OpenSSL::X509::DEFAULT_CERT_FILE points to a valid system certificate, or that OpenSSL::X509::DEFAULT_CERT_DIR directory has a valid system certificate inside.

I think in ubuntu, it's the ca-certificates package providing these files, but I'm not sure about OpenSUSE.

[KarimElsayad247]

Thanks for the tip/pointer about default OpenSSL cert file.

Turns out, my problem was that default OpenSSL cert file used a path relative to my home dir like this

"~/.rbenv/versions/3.4.2/openssl/ssl/cert.pem"

but when I set my SSL_CERT_FILE env var to an absolute path like this

export SSL_CERT_FILE=/home/karim/.rbenv/versions/3.4.2/openssl/ssl/cert.pem

The cert was finally found.

I also discovered that Ruby's File.exist? doesn't seem to understand ~, as it always returned false, this is why the SSL check script always failed.

[deivid-rodriguez]

I see, so you had SSL_CERT_FILE="~/.rbenv/versions/3.4.2/openssl/ssl/cert.pem" set somewhere, correct? That indeed seems like an issue in your environment, because tilde expansion is a shell thing, but not considered anywhere else. However, we could possibly add some code to https://github.com/rubygems/ruby-ssl-check to help troubleshooting this kind of issue.

[deivid-rodriguez]

I proposed rubygems/ruby-ssl-check#17 because I believe with that change in place, this problem would've been way more straightforward to figure out.

[dennyluan]

I'm running into this problem on a previously working install:

Here's your Ruby and OpenSSL environment:

Ruby:          ruby 3.4.5 (2025-07-16 revision 20cda200d3) +PRISM [arm64-darwin24]
RubyGems:      3.6.9
Bundler:       2.6.3
OpenSSL:       3.3.0
Compiled with: OpenSSL 3.6.0 1 Oct 2025
Loaded with:   OpenSSL 3.6.0 1 Oct 2025

Trying connections to https://rubygems.org:

Bundler:       ✅ success
RubyGems:      ✅ success
Ruby net/http: ❌ failed

Unfortunately, this Ruby can't connect to rubygems.org. 😡

Below affect only Ruby net/http connections:

SSL_CERT_FILE: ✅ exists     /opt/homebrew/etc/openssl@3/cert.pem
SSL_CERT_DIR:  ✅ exists     /opt/homebrew/etc/openssl@3/certs


Your Ruby can't connect to rubygems.org because you are missing the certificate
files OpenSSL needs to verify you are connecting to the genuine rubygems.org servers.

> bundle doctor --ssl                                                                                                                                                                          
The Gemfile's dependencies are satisfied
Here's your OpenSSL environment:

OpenSSL:       3.3.0
Compiled with: OpenSSL 3.6.0 1 Oct 2025
Loaded with:   OpenSSL 3.6.0 1 Oct 2025

Trying connections to https://rubygems.org:
Bundler:       success
RubyGems:      success
Ruby net/http: failed

Unfortunately, this Ruby can't connect to rubygems.org.

Below affect only Ruby net/http connections:
SSL_CERT_FILE: exists     /opt/homebrew/etc/openssl@3/cert.pem
SSL_CERT_DIR:  exists     /opt/homebrew/etc/openssl@3/certs

Your Ruby can't connect to rubygems.org because you are missing the certificate files OpenSSL needs to verify you are connecting to the genuine rubygems.org servers.

No issues found with the installed bundle

Sorry nevermind this looks like a net-http issue: ruby/net-http#229