I'm getting an SSL error when making an HTTPS request in a Rails controller (Ruby 3.1.6):

    OpenSSL::SSL::SSLError in PurchaseAttemptsController#create
    SSL_connect returned=1 errno=0 peeraddr=3.175.45.47:443 state=error: certificate verify failed (unable to get certificate CRL)

I also tested using openssl s_client and it fails with the same error:

    Verify return code: 3 (unable to get certificate CRL)

Environment:
macOS: 15.6
System LibreSSL: 3.3.6
Homebrew OpenSSL: 3.6.0
Ruby: 3.1.6 (installed via asdf)
Ruby OpenSSL::OPENSSL_VERSION: OpenSSL 3.6.0
OpenSSL::X509::DEFAULT_CERT_FILE: /opt/homebrew/etc/openssl@3/cert.pem
OpenSSL::X509::DEFAULT_CERT_DIR: /opt/homebrew/etc/openssl@3/certs
Ruby build flags include: --with-openssl-dir=/opt/homebrew/opt/openssl@3

What I already tried:
Recompiled Ruby with --with-openssl-dir targeting Homebrew OpenSSL.
Installed updated certificates via brew install ca-certificates + security add-trusted-cert.
Exported SSL_CERT_FILE and SSL_CERT_DIR to point to Homebrew certs.
Manually tested CRL with openssl verify -crl_check (fails due to CRL not reachable from my network).
Tried using custom OpenSSL::X509::Store in Ruby (still enforces CRL validation).
No custom CRL config in openssl.cnf, using default provider.
Questions:
Why is Ruby/OpenSSL enforcing CRL verification if the certificate doesn’t explicitly require it?
Is there a way to disable CRL checking in Ruby/OpenSSL without setting verify_mode: OpenSSL::SSL::VERIFY_NONE?
Could this be caused by mixing system LibreSSL with Homebrew OpenSSL?
Does openssl.cnf enable CRL verification implicitly?
This seems more like an OpenSSL/Ruby build or config issue than a Rails problem.
Any guidance would be appreciated.
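
Added example, not part of the original post: a self-contained Ruby script that reproduces verify code 3 ("unable to get certificate CRL") on a constructed throwaway CA, showing that it appears when OpenSSL::X509::V_FLAG_CRL_CHECK is set on the store with no CRL loaded, and that the same leaf verifies with the flag unset or with a CRL present. The helper names (make_cert, make_crl, verify_leaf) and the certificate names are made up for illustration; the script does not identify what enables the check on the poster's machine.

```ruby
require "openssl"

# Constructed throwaway PKI: one CA and one leaf certificate (not real hosts).
def make_cert(cn, key, issuer_cert, issuer_key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true)) if ca
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# An empty CRL signed by the CA, i.e. "nothing revoked".
def make_crl(ca_cert, ca_key)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  crl.add_extension(OpenSSL::X509::Extension.new("crlNumber", OpenSSL::ASN1::Integer(1)))
  crl.sign(ca_key, OpenSSL::Digest.new("SHA256"))
end

# Verify the leaf against a store holding the CA, with the given verify flags
# and optionally a CRL. Returns [ok, verify code, verify message].
def verify_leaf(ca_cert, leaf, flags: 0, crl: nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.add_crl(crl) if crl
  store.flags = flags
  ok = store.verify(leaf)
  [ok, store.error, store.error_string]
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert("Example Test CA", CA_KEY, nil, CA_KEY, 1, ca: true)
LEAF = make_cert("leaf.example.test", LEAF_KEY, CA_CERT, CA_KEY, 2, ca: false)
CRL_FLAG = OpenSSL::X509::V_FLAG_CRL_CHECK

p verify_leaf(CA_CERT, LEAF)                   # chain check only
p verify_leaf(CA_CERT, LEAF, flags: CRL_FLAG)  # CRL demanded, none loaded
p verify_leaf(CA_CERT, LEAF, flags: CRL_FLAG, crl: make_crl(CA_CERT, CA_KEY))
```

In all three cases the chain is still validated against the CA, which is the part VERIFY_NONE would throw away.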
