
More than 5 years have passed since last update.

When Rails' bundle install fails with "Could not verify the SSL certificate for https://rubygems.org/."

Table of contents

1. Introduction
2. Procedure

1. Introduction

Environment

OS : CentOS7
Rails : 5.2.0
ruby : 2.4.4p296
gem : 2.6.14.1

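Background

I added "gem 'rails-ujs'" to the Gemfile and ran bundle install, which failed with "Could not verify the SSL certificate for https://rubygems.org/." It took me a little while to sort out, so I am writing this down so that the same thing does not happen again.

Full error output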

Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will break this application for all non-root users on this machine.
The dependency tzinfo-data (>= 0) will be unused by any of the platforms Bundler is installing for. Bundler is installing for ruby but the dependency is only for x86-mingw32, x86-mswin32, x64-mingw32, java. To add those platforms to the bundle, run `bundle lock --add-platform x86-mingw32 x86-mswin32 x64-mingw32 java`.
Fetching source index from https://rubygems.org/

Retrying fetcher due to error (2/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
Retrying fetcher due to error (3/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
Retrying fetcher due to error (4/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about
OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.

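This error occurs when bundle install makes an HTTPS connection to https://rubygems.org/ and the SSL certificate cannot be verified. The steps I checked at that point were these two:
1. Is OpenSSL installed properly?
2. Is the certificate valid?
The detailed steps are described below.

2. Procedure

1. Is OpenSSL installed properly?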

> openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

If the command above prints no result, run the following command.

> yum -y install openssl

After it finishes, run "openssl version" again and check the result.

2. Is the certificate valid?

First, use the following command to find the location of the certificate file that Ruby uses.

> ruby -ropenssl -e 'p OpenSSL::X509::DEFAULT_CERT_FILE'
"/etc/pki/tls/cert.pem"

Move to the location printed above and download the latest certificates with the following commands. After a reboot, the new file is loaded properly.

> cd /etc/pki/tls/
> mv cert.pem cert.pem_org
> curl -L -O http://curl.haxx.se/ca/cacert.pem
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  210k  100  210k    0     0   268k      0 --:--:-- --:--:-- --:--:-- 1799k
> mv cacert.pem cert.pem
> reboot
> openssl s_client -connect example.com:443 < /dev/null 2> /dev/null | openssl x509 -text | grep Not
            Not Before: Nov  3 00:00:00 2015 GMT
            Not After : Nov 28 12:00:00 2018 GMT    <- this is the certificate's expiry date

After confirming above that the expiry date had been updated, I ran bundle install again and it succeeded.
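
Added example (not from the original post): the file that replaces cert.pem becomes the trust anchor list for every TLS connection Ruby makes, so this Ruby check inspects a candidate bundle before the mv by counting the certificates that parse, counting expired ones, and confirming that a chain verifies against that bundle alone. The certificates are throwaway ones constructed in memory, and the helper names (parse_bundle, audit_bundle, verify_against, make_cert) are illustrative.

```ruby
require 'openssl'

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Parse every certificate in a PEM bundle such as cert.pem or cacert.pem.
def parse_bundle(pem_text)
  pem_text.scan(PEM_CERT).map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Count the certificates that parse and how many of them are already expired.
def audit_bundle(pem_text, now = Time.now)
  certs = parse_bundle(pem_text)
  { total: certs.size, expired: certs.count { |c| c.not_after < now } }
end

# Verify a certificate against ONLY this bundle, not the system store.
# Returns [ok, reason], where reason is OpenSSL's verification message.
def verify_against(pem_text, cert)
  store = OpenSSL::X509::Store.new
  parse_bundle(pem_text).each { |ca| store.add_cert(ca) }
  ok = store.verify(cert)
  [ok, store.error_string]
end

# Constructed test material: builds a throwaway certificate in memory.
def make_cert(cn, key, issuer: nil, issuer_key: key, ca: false, days: 30)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true)) if ca
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

if __FILE__ == $PROGRAM_NAME
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Constructed Root CA', ca_key, ca: true)
  other = make_cert('Constructed Other CA', OpenSSL::PKey::RSA.new(2048), ca: true)
  leaf = make_cert('gems.example.test', OpenSSL::PKey::RSA.new(2048), issuer: ca, issuer_key: ca_key)
  p audit_bundle(ca.to_pem + other.to_pem)   # both constructed CAs parse
  p verify_against(ca.to_pem, leaf)          # issuer present in bundle
  p verify_against(other.to_pem, leaf)       # issuer missing: the Bundler failure case
end
```

To inspect a real file, pass its contents (for example File.read('cacert.pem')) as pem_text.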
