When running any HTTPS requests (e.g., through Net::HTTP, ActiveStorage::Service::S3Service) on macOS with Ruby 3.4.x and OpenSSL 3.6, SSL handshakes fail with the error:
OpenSSL::SSL::SSLError:
SSL_connect returned=1 errno=0 peeraddr=x.x.x.x:443 state=error:
certificate verify failed (unable to get certificate CRL)
check which openssl ruby is linked to
bundle doctor --ssl
or
curl -Lks 'https://git.io/rg-ssl' | ruby
The Gemfile's dependencies are satisfied
Here's your OpenSSL environment:
OpenSSL: 3.3.0
Compiled with: OpenSSL 3.5.2 5 Aug 2025
Loaded with: OpenSSL 3.6.0 1 Oct 2025
Trying connections to https://rubygems.org:
Bundler: success
RubyGems: success
Ruby net/http: failed
Unfortunately, this Ruby can't connect to rubygems.org.
Below affect only Ruby net/http connections:
SSL_CERT_FILE: exists /usr/local/etc/openssl@3/cert.pem
SSL_CERT_DIR: exists /usr/local/etc/openssl@3/certs
Your Ruby can't connect to rubygems.org because you are missing the certificate files OpenSSL needs to verify you are connecting to the genuine rubygems.org servers.
No issues found with the installed bundle
this tells that ruby is compiled with an older OpenSSL version 3.5.2 but currently system has newer OpenSSL version 3.6.0
fix
- reinstall ruby
with rbenv
rbenv uninstall 3.4.5
rbenv install 3.4.5
- check
curl -Lks 'https://git.io/rg-ssl' | ruby
Here's your Ruby and OpenSSL environment:
Ruby: ruby 3.4.5 (2025-07-16 revision 20cda200d3) +PRISM [x86_64-darwin24]
RubyGems: 3.6.9
Bundler: 2.7.1
OpenSSL: 3.3.2
Compiled with: OpenSSL 3.6.0 1 Oct 2025
Loaded with: OpenSSL 3.6.0 1 Oct 2025
Trying connections to https://rubygems.org:
Bundler: ✅ success
RubyGems: ✅ success
Ruby net/http: ✅ success
Hooray! This Ruby can connect to rubygems.org.
You are all set to use Bundler and RubyGems. 👌
now ruby is compiled with a newer OpenSSL 3.6.0.
- specify openssl gem version explicitly in Gemfile
gem "openssl", "~> 3.3", ">= 3.3.2"