As a response to a sudden appearance of intermittent errors on bundle install related to SSL, we’ve upgraded the RubyGems package to the latest version (2.1.9) in all Rubies provided on the Semaphore build platform.
The problem affected users sourcing rubygems.org via https in Gemfile:
source "https://rubygems.org"
The typical error looks like this:
Resolving deltas: 100% (1572/1572), done. Could not verify the SSL certificate for https://rubygems.org/. There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
The consensus seems to be that the solution is to upgrade RubyGems and ca-certificates package. Version 2.1.6 of RubyGems from October 8th indeed adds certificates “to follow s3.amazonaws.com certificate change”. The ca-certificates package that we had was already up to date, at least on Ubuntu 12.04 LTS.
The original problem is difficult to debug because it appears randomly. However our tests so far have shown that with the latest RubyGems it appears to be gone. We will continue to monitor the situation, and if necessary investigate if we can backport an even newer version of ca-certificates.
If you do encounter this problem from now again, please let us know via a support request.
Note that a possible general workaround to this kind of a problem is to source “http://rubygems.org” in Gemfile.
In other news, we’ve upgraded JRuby to 1.7.5.
Update 21 Oct: we’re now also setting the SSL_CERT_FILE environment variable. Thanks to Mislav Marohnić for a very good explanation.
Update 23 Oct: created a symlink for the previously nonexisting file returned by OpenSSL::X509::DEFAULT_CERT_FILE.
Update 25 Oct: the issue was acknowledged and fixed on RubyGems infrastructure. It boils down to this commit (via).