Bundler "SSL_connect ... certificate verify failed" fetching gems in CI
Bundler or gem opened a TLS connection to the gem source but could not validate the server certificate against the runner CA bundle. The handshake aborts before any gem downloads.
What this error means
bundle install or gem install fails with "SSL_connect returned=1 errno=0 state=error: certificate verify failed", often against a corporate mirror or proxy.
Bundler::Fetcher::CertificateFailureError: Could not verify the SSL certificate for
https://rubygems.org/. SSL_connect returned=1 errno=0 state=error: certificate verify failedCommon causes
A proxy presents an untrusted certificate
A TLS-inspecting proxy or self-hosted mirror serves a certificate signed by a CA not in the runner trust store.
An outdated CA bundle on the runner
A slim image with stale ca-certificates cannot validate a modern certificate chain.
How to fix it
Refresh the runner CA store
Update ca-certificates so the chain validates without disabling verification.
sudo apt-get update && sudo apt-get install -y ca-certificates
sudo update-ca-certificatesPoint RubyGems at the corporate CA
Trust the proxy CA explicitly instead of turning verification off.
export SSL_CERT_FILE=/etc/ssl/certs/corp-ca.pem
bundle installHow to prevent it
- Keep ca-certificates current in custom runner images.
- Install the corporate CA into the trust store, not into flags.
- Avoid disabling SSL verification as a permanent fix.