Skip to content
Latchkey

Bundler "SSL_connect ... certificate verify failed" fetching gems in CI

Bundler or gem opened a TLS connection to the gem source but could not validate the server certificate against the runner CA bundle. The handshake aborts before any gem downloads.

What this error means

bundle install or gem install fails with "SSL_connect returned=1 errno=0 state=error: certificate verify failed", often against a corporate mirror or proxy.

bundler
Bundler::Fetcher::CertificateFailureError: Could not verify the SSL certificate for
https://rubygems.org/. SSL_connect returned=1 errno=0 state=error: certificate verify failed

Common causes

A proxy presents an untrusted certificate

A TLS-inspecting proxy or self-hosted mirror serves a certificate signed by a CA not in the runner trust store.

An outdated CA bundle on the runner

A slim image with stale ca-certificates cannot validate a modern certificate chain.

How to fix it

Refresh the runner CA store

Update ca-certificates so the chain validates without disabling verification.

Terminal
sudo apt-get update && sudo apt-get install -y ca-certificates
sudo update-ca-certificates

Point RubyGems at the corporate CA

Trust the proxy CA explicitly instead of turning verification off.

Terminal
export SSL_CERT_FILE=/etc/ssl/certs/corp-ca.pem
bundle install

How to prevent it

  • Keep ca-certificates current in custom runner images.
  • Install the corporate CA into the trust store, not into flags.
  • Avoid disabling SSL verification as a permanent fix.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →