fix: SSL certificate verification issue

jeffreytse · jeffreytse · commit 2762fb08312d · 2025-11-09T02:04:49.000+08:00
Error message as follows:

&gt; error: certificate verify failed (unable to get certificate CRL)
diff --git a/script/init_environment.sh b/script/init_environment.sh
@@ -11,10 +11,6 @@ pre-flight() {
   # Installing git package
   pacman -S --noconfirm git
 
-  # Installing ca-certificates package to avoid SSL issues
-  pacman -S --noconfirm ca-certificates
-  update-ca-trust
-
   # Installing openssh package
   if [[ -n "${SSH_PRIVATE_KEY}" ]]; then
     pacman -S --noconfirm openssh
@@ -58,6 +54,22 @@ init_ruby() {
 
   # debug
   ruby -v && bundle version
+
+  # Update CA certificates to avoid SSL issues
+  # See https://github.com/ruby/openssl/issues/949
+# read -r -d '' UPDATE_SSL_CODE << EOF
+# require "openssl"
+# s = OpenSSL::X509::Store.new.tap(&:set_default_paths)
+# OpenSSL::SSL::SSLContext.send(:remove_const, :DEFAULT_CERT_STORE) rescue nil
+# OpenSSL::SSL::SSLContext.const_set(:DEFAULT_CERT_STORE, s.freeze)
+# EOF
+#   UPDATE_SSL_CODE_PATH="${WORKING_DIR}/.rubyopenssl_default_store.rb"
+#   echo "${UPDATE_SSL_CODE}" > ${UPDATE_SSL_CODE_PATH}
+#   export RUBYOPT="-r${UPDATE_SSL_CODE_PATH} $RUBYOPT"
+
+  # OpenSSL 3.6 broke Ruby's OpenSSL bindings, see: https://github.com/ruby/openssl/issues/949
+  # By using the openssl gem, we can pick up the fixes without needing to upgrade Ruby.
+  echo "gem 'openssl', '>= 3.3.1'" >> ${WORKING_DIR}/Gemfile"
 }
 
 pre-flight && init_ruby
