ruby-on-railsrubyamazon-s3rails-activestorage

How to handle Seahorse::Client::NetworkingError with certificate verify failed error

I'm running a Rails 8 app with a Option model that configures active storage like so:

has_one_attached :picture do |attachable|
  attachable.variant :small, resize_to_limit: [75, 75]
end

config/environments/development.rb:

config.active_storage.service = :amazon

config/storage.yml:

amazon:
  service: S3
  access_key_id: <%= Rails.application.credentials.dig(:aws, :access_key_id) %>
  secret_access_key: <%= Rails.application.credentials.dig(:aws, :secret_access_key) %>
  region: <%= Rails.application.credentials.dig(:aws, :region) %>
  bucket: <%= Rails.application.credentials.dig(:aws, :bucket) %>

All has been fine, but I've had to reinstall OSX on my Mac, and like a dummy, I forgot to make a backup of the local database. Now I'm trying to setup my development environment, and since I have no backup, I've downloaded production data to my local MySQL server and trying to use that. I have an older development version of the active_storage_* tables from another computer, and I've restored those tables to my local Rails development database.

After doing all that, and looking at the tables in MySQL, it seems everything is ok. The active_storage_attachments table record_id matches up with the active_storage_blobs data, and I've verified in the AWS S3 console that everything exists with the proper keys, etc. I have verified that the proper credentials and S3 bucket are being used.

On a given page, I can use = image_tag @option.picture, and the image displays normally. But if I try something like Option.find(359).picture.download in the Rails console, I get the following error:

Seahorse::Client::NetworkingError: SSL_connect returned=1 errno=0 peeraddr=<redacted IP address here>:443 state=error: certificate verify failed (unable to get certificate CRL) (Seahorse::Client::NetworkingError)
from /Users/jasonfloyd/.rubies/ruby-3.4.3/lib/ruby/3.4.0/net/protocol.rb:46:in 'OpenSSL::SSL::SSLSocket#connect_nonblock'

Using the AWS CLI, I can do the following without any errors:

aws s3 ls

That correctly lists all my buckets without any problems.

How can I get around this? I have to be able to download the bare file, as I use it to build as custom PDF with the image. I've researched a lot, and I keep seeing things about updating my root certificates in OSX, but that seems kinda drastic and unnecessary.

Solution

  • Add gem "openssl", "3.3.1" to your Gemfile.

    It's because the openssl library was modified unintentionally and you need to update your openssl gem version to 3.3.1+.

    See the discussion here.