Rails and WebPacker: SSL_connect error

When implementing SSO for a legacy Rails 5 application with a Puma dev environment, I encountered an issue with JavaScript content not loading on some pages. The server output the following error message:

➜ bundle exec rails s -b "ssl://localhost:3000?key=config/cert.key&cert=config/cert.crt"
=> Booting Puma
=> Rails LTS application starting in development
=> Run `rails server -h` for more startup options
Puma starting in single mode...
* Puma version: 5.6.4 (ruby 2.7.4-p191) ("Birdie's Version")
Started GET "/" for at 2022-06-21 17:07:43 +1000
2022-06-21 17:17:21 +1000 Rack app ("GET /packs/js/form-2c133051829ab02ebb74.js" - ( #<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: wrong version number>

The Fix

It looks like the local dev environment had previously been run under HTTP, not HTTPS. Updating the webpacker config and restarting the server resolved the issue:

➜ vim config/webpacker.yml
  <<: *default
  compile: true
  warnings: true

    host: localhost
    port: 3035
    hmr: false
    https: false # <-- set this to true

➜ ./bin/webpack-dev-server

Rails: Python2 error on yarn install

I recently worked on a legacy codebase that requires Python2, which has been deprecated for some time and is no longer available via homebrew.

Using this Stack Overflow thread I was able to resolve the issue as below. Note that the “pyenv global” command might interfere with with your Python3 environment.

The Error

➜ yarn install --check-files
gyp verb command configure []
gyp verb check python checking for Python executable "python2" in the PATH
gyp verb `which` failed Error: not found: python2

➜ which python
python not found

➜ which python2
python2 not found

The Fix

➜ brew install pyenv
➜ pyenv install 2.7.18
➜ pyenv global 2.7.18
➜ PATH=$(pyenv root)/shims:$PATH
➜ which python2

➜ yarn install --check-files
yarn install v1.22.19
Done in 10.26s

Add to ~/.bashrc or ~/.zshrc to make available in future shell sessions:

# make python exe available globally
PATH=$(pyenv root)/shims:$PATH

Rails: Puma MiniSSL::SSLError

The problem

When setting up a dev environment for older Rails projects, Puma can sometimes have trouble serving https:// pages. Puma boots ok but will begin choking with a MiniSSL::SSLError:

➜ bundle exec rails s -b "ssl://"
=> Booting Puma
=> Rails application starting in development

2022-03-03 17:19:21 +1100: SSL error, peer:, peer cert: , # <Puma::MiniSSL::SSLError: OpenSSL error: error:141F7065:SSL routines:final_key_share:no suitable key share - 337604709>

The fix

This error is caused by a bug in older versions of Puma. To fix, simply update the version of Puma in the Rails gemfile:

#gem 'puma', '~> 3.11'
gem 'puma', '~> 4.3.8'

Then install the new version of the Puma gem and test:

➜ bundle install
➜ bundle exec rails s -b "ssl://"
=> Booting Puma
=> Rails application starting in development

Puma should now run and serve https pages successfully.

Rails 6 & Node: Yarn error on install around ‘remove_cv_t’

This error can occur when setting up a development environment for an existing Rails 6 project and the node dependencies are being installed. It seems to be caused by an incompatibility between node-sass and Node 16.

Here are step by step instructions on how to fix the problem by specifying the version of node to use in the project folder using NVM.

➜ bundle exec rails server # rails won't boot, yarn error
  Your Yarn packages are out of date!
  Please run `yarn install --check-files` to update.

➜ yarn install --check-files # yarn install fails...
/Users/user/.node-gyp/16.13.1/include/node/v8-internal.h:492:38: error: no template named 'remove_cv_t' in namespace 'std'; did you mean 'remove_cv'?

➜ brew install nvm # install Node Version Mgr if needed
➜ echo "14.18.2" > .nvmrc # create a version file for NVM (do this in your rails project directory)
➜ cat .nvmrc

➜ node -v # check the current node version

➜ nvm use
Found '/Users/user/project/.nvmrc' with version <14.18.2>
Now using node v14.18.2 (npm v6.14.15)

➜ node -v # verify we're now using the correct node version

➜ yarn install --check-files # install should now complete ok
✨  Done in 8.73s.

➜ bundle exec rails server # rails should now boot
=> Booting Puma

Here’s the full error trace:

In file included from /Users/user/.node-gyp/16.13.1/include/node/v8.h:30:
/Users/user/.node-gyp/16.13.1/include/node/v8-internal.h:492:38: error: no template named 'remove_cv_t' in namespace 'std'; did you mean 'remove_cv'?
            !std::is_same<Data, std::remove_cv_t<T>>::value>::Perform(data);
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/c++/v1/type_traits:710:50: note: 'remove_cv' declared here
template <class _Tp> struct _LIBCPP_TEMPLATE_VIS remove_cv
1 error generated.
make: *** [Release/obj.target/binding/src/binding.o] Error 1
gyp ERR! build error
gyp ERR! stack Error: `make` failed with exit code: 2
gyp ERR! stack     at ChildProcess.onExit (/Users/user/project/node_modules/node-gyp/lib/build.js:262:23)
gyp ERR! stack     at ChildProcess.emit (node:events:390:28)
gyp ERR! stack     at Process.ChildProcess._handle.onexit (node:internal/child_process:290:12)
gyp ERR! System Darwin 21.2.0
gyp ERR! command "/Users/user/.nvm/versions/node/v16.13.1/bin/node" "/Users/user/project/node_modules/node-gyp/bin/node-gyp.js" "rebuild" "--verbose" "--libsass_ext=" "--libsass_cflags=" "--libsass_ldflags=" "--libsass_library="
gyp ERR! cwd /Users/user/project/node_modules/node-sass
gyp ERR! node -v v16.13.1
gyp ERR! node-gyp -v v3.8.0
gyp ERR! not ok

RSpec error – Host header or origin header is specified and is not whitelisted or localhost.

I encountered the following head-scratcher when trying to run the following RSpec test on MacOs:

➜ bundle exec rspec ./spec/features/some_spec.rb:12

Capybara starting Puma…
Version 4.3.8 , codename: Mysterious Traveller
Min threads: 0, max threads: 4
Listening on tcp://

unexpected response, code=500, content-type="text/html"
Host header or origin header is specified and is not whitelisted or localhost.

After much fruitless poking around in ./spec/rails_helper.rb, I checked my /etc/hosts file and realised I had mapped to a custom name. I updated /etc/hosts to include only the following lines: localhost my.localdev

And hey presto, Selenium would now run the rest of my (still failing) tests.

As an aside, I tried passing the options '--headless', '--disable-web-security', '-–allow-file-access-from-files', '--allowed-origins=*‘ to Capybara in ./spec/rails_helper.rb, and none seemed to have any effect.

Rails HTTPs error on localhost – getaddrinfo SocketError

I recently began developing a Rails Plugin gem, and running the dummy app locally using HTTP worked flawlessly out of the box. However, when it came time to test HTTPS, I encountered the following error:

➜ rails s -b "ssl://"
=> Booting WEBrick
=> Rails 5.2.6 application starting in development on http://ssl://
=> Run rails server -h for more startup options
INFO WEBrick 1.4.4
`getaddrinfo': getaddrinfo: nodename nor servname provided, or not known (SocketError)

This was puzzling at first as I had other apps running fine using HTTPS. After closer inspection I discovered the other apps were running under the Puma webserver, while my gem had defaulted to using WEBrick.


The solution was to find the latest version of Puma and add it to my gem:

➜ gem search puma
puma (5.5.2 ruby java java, 5.4.0, 4.3.10)

edit ./Gemfile:
gem "puma", "5.5.2"

Install the gem:

➜ bundle install
Installing puma 5.5.2 with native extensions

The Rails app then booted into HTTPs successfully under Puma:

➜ rails s -b "ssl://"
=> Booting Puma
Listening on ssl://

Rails: Error installing gem mysql2 on MacOs

When installing gems on a new project under MacOs using bundler, I encountered the following error for MySql:

Installing mysql2 0.5.2 with native extensions
Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

linking shared-object mysql2/mysql2.bundle
ld: library not found for -lssl
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [mysql2.bundle] Error 1

It seems the clang compiler couldn’t find an SSL library on the system. The solution was:

> brew install openssl
> bundle config --global build.mysql2 --with-opt-dir="$(brew --prefix openssl)
> bundle

# This also works:
> export LIBRARY_PATH=$LIBRARY_PATH:/usr/local/opt/openssl/lib/

Rails 6: Beware the master.key

Checking encrypted credentials into git using Rails 6 feels weird but is pretty great.

What isn’t great is getting this error when deploying to Heroku:

ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage

After running EDITOR=vim bundle exec rails credentials:edit Rails will create a master.key file which works fine, but expects all your environments to be in a single credentials file and creates a master.key to decrypt the file.

Subsequently running EDITOR=vim bundle exec rails credentials:edit --environment staging appears to not use the master key and instead autocreates a ./config/credentials/staging.key.

In Heroku, the RAILS_MASTER_KEY environment variable needs to be set to the value of staging.key, not master.key, otherwise the MessageEncryptor error is thrown. This wasn’t clear to me from various tutorials and StackOverflow posts.

adding a blocklist break-glass header for Rack::Attack

When blocklisting broad IP ranges using the Rails Rack::Attack gem, it can be valuable to have a break-glass HTTP header so that legitimate users in a blocked range can still access the webapp.

The Rack::Attack docs provide most of the information on how to do this, however the syntax in the current example does not match the format of a header injected into the browser using an extension such as SimpleModifyHeaders.

As it turns out, any such headers are uppercased and prefixed with HTTP_. So if in your browser extension you set your header as SuperSecretKey, Rack::Attack would pass it through as HTTP_SUPERSECRETKEY.

The below code snippet illustrates, and also dumps out all headers to the console as a comma delimited list.

class Rack::Attack

  p "~~~~~~~~ RAAAACK ATTAAAAAAAACK ~~~~~~~~"

  # safelist by HTTP header
  Rack::Attack.whitelist("mark any authenticated user as safe") do |request|

    p "~~ HEADER CHECK ~~"

    p request.env.sort.compact.reject(&:empty?).join(',')

    puts request.env.key?("HTTP_SUPERSECRETKEY")
    puts request.env["HTTP_SUPERSECRETKEY"]
    request.env["HTTP_SUPERSECRETKEY"] == "Hunter2"


Rails: fix Bundler 2 lockfile error

The fix

gem update --system # update Rubygems
gem install bundler # update bundler
bundler update --bundler # update Gemfile.lock in your project

The error message

>bundle exec guard
14:41:40 - INFO - Guard::RSpec is running
14:41:40 - INFO - Guard is now watching at '/Users/user/project'
14:41:52 - INFO - Running: spec/spec.rb
You must use Bundler 2 or greater with this lockfile.
14:41:52 - ERROR - Failed: "bundle exec bin/rspec -f progress -r /Users/user/project/vendor/bundle/ruby/2.6.0/gems/guard-rspec-4.7.3/lib/guard/rspec_formatter.rb -f Guard::RSpecFormatter --failure-exit-code 2 spec/spec.rb" (exit code: 20)