CentOS 7.6
Curl 7.29
My app needs to run curl requests which come from user requests, but some URLs are returning a curl: (60) Peer's Certificate issuer is not recognized. error.
So far I have:
Downloaded the latest cacert bundle:
sudo curl -k https://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt
Checked that the latest bundle is installed:
sudo vi /etc/pki/tls/certs/ca-bundle.crt
#
# Bundle of CA Root Certificates
#
# Certificate data from Mozilla as of: Wed Jan 23 04:12:09 2019 GMT
#
...
Ran a few test HTTPS URLs, such as superuser.com, which curl without any problems.
curl -v https://superuser.com/questions/1091521/centos-7-wont-accept-any-ssl-certificates
About to connect() to superuser.com port 443 (#0)
Trying 151.101.1.69...
Connected to superuser.com (151.101.1.69) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Server certificate:
subject: CN=*.stackexchange.com,O="Stack Exchange, Inc.",L=New York,ST=NY,C=US
start date: Oct 05 00:00:00 2018 GMT
expire date: Aug 14 12:00:00 2019 GMT
common name: *.stackexchange.com
issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
GET /questions/1091521/centos-7-wont-accept-any-ssl-certificates HTTP/1.1
User-Agent: curl/7.29.0
Host: superuser.com
Accept: */*
HTTP/1.1 200 OK
...
Then I test a couple of URLs which also use HTTPS, but return a curl: (60) Peer's Certificate issuer is not recognized. error.
curl -v https://www.movistar.com
About to connect() to www.movistar.com port 443 (#0)
Trying 194.224.110.42...
Connected to www.movistar.com (194.224.110.42) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
Server certificate:
subject: CN=www.movistar.com,O=Telefonica S.A.,L=Madrid,ST=Madrid,C=ES
start date: Jul 05 12:51:04 2018 GMT
expire date: Aug 29 09:01:02 2019 GMT
common name: www.movistar.com
issuer: CN=GlobalSign Organization Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
Peer's Certificate issuer is not recognized.
Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
and
curl -v https://signup.lotro.com
About to connect() to signup.lotro.com port 443 (#0)
Trying 198.252.160.63...
Connected to signup.lotro.com (198.252.160.63) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
Server certificate:
subject: CN=*.lotro.com,OU=Standing Stone Games LLC,O=Standing Stone Games,L=Needham,ST=ma,C=US
start date: Mar 12 00:00:00 2018 GMT
expire date: Mar 20 12:00:00 2019 GMT
common name: *.lotro.com
issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
Peer's Certificate issuer is not recognized.
Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
The only way I can get these URLs to work is by disabling certificate validation, e.g. curl -v --insecure https://signup.lotro.com.
Bearing in mind the URLs are from user requests, how can I get these URLs to curl without receiving this error and without using the --insecure argument?
Note: I'm working in a Virtual box VM at the moment, but the same problem also occurs on my VPS.
Note 2: Notice the issuer for both superuser.com and signup.lotro.com is the same, yet I can only curl superuser.com.
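One way to narrow down why the two hosts fail while superuser.com works, as an added shell script that is not part of the question: it pulls each server's chain with openssl s_client and verifies the leaf against the same bundle, separating a server that does not send its intermediate certificate (curl does not fetch missing intermediates on its own) from a root that is genuinely absent from the bundle. It assumes openssl is installed; the bundle path is the one from the question, and the sample PEM text in the comments is constructed.

```shell
#!/bin/sh
# Added diagnostic, not part of the question: tells a server that omits its
# intermediate CA apart from a root missing from the bundle. Assumes openssl.
BUNDLE="${BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"   # path from the question

# Number of certificates the server presented (s_client -showcerts output on stdin).
chain_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true   # grep -c exits 1 on zero matches
}

# $1 = certificates sent, $2 = exit status of openssl verify.
# One cert plus a verify failure points at a missing intermediate (the usual
# cause when the bundle is current); several certs and still failing means the
# root is not in the bundle or the chain is otherwise invalid.
chain_verdict() {
    if [ "$2" -eq 0 ]; then echo ok
    elif [ "$1" -le 1 ]; then echo missing-intermediate
    else echo untrusted-root
    fi
}

# Fetch a host's chain and verify the leaf against the bundle, passing whatever
# extra certificates the server sent as -untrusted. Needs network; not run by tests.
check_host() {
    host=$1; tmp=$(mktemp -d)
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null >"$tmp/out" 2>/dev/null
    count=$(chain_cert_count <"$tmp/out")
    if [ "$count" -eq 0 ]; then echo "$host: no certificate received"; rm -rf "$tmp"; return 1; fi
    # First PEM block is the leaf; any later blocks are intermediates (or a root).
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$tmp/out" >"$tmp/leaf.pem"
    awk '/-----BEGIN CERTIFICATE-----/{n++} n>=2' "$tmp/out" >"$tmp/chain.pem"
    if [ "$count" -ge 2 ] && openssl verify -CAfile "$BUNDLE" -untrusted "$tmp/chain.pem" \
            "$tmp/leaf.pem" >/dev/null 2>&1; then rc=0
    elif [ "$count" -eq 1 ] && openssl verify -CAfile "$BUNDLE" "$tmp/leaf.pem" >/dev/null 2>&1; then rc=0
    else rc=1
    fi
    printf '%s: %s certificate(s) sent, verdict %s\n' \
        "$host" "$count" "$(chain_verdict "$count" "$rc")"
    rm -rf "$tmp"
}

# Usage: sh chaincheck.sh www.movistar.com signup.lotro.com superuser.com
if [ "$#" -gt 0 ]; then for h in "$@"; do check_host "$h"; done; fi
```

A verdict of missing-intermediate means the fix belongs on the remote server (or, for your own app, in a local file of known intermediates passed via --cacert), not in the root bundle.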