0

Centos 7.6
Curl 7.29

My app needs to run curl requests which come from user requests, but some URLs are returning curl: (60) Peer's Certificate issuer is not recognized.

So far I have:

Downloaded the latest cacert bundle: sudo curl -k https://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt.

Checked that the latest bundle is installed: sudo vi /etc/pki/tls/certs/ca-bundle.crt

#
# Bundle of CA Root Certificates
#
# Certificate data from Mozilla as of: Wed Jan 23 04:12:09 2019 GMT
# 
...

Ran a few test HTTPS URLs, such as superuser.com, which curl without any problems.

 curl -v https://superuser.com/questions/1091521/centos-7-wont-accept-any-ssl-certificates

 About to connect() to superuser.com port 443 (#0)
   Trying 151.101.1.69...
 Connected to superuser.com (151.101.1.69) port 443 (#0)
 Initializing NSS with certpath: sql:/etc/pki/nssdb
   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
 SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 Server certificate:
       subject: CN=*.stackexchange.com,O="Stack Exchange, Inc.",L=New York,ST=NY,C=US
       start date: Oct 05 00:00:00 2018 GMT
       expire date: Aug 14 12:00:00 2019 GMT
       common name: *.stackexchange.com
       issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 GET /questions/1091521/centos-7-wont-accept-any-ssl-certificates HTTP/1.1
 User-Agent: curl/7.29.0
 Host: superuser.com
 Accept: */*

 HTTP/1.1 200 OK
...

Then I test a couple of URLs which also use HTTPS, but return a curl: (60) Peer's Certificate issuer is not recognized. error.

curl -v https://www.movistar.com

 About to connect() to www.movistar.com port 443 (#0)
   Trying 194.224.110.42...
 Connected to www.movistar.com (194.224.110.42) port 443 (#0)
 Initializing NSS with certpath: sql:/etc/pki/nssdb
   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
 Server certificate:
       subject: CN=www.movistar.com,O=Telefonica S.A.,L=Madrid,ST=Madrid,C=ES
       start date: Jul 05 12:51:04 2018 GMT
       expire date: Aug 29 09:01:02 2019 GMT
       common name: www.movistar.com
       issuer: CN=GlobalSign Organization Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
 NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
 Peer's Certificate issuer is not recognized.
 Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

and


curl -v https://signup.lotro.com

 About to connect() to signup.lotro.com port 443 (#0)
   Trying 198.252.160.63...
 Connected to signup.lotro.com (198.252.160.63) port 443 (#0)
 Initializing NSS with certpath: sql:/etc/pki/nssdb
   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
 Server certificate:
       subject: CN=*.lotro.com,OU=Standing Stone Games LLC,O=Standing Stone Games,L=Needham,ST=ma,C=US
       start date: Mar 12 00:00:00 2018 GMT
       expire date: Mar 20 12:00:00 2019 GMT
       common name: *.lotro.com
       issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
 Peer's Certificate issuer is not recognized.
 Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

The only way I can get these URLs to work is by disabling certificate validation, e.g. curl -v --insecure https://signup.lotro.com.

Bearing in mind that the URLs come from user requests, how can I get these URLs to curl without receiving this error and without using the --insecure argument?

Note: I'm working in a VirtualBox VM at the moment, but the same problem also occurs on my VPS.

Note 2: Notice that the issuer for both superuser.com and signup.lotro.com is the same, yet I can only curl superuser.com.

1
  • Have you tried curl -v --capath /etc/ssl/certs ? Commented Feb 23, 2019 at 16:38

2 Answers

3

The SSLLabs report for both domains shows:

This server's certificate chain is incomplete

In other words: a misconfiguration of the server is causing the error you see. While desktop browsers try to work around it, simpler tools like curl don't. To fix this you need to explicitly add the missing CA certificate to your trust store. In the case of www.movistar.com this would be GlobalSign Organization Validation CA - SHA256 - G2, and for signup.lotro.com this would be DigiCert SHA2 High Assurance Server CA. You can download the missing CA certificates as PEM at the links I've provided and then add these to your trust store, then call curl with this trust store:

$ ( 
  curl https://censys.io/certificates/74ef335e5e18788307fb9d89cb704bec112abd23487dbff41c4ded5070f241d9/pem/raw;
  echo;
  curl https://censys.io/certificates/19400be5b7a31fb733917700789d2f0a2471c0c9d506c0e504c06c16d7cb17c0/pem/raw;
  echo;
  cat /etc/ssl/certs/ca-certificates.crt 
) > myca.pem
$ curl -v --cacert myca.pem https://www.movistar.com 
5
  • Thanks, I'll give this a try. The problem is the URLs are based on user requests, so I wouldn't be able to have a different curl command for certain URLs. The actual curl command is called via PHP. Is there any way around this? Also, how did you find the links to the certificates on censys.io/? Commented Feb 23, 2019 at 17:03
  • @turrican_34: "how did you find the links..." - the SSLLabs report includes the fingerprints of the missing certificates. Just google for the fingerprint and you'll find the relevant certificate. Commented Feb 23, 2019 at 19:34
  • @turrican_34: You can use the same curl command for all URLs. It does not matter if certificates are in the trust store (cacert) which don't get used for this specific site; all that matters is that all CA certificates used for the site are either sent by the server (intermediate certificates) or are included in the trust store (root CA certificates, missing intermediate certificates). Commented Feb 23, 2019 at 19:37
  • Thanks, it's working. I added the new PEM file to /etc/pki/ca-trust/source/anchors/, then ran update-ca-trust enable and update-ca-trust extract to update the certificate bundle and now I can curl the URLs. Commented Feb 24, 2019 at 12:58
  • I created the PEM file like this though: ( curl https://censys.io/certificates/74ef3d...0f241d9/pem/raw; echo; ) > example.pem Commented Feb 24, 2019 at 13:01
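The workflow in this answer and its comments, as an added POSIX shell example that is not code from the answer or the asker: count how many certificates a server actually sends (the "chain incomplete" diagnosis), build a curl trust store from the system bundle plus the downloaded intermediates, and the system-wide anchors route from the comments. File names such as myca.pem and globalsign-ov-g2.pem are assumed.

```shell
#!/bin/sh
# Added example, not code from the answer or the asker. Helpers for repairing
# an incomplete server chain on the client side. File names are assumed.

# served_chain_len HOST: number of certificates the server sends in the TLS
# handshake. 1 means only the leaf was sent, i.e. the chain is incomplete.
# (Needs network access and openssl; not exercised offline.)
served_chain_len() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# count_certs FILE: number of certificate blocks in a PEM file
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# pem_ok FILE: succeed only if FILE has at least one matched BEGIN/END pair
pem_ok() {
    b=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    e=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# build_trust_bundle OUT SYSTEM_BUNDLE INTERMEDIATE.pem...
# Prints the certificate count of OUT. A newline is forced after every input
# because raw PEM downloads often lack a trailing newline; without it the END
# line of one file fuses with the BEGIN line of the next and there is no valid
# PEM boundary between them (the "echo" in the answer's one-liner exists for this).
build_trust_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        pem_ok "$f" || { echo "$f: not a PEM certificate file" >&2; return 1; }
        cat "$f" >> "$out"
        [ -z "$(tail -c1 "$f")" ] || echo >> "$out"
    done
    count_certs "$out"
}

# install_anchor FILE [DIR]: the system-wide CentOS route from the comments:
# drop the PEM into the ca-trust anchors directory and rebuild the bundle.
# DIR is overridable so the step can be rehearsed in a scratch directory.
install_anchor() {
    dir=${2:-/etc/pki/ca-trust/source/anchors}
    pem_ok "$1" && cp "$1" "$dir/" || return 1
    if [ "$dir" = /etc/pki/ca-trust/source/anchors ]; then update-ca-trust extract; fi
}

# Typical use on CentOS (system bundle path taken from the question):
#   build_trust_bundle myca.pem /etc/pki/tls/certs/ca-bundle.crt globalsign-ov-g2.pem
#   curl -v --cacert myca.pem https://www.movistar.com
```

A bundle built this way can be passed to every curl call regardless of URL, since unused CA certificates in the store are harmless.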
0

My environment here is CentOS 7; running pyspider shows the error:

Exception HTTP 599 Peer's certificate issuer has been marked as not trusted by the user

and I used the following steps to fix it:

Change the invalid libcurl:

/usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0_openssl

to the valid libcurl:

/usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0

and reinstall pycurl:

pip3 uninstall pycurl
export PYCURL_SSL_LIBRARY=nss
export LDFLAGS=-L/usr/local/opt/openssl/lib
export CPPFLAGS=-I/usr/local/opt/openssl/include
pip install pycurl --compile --no-cache-dir

For a detailed description, refer to another SO post.
