Centos – Curl: Getting ‘Peer’s Certificate issuer is not recognized’ on CentOS 7 with some URLs and using latest cacert bundle

Tags: centos, curl, ssl

Centos 7.6
Curl 7.29

My app needs to run Curl requests which come from user requests, but some URLs are returning a curl: (60) Peer's Certificate issuer is not recognized. error.

So far I have:

Downloaded the latest cacert bundle:
sudo curl -k https://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

Checked that the latest bundle is installed:
sudo vi /etc/pki/tls/certs/ca-bundle.crt

#
# Bundle of CA Root Certificates
#
# Certificate data from Mozilla as of: Wed Jan 23 04:12:09 2019 GMT
# 
...

Ran a few test HTTPS URLs such as superuser.com, which curl without any problems.

 curl -v https://superuser.com/questions/1091521/centos-7-wont-accept-any-ssl-certificates

 About to connect() to superuser.com port 443 (#0)
   Trying 151.101.1.69...
 Connected to superuser.com (151.101.1.69) port 443 (#0)
 Initializing NSS with certpath: sql:/etc/pki/nssdb
   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
 SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 Server certificate:
       subject: CN=*.stackexchange.com,O="Stack Exchange, Inc.",L=New York,ST=NY,C=US
       start date: Oct 05 00:00:00 2018 GMT
       expire date: Aug 14 12:00:00 2019 GMT
       common name: *.stackexchange.com
       issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 GET /questions/1091521/centos-7-wont-accept-any-ssl-certificates HTTP/1.1
 User-Agent: curl/7.29.0
 Host: superuser.com
 Accept: */*

 HTTP/1.1 200 OK
...

Then I test a couple of URLs which also use HTTPS but return a curl: (60) Peer's Certificate issuer is not recognized. error.

curl -v https://www.movistar.com

 About to connect() to www.movistar.com port 443 (#0)
   Trying 194.224.110.42...
 Connected to www.movistar.com (194.224.110.42) port 443 (#0)
 Initializing NSS with certpath: sql:/etc/pki/nssdb
   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
 Server certificate:
       subject: CN=www.movistar.com,O=Telefonica S.A.,L=Madrid,ST=Madrid,C=ES
       start date: Jul 05 12:51:04 2018 GMT
       expire date: Aug 29 09:01:02 2019 GMT
       common name: www.movistar.com
       issuer: CN=GlobalSign Organization Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
 NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
 Peer's Certificate issuer is not recognized.
 Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

and

curl -v https://signup.lotro.com

 About to connect() to signup.lotro.com port 443 (#0)
   Trying 198.252.160.63...
 Connected to signup.lotro.com (198.252.160.63) port 443 (#0)
 Initializing NSS with certpath: sql:/etc/pki/nssdb
   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
 Server certificate:
       subject: CN=*.lotro.com,OU=Standing Stone Games LLC,O=Standing Stone Games,L=Needham,ST=ma,C=US
       start date: Mar 12 00:00:00 2018 GMT
       expire date: Mar 20 12:00:00 2019 GMT
       common name: *.lotro.com
       issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
 Peer's Certificate issuer is not recognized.
 Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

The only way I can get these URLs to work is by disabling certificate validation, e.g. curl -v --insecure https://signup.lotro.com.

Bearing in mind the URLs come from user requests, how can I get these URLs to curl without receiving this error and without using the --insecure argument?

Note: I'm working in a VirtualBox VM at the moment, but the same problem also occurs on my VPS.

Note 2: Notice the issuer for both superuser.com and signup.lotro.com is the same, yet I can only curl superuser.com.

Best Answer

The SSLLabs report for both domains shows:

This server's certificate chain is incomplete

In other words: a misconfiguration of the server is causing the error you see. While desktop browsers try to work around it, simpler tools like curl don't. To fix this you need to explicitly add the missing CA certificate to your trust store. In case of www.movistar.com this would be GlobalSign Organization Validation CA - SHA256 - G2 and for signup.lotro.com this would be DigiCert SHA2 High Assurance Server CA. You can download the missing CA certificates as PEM at the links I've provided and then add these to your trust store, then call curl with this trust store:

$ (
  # the two missing intermediate CA certificates named above, fetched from
  # censys.io by their SHA-256 fingerprints
  curl https://censys.io/certificates/74ef335e5e18788307fb9d89cb704bec112abd23487dbff41c4ded5070f241d9/pem/raw;
  echo;
  curl https://censys.io/certificates/19400be5b7a31fb733917700789d2f0a2471c0c9d506c0e504c06c16d7cb17c0/pem/raw;
  echo;
  # followed by the existing root bundle, so every chain can still reach a root;
  # on CentOS 7 the bundle lives at /etc/pki/tls/certs/ca-bundle.crt
  # (/etc/ssl/certs/ca-certificates.crt is the Debian/Ubuntu path)
  cat /etc/pki/tls/certs/ca-bundle.crt
) > myca.pem
$ curl -v --cacert myca.pem https://www.movistar.com
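The script below is an added example; it is not part of the question or of the answer above. It reproduces the failure offline with a throwaway PKI whose names are made up for the purpose (Example Root CA, Example Intermediate CA, a server certificate for www.example.test, file names such as myca.pem and served_*.pem), then checks each way out with openssl verify, which builds the path the same way curl does on connect: whatever the server sends next to its own certificate is untrusted chain material, and the path has to end at a root in the trust store. Against a live host the equivalent of the served_*.pem files is what "openssl s_client -connect www.movistar.com:443 -servername www.movistar.com -showcerts </dev/null" prints, which is the quickest way to confirm the SSLLabs finding from a shell.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: rebuild the failure
# with a throwaway PKI (root CA -> intermediate CA -> leaf for the made-up host
# www.example.test) and check the fixes with "openssl verify", which builds the
# path the same way curl does on connect. Needs only openssl; nothing here
# touches the network or the system trust store.
set -eu

# make_pki DIR: write root.pem, inter.pem and leaf.pem (plus keys) into DIR.
make_pki() {
  d=$1
  cat > "$d/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
  # self-signed root: the only kind of certificate a bundle like Mozilla's holds
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$d/ext.cnf" \
    -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/inter.csr" -CA "$d/root.pem" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ext.cnf" \
    -extensions v3_ca -out "$d/inter.pem" 2>/dev/null
  # server (leaf) certificate, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
    -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/inter.pem" \
    -CAkey "$d/inter.key" -CAcreateserial -extfile "$d/ext.cnf" \
    -extensions v3_leaf -out "$d/leaf.pem" 2>/dev/null
}

# verify_leaf STORE LEAF [SERVED]: validate LEAF against the trust store STORE,
# using the certificates in SERVED (what the server sent next to the leaf) only
# as untrusted chain material, as a TLS client does. Returns 0 when a path from
# LEAF to a self-signed root in STORE (or in openssl's default directory, which
# holds nothing relevant to this throwaway PKI) can be built, 1 otherwise.
verify_leaf() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
  fi
}

# show_chain PEMFILE: list subject/issuer of every certificate in a PEM bundle,
# e.g. the one "openssl s_client -showcerts" prints for a live host. A chain is
# complete when each issuer is the subject of the next entry or of a root in
# the trust store; the servers in the question stop one certificate short.
show_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_pki "$WORK"
# what the misconfigured servers in the question send: the leaf alone
cp "$WORK/leaf.pem" "$WORK/served_incomplete.pem"
# what a correctly configured server sends: leaf followed by its intermediate
cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/served_complete.pem"
# the answer's workaround: the intermediate prepended to the existing root bundle
cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/myca.pem"

result() { if verify_leaf "$@"; then echo OK; else echo 'FAIL (unknown issuer)'; fi; }
echo "chain as the broken server sends it:"; show_chain "$WORK/served_incomplete.pem"
echo "store=root,       server sends leaf only:  $(result "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/served_incomplete.pem")"
echo "store=root,       server sends leaf+inter: $(result "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/served_complete.pem")"
echo "store=inter only, server sends leaf only:  $(result "$WORK/inter.pem" "$WORK/leaf.pem" "$WORK/served_incomplete.pem")"
echo "store=myca.pem,   server sends leaf only:  $(result "$WORK/myca.pem" "$WORK/leaf.pem" "$WORK/served_incomplete.pem")"
```

The first line fails and the second passes: the same leaf and the same root-only store, the only difference being whether the server included its intermediate, which is the whole of the SSLLabs finding and the reason superuser.com works while signup.lotro.com does not despite the identical issuer. Two caveats the other lines make visible. The "store=inter only" case fails because OpenSSL will not use a non-self-signed certificate from the CA file as an anchor unless told to (-partial_chain), whereas the NSS backend that CentOS 7's curl 7.29 links against treats every certificate in the --cacert file as trusted; the answer's myca.pem works under both because it appends the whole existing bundle, so the root stays reachable. And trusting an intermediate directly means nothing above it is checked any more (the root's signature on it, or its revocation by the root operator), so this is a client-side workaround, not a substitute for the server operators sending their intermediate. On CentOS 7 the durable place for an extra anchor is /etc/pki/ca-trust/source/anchors/ followed by sudo update-ca-trust; /etc/pki/tls/certs/ca-bundle.crt is generated by that tool, so the bundle written over it in the question is replaced the next time it runs. Fetching that bundle with curl -k also means the trust root itself was obtained without verification; compare its SHA-256 against the cacert.pem.sha256 file published alongside it, or fetch it from a machine whose trust store already works.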