CentOS – curl, lynx etc. not accepting certificate locally but OK remotely

centos, curl, https, ssl

When I connect to my web server to view a site over HTTPS, I get the nice green EV thing in the address bar. When I use curl locally to connect, it complains about the certificate and dies.

I'm aware I can just skip the certificate checking but I'd like to fix the problem as there are other times that these certs will be checked locally.

My hosts file (on the server) maps www.domain.com to 192.168.100.62, which Apache is listening on (confirmed by doing a cURL to the same address via http):

root@web3:~# curl -v https://www.domain.com
* About to connect() to www.domain.com port 443 (#0)
*   Trying 192.168.100.62... connected
* Connected to www.domain.com (192.168.100.62) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Peer's certificate issuer is not recognized: 'CN=Symantec Class 3 EV SSL CA - G3,OU=Symantec Trust Network,O=Symantec Corporation,C=US'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

I've poked around Google a bit, but can't seem to find much. It may be possible my root CA bundle is outdated, or curl itself is too old to connect, but I've not much experience with this.

root@web3:~# curl --version
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.18 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.7 (Santiago)

I have tried adding the VeriSign root cert by using the update-ca-trust tool, but that also has no impact:

root@web3:anchors# pwd
/etc/pki/ca-trust/source/anchors
root@web3:anchors# ls
VeriSign-Class-3-Public-Primary-Certification-Authority-G3.crt
root@web3:anchors#  update-ca-trust
root@web3:anchors# curl... <snip> same error.

I'm at a bit of a loss as to what the actual issue is. Are certificates only valid on internet IPs?

Best Answer

Edited (2018-12-20): Security warning: Installing a certificate from an unknown source is a security risk.

I fixed the problem by downloading Symantec_Class_3_EV_SSL_CA_G3.crt and installing it:

wget http://symantec.tbs-certificats.com/Symantec_Class_3_EV_SSL_CA_G3.crt
cp Symantec_Class_3_EV_SSL_CA_G3.crt /etc/pki/ca-trust/source/anchors
update-ca-trust

The problem then just went away :) Not sure why this isn't included by default in the root CA bundle.
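A check worth running before adding an intermediate as a trust anchor: does the chain the server sends actually link up to a root? This is an added example, not code from the answer above; it parses the "Certificate chain" summary printed by `openssl s_client -connect www.domain.com:443 -showcerts`, fed here from constructed sample output (the chain from the question with only the leaf sent, and the same chain with the Symantec intermediate included).

```shell
#!/bin/sh
# Constructed samples of the "Certificate chain" block that
# `openssl s_client -showcerts` prints (PEM bodies trimmed).
# Case 1: the server sends only its leaf certificate.
CHAIN_LEAF_ONLY='Certificate chain
 0 s:/C=US/O=Example Corp/CN=www.domain.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
---
Server certificate'

# Case 2: the server also sends the intermediate, chaining to a VeriSign root.
CHAIN_COMPLETE='Certificate chain
 0 s:/C=US/O=Example Corp/CN=www.domain.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate'

# chain_gaps: read s_client output on stdin; print the issuer of every cert
# (except the last one sent) that is not itself a subject later in the chain.
# Empty output means each sent cert is followed by the cert that signed it.
chain_gaps() {
    awk '
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[++n] = $0; next }
        /^ *i:/        { sub(/^ *i:/, "");        iss[n] = $0;   next }
        /^---$/        { exit }   # end of the chain summary; END still runs
        END {
            for (k = 1; k < n; k++) {
                found = 0
                for (j = k + 1; j <= n; j++) if (subj[j] == iss[k]) found = 1
                if (!found) print iss[k]
            }
        }'
}

# required_anchor: print the issuer of the last cert the server sent. That is
# the subject the local CA bundle must contain for verification to succeed.
required_anchor() {
    awk '
        /^ *i:/ { sub(/^ *i:/, ""); last = $0; next }
        /^---$/ { exit }
        END     { print last }'
}

for chain in "$CHAIN_LEAF_ONLY" "$CHAIN_COMPLETE"; do
    printf 'gaps: %s\nanchor needed: %s\n\n' \
        "$(printf '%s\n' "$chain" | chain_gaps)" \
        "$(printf '%s\n' "$chain" | required_anchor)"
done
```

When the anchor needed is an intermediate CA, as in the leaf-only case, the server is not sending its chain: browsers paper over this by fetching the missing issuer themselves, while curl built against NSS does not. On Apache 2.2 the intermediate belongs in SSLCertificateChainFile, and fixing it there avoids having to add an intermediate as a trust anchor on every client.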
