Running the curl command against a site with a valid SSL certificate fails with the error "curl: (60) Peer certificate cannot be authenticated with known CA certificates"

Solution In Progress - Updated -

Issue

  • Running the curl command against a site that has a valid SSL certificate fails with the error "curl: (60) Peer certificate cannot be authenticated with known CA certificates".

    [root@example.com ~]# curl -v https://example.com
    * About to connect() to example.com port 443 (#0)
    * Trying 192.168.0.254... connected
    * Connected to example.com (192.168.0.254) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
    * Certificate is signed by an untrusted issuer: 'CN=Go Daddy Secure Certificate Authority - G2,OU=http://www.example.com/repository/,O="example.com, Inc.",L=Scottsdale,ST=Arizona,C=US'
    * NSS error -8172
    * Closing connection #0
    * Peer certificate cannot be authenticated with known CA certificates
    curl: (60) Peer certificate cannot be authenticated with known CA certificates
    More details here: http://www.example.com/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.
  • After the certificates are updated manually, the error no longer occurs.

    [root@example.com certs]# curl http://www.example.com/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 223k 100 223k 0 0 222k 0 0:00:01 0:00:01 --:--:-- 265k
    [root@example.com certs]# curl -v https://example.com
    * About to connect() to example.com port 443 (#0)
    * Trying 192.168.0.254... connected
    * Connected to example.com (192.168.0.254) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
    * SSL connection using SSL_RSA_WITH_RC4_128_SHA
    * Server certificate:
    * subject: CN=www.example.com,OU=Domain Control Validated
    * start date: Sep 06 18:00:03 2013 GMT
    * expire date: Sep 06 18:00:03 2014 GMT
    * common name: www.example.com
    * issuer: CN=Secure Certificate Authority - G2,OU=http://www.example.com/repository/,O="example.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    > GET / HTTP/1.1
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    > Host: example.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Date: Mon, 16 Sep 2013 19:49:10 GMT
    < Server: Apache
    < X-Powered-By: PHP/5.3.3
    < Content-Length: 0
    < Connection: close
    < Content-Type: text/html; charset=UTF-8
    <
    * Closing connection #0

Environment

  • Red Hat Enterprise Linux 6.4
  • ca-certificates-2010.63-3.el6_1.5.noarch
  • curl-7.19.7-35.el6.x86_64
