HTTPS clients (curl, wget, openssl, firefox, etc.) on some hosts unable to connect to server

Solution Verified

Issue

  • We installed a new TLS cert into our webserver and some RHEL clients that do cert validation are unable to connect now. For example, curl gives errors like this:

    [user]$ curl -v https://mysite.example.com
    * About to connect() to mysite.example.com port 443 (#0)
    *   Trying 1.2.3.4...
    * Connected to mysite.example.com (1.2.3.4) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * Server certificate:
    *         subject: CN=mysite.example.com,O="My Example, Inc.",L=Raleigh,ST=North Carolina,C=US
    *         start date: Oct 22 12:00:01 2013 GMT
    *         expire date: May 19 12:00:00 2016 GMT
    *         common name: mysite.example.com
    *         issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
    * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
    * Peer's Certificate issuer is not recognized.
    * Closing connection 0
    curl: (60) Peer's Certificate issuer is not recognized.
    More details here: http://curl.haxx.se/docs/sslcerts.html
    
    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.
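
curl's help text lists three possible causes: an unrecognized issuer, an expired certificate, or a name mismatch. The following added example (not part of the original article or of curl) parses a `curl -v` transcript in the NSS format shown above and reports which of the three applies. The function names and the reference time are assumptions made for illustration, and the name check uses the common name only, because that is the only name the transcript prints.

```python
import re
from datetime import datetime, timezone

# Transcript excerpt copied from the curl -v output above.
SAMPLE = """\
* Connected to mysite.example.com (1.2.3.4) port 443 (#0)
*         start date: Oct 22 12:00:01 2013 GMT
*         expire date: May 19 12:00:00 2016 GMT
*         common name: mysite.example.com
*         issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
"""

def _field(pattern, text):
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None

def _date(value):  # format printed by curl/NSS: "Oct 22 12:00:01 2013 GMT"
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def name_matches(host, cn):
    # Exact match, or a wildcard covering exactly the leftmost label.
    host, cn = host.lower(), cn.lower()
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return host == cn

def triage(transcript, now):
    """Return (verdict, details) for one curl -v transcript."""
    host = _field(r"^\* Connected to (\S+) ", transcript)
    cn = _field(r"^\*\s+common name: (.+)$", transcript)
    issuer = _field(r"^\*\s+issuer: (.+)$", transcript)
    start = _field(r"^\*\s+start date: (.+)$", transcript)
    end = _field(r"^\*\s+expire date: (.+)$", transcript)
    nss = _field(r"^\* NSS error -?\d+ \((\w+)\)", transcript)
    details = {"host": host, "common_name": cn, "issuer": issuer, "nss_error": nss}
    if None in (host, cn, start, end):
        return "incomplete transcript", details
    if not _date(start) <= now <= _date(end):
        return "certificate outside validity window", details
    if not name_matches(host, cn):
        return "name mismatch", details
    if nss == "SEC_ERROR_UNKNOWN_ISSUER":
        return "issuer not trusted by this client", details
    return "no certificate problem identified", details

if __name__ == "__main__":
    # Assumed reference time inside the certificate's validity period.
    print(triage(SAMPLE, datetime(2014, 1, 15, tzinfo=timezone.utc)))
```

For the transcript above, the dates and the name check out, so the verdict is the issuer: the failing client does not trust the CA named in the `issuer` line.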
    

Environment

  • Red Hat Enterprise Linux
