Issue

• We installed a new TLS cert into our webserver and some RHEL clients that do cert validation are unable to connect now. For example, curl gives errors like this:

  [user]$ curl -v https://mysite.example.com
  * About to connect() to mysite.example.com port 443 (#0)
  *   Trying 1.2.3.4...
  * Connected to mysite.example.com (1.2.3.4) port 443 (#0)
  * Initializing NSS with certpath: sql:/etc/pki/nssdb
  *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  * Server certificate:
  *         subject: CN=mysite.example.com,O="My Example, Inc.",L=Raleigh,ST=North Carolina,C=US
  *         start date: Oct 22 12:00:01 2013 GMT
  *         expire date: May 19 12:00:00 2016 GMT
  *         common name: mysite.example.com
  *         issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
  * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
  * Peer's Certificate issuer is not recognized.
  * Closing connection 0
  curl: (60) Peer's Certificate issuer is not recognized.
  More details here: http://curl.haxx.se/docs/sslcerts.html
  
  curl performs SSL certificate verification by default, using a "bundle"
   of Certificate Authority (CA) public keys (CA certs). If the default
   bundle file isn't adequate, you can specify an alternate file
   using the --cacert option.
  If this HTTPS server uses a certificate signed by a CA represented in
   the bundle, the certificate verification probably failed due to a
   problem with the certificate (it might be expired, or the name might
   not match the domain name in the URL).
  If you'd like to turn off curl's verification of the certificate, use
   the -k (or --insecure) option.