We installed a new TLS cert into our webserver and some RHEL clients that do cert validation are unable to connect now. For example,
curlgives errors like this:
[user]$ curl -v https://mysite.example.com * About to connect() to mysite.example.com port 443 (#0) * Trying 220.127.116.11... * Connected to mysite.example.com (18.104.22.168) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * Server certificate: * subject: CN=mysite.example.com,O="My Example, Inc.",L=Raleigh,ST=North Carolina,C=US * start date: Oct 22 12:00:01 2013 GMT * expire date: May 19 12:00:00 2016 GMT * common name: mysite.example.com * issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER) * Peer's Certificate issuer is not recognized. * Closing connection 0 curl: (60) Peer's Certificate issuer is not recognized. More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
- Red Hat Enterprise Linux
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.