Curl and openssl commands fails with error "curl: (60) Peer certificate cannot be authenticated with known CA certificates" and "Verify return code: 9 (certificate is not yet valid)" respectively.

Solution In Progress - Updated -

Issue

  • curl commands fails with an error "curl: (60) Peer certificate cannot be authenticated with known CA certificates" when trying to connect Red Hat network that has a VALID SSL certificate.
# curl -v https://subscription.rhsm.redhat.com/subscription/ --cacert /etc/rhsm/ca/redhat-uep.pem
* About to connect() to subscription.rhsm.redhat.com port 443 (#0)
*   Trying 209.132.183.108... connected
* Connected to subscription.rhsm.redhat.com (209.132.183.108) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/rhsm/ca/redhat-uep.pem
  CApath: none
* Remote Certificate has expired.
* NSS error -8181
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
  • openssl commands fails with an error "Verify return code: 9 (certificate is not yet valid)" when trying to connect Red Hat network that has a VALID SSL certificate.
# openssl s_client -connect subscription.rhsm.redhat.com:443 -CAfile /etc/rhsm/ca/redhat-uep.pem
CONNECTED(00000003)
depth=2 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Red Hat Network, CN = Entitlement Master CA, emailAddress = ca-support@redhat.com
verify return:1
depth=1 C = US, ST = North Carolina, O = "Red Hat, Inc.", OU = Red Hat Network, CN = Red Hat Entitlement Operations Authority, emailAddress = ca-support@redhat.com
verify return:1
depth=0 C = US, ST = North Carolina, O = "Red Hat, Inc.", OU = Red Hat Network, CN = subscription.rhsm.redhat.com, emailAddress = ca-support@redhat.com
verify error:num=9:certificate is not yet valid
notBefore=May 22 14:00:55 2019 GMT
verify return:1
depth=0 C = US, ST = North Carolina, O = "Red Hat, Inc.", OU = Red Hat Network, CN = subscription.rhsm.redhat.com, emailAddress = ca-support@redhat.com
notBefore=May 22 14:00:55 2019 GMT
verify return:1
---
Certificate chain
 0 s:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=subscription.rhsm.redhat.com/emailAddress=ca-support@redhat.com
   i:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/emailAddress=ca-support@redhat.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGFDCCA/ygAwIBAgICAYowDQYJKoZIhvcNAQELBQAwgbExCzAJBgNVBAYTAlVT
MRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEWMBQGA1UECgwNUmVkIEhhdCwgSW5j
LjEYMBYGA1UECwwPUmVkIEhhdCBOZXR3b3JrMTEwLwYDVQQDDChSZWQgSGF0IEVu
dGl0bGVtZW50IE9wZXJhdGlvbnMgQXV0aG9yaXR5MSQwIgYJKoZIhvcNAQkBFhVj
YS1zdXBwb3J0QHJlZGhhdC5jb20wHhcNMTkwNTIyMTQwMDU1WhcNMjEwNTIxMTQw
MDU1WjCBpTELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRYw
FAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQLDA9SZWQgSGF0IE5ldHdvcmsx
JTAjBgNVBAMMHHN1YnNjcmlwdGlvbi5yaHNtLnJlZGhhdC5jb20xJDAiBgkqhkiG
9w0BCQEWFWNhLXN1cHBvcnRAcmVkaGF0LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQAD
ggIPADCCAgoCggIBAMTmI3wXPLoYpRf5SqIsX9sMhC7tdu6fDaZXLwl7t/ZQyzEd
K6KxWaW62xfML0Bb6Bd8QHFdNxt1dukx4WxS2PVnsd56mL/LRDADyeRPNCDhQRs0
6fbds32a0qqzWIJl4/2Xi0fWBpNS/G8LM8p9FTM+1E8xKRUsGqatTznJAjbrCvF5
ftLGsjl1a1ezL9oO6ZgjwWOjIhNSIkEXP2MyRfK25p8MEYpGuiTStzD6Ax24PLW6
ak0HUsL9U8lXQXGAJPS1gE4B8lp4pkWewty7UDdQubPsgbcKZZQ4BHT5/3n98g9P
X0XmP9TEIUS8pcW+oOjn/dO0j5OtLEDryYsvIptoVxQLUhz/hV6nplwQ7H7HpR6F
D1QmkB/wPcHERFpBVVCOJU+KG5e7+83nQlinTxIefK98UPJOR9PvCyvi86f6wf3e
Eb3AkL/kzXU/1XrTMFXuVLlE/gmHeJ1VFXirpAycEtqqgtRY8Ibss7O9faBHum1n
QfXbMKuqi8JoF0+C4JHo95cIohD5jdBMPt7vAerEvNcjQL0h5xmfj1z9/Z4eK6eM
Y48ipaqdR2ayNMZgTgsFel8wafA1j+Jh6WOKy5naiZs3+wyUlRKribM8Uqx5Ng53
r9z7I+74ovq5Th/kzK6X6tuIvwmf58Nc7bg315BIGHizaGZ4NVtP+YL65iE7AgMB
AAGjQDA+MBMGA1UdJQQMMAoGCCsGAQUFBwMBMCcGA1UdEQQgMB6CHHN1YnNjcmlw
dGlvbi5yaHNtLnJlZGhhdC5jb20wDQYJKoZIhvcNAQELBQADggIBAD9IgL3ixcvf
FfsxEvSmHpq2Ob+05mtW5D0TcmIDhFFS1i0lAd8wRtttpBuLgVCV+RW34fqlVC3Z
WHxBrAJXBTM6aynPDGNRLG28UgfSkUAfh9fhUp5pcvR1/zbIOjZNsHk2sg5fPjKt
H972+5olCITAwGcD4w2O18RqjzLwo7/dhzTbVz/L9MezaypnoZczuuSrWRl0a680
F6FBN/qzIcs2QpIVmOz8h5cxhu34zLwb0WdvyeL5tOMsECxOLC0XAH1nMPRUWmoh
TItfLYZRarKV8RjVJswvGXCo9n5v+4LYHUqpNSKdTHxn5hL8jgcnmHalHiV9Ap81
f3PTyT7AGEEtOqDZK9PyVMVy3jxPG3FfgGF7wObPSye2kHApjcWzY0WFCk1WdZBE
rHY1ZXxngeoRKBy+27wEVJBQ6NCRqUf/6BKR4SBJO4Zi3ARsO7CB3XpUSPbgyPVD
baAcWqDn/FbG3capDZAvwsrMQiW4Vbk9vKY83S/spmIOwup0DY/kqqAYGCYl1wAC
UvscPy+StpFqqa3ldxPQbKvkYboH3IVfJMHqRx4rHw+w3RCqK2mP4sUL99EvxVK9
5rz4G8QFj/Un96oseW55hgBuvopnEvOG+wQlsbcMFNud5Lw25f8D3JKa/tUmOKlh
/brZJ+n8JsIhTO1RPhW50ZFr8vbr90sh
-----END CERTIFICATE-----
subject=/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=subscription.rhsm.redhat.com/emailAddress=ca-support@redhat.com
issuer=/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/emailAddress=ca-support@redhat.com
---
No client certificate CA names sent
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 2394 bytes and written 417 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 44D3167CB8B6AB016CDBB16B633F92CA0ABA88B97D933E3EE50ED208B04F6259
    Session-ID-ctx: 
    Master-Key: 06D68C6BF7537717ED340005F0AEB701E8F18A248FAC605AEB637EFD63C594DC69BD664B4A30385520B1E6754180D6F9
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1441498257
    Timeout   : 300 (sec)
    Verify return code: 9 (certificate is not yet valid)

Environment

  • Red Hat Enterprise Linux 6

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In