[colug-432] centos ca certificate store?
Scott Merrill
skippy at skippy.net
Mon Jul 10 17:38:41 EDT 2017
You likely need to set the full cert chain in the server. That is, your
server should present the GoDaddy root cert, then any intermediate
certs, followed by the server cert.
--
Scott Merrill
skippy at skippy.net
On Mon, Jul 10, 2017, at 15:23, Rick Hornsby wrote:
> Having some CA certificate validation difficulties with CentOS 6. For some
> reason, I can't get an otherwise valid SSL certificate to be recognized
> because its CA is not recognized (I think?)
>
> $ curl -iv https://myhost.mydomain.org/
> * About to connect() to myhost.mydomain.org port 443 (#0)
> * Trying 127.0.0.1... connected
> * Connected to myhost.mydomain.org (127.0.0.1) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> CApath: none
> * Peer's certificate issuer is not recognized: 'CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US'
>
> The latest CA cert bundle package(?) has been installed:
>
> $ rpm -qa | grep ca-cert
> ca-certificates-2017.2.14-65.0.1.el6_9.noarch
>
> That package[1] is supposed to update the ca bundle file, but the file
> date is pretty old -
>
> $ ls -l /etc/pki/tls/certs/ca-bundle.crt
> -rw-r--r--. 1 root root 251894 Sep 3 2014 /etc/pki/tls/certs/ca-bundle.crt
>
> If this was only affecting cURL or wget, it wouldn't be a big deal. I
> think it's causing me problems trying to run a java app on this host that
> needs to connect to https://myhost.mydomain.org.
>
> Any thoughts/suggestions?
>
> thanks!
>
> [1] https://rpmfind.net/linux/RPM/centos/updates/6.9/x86_64/Packages/ca-certificates-2017.2.14-65.0.1.el6_9.noarch.html
> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432
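An "issuer is not recognized" error like the one in the curl output above is what a client reports when it trusts a root CA but is never handed the intermediate that signed the server certificate. The script below is an added example, not part of the original thread: it reproduces that condition offline with a constructed throwaway PKI. The CA names and the functions make_demo_pki and verify_leaf are hypothetical.

```shell
#!/bin/sh
# Added example with a constructed, throwaway PKI (all names are made up).
# A client trusting only the root rejects the leaf unless the intermediate
# certificate is supplied alongside it, as a server's chain file would do.

make_demo_pki() {   # $1 = empty directory; writes root.pem, inter.pem, leaf.pem
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root CA (stands in for an entry in the client's CA bundle)
    openssl req -x509 -config "$dir/demo.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    # Intermediate CA, signed by the root
    openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/demo.cnf" -extensions v3_ca -days 2 \
        -out "$dir/inter.pem" 2>/dev/null || return 1
    # Server (leaf) certificate, signed by the intermediate
    openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=myhost.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 2 -out "$dir/leaf.pem" 2>/dev/null || return 1
}

verify_leaf() {     # $1 = trusted root, $2 = leaf, $3 = intermediates sent (optional)
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null | grep -q ': OK$'
    else
        openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
    fi
}

work=$(mktemp -d) && make_demo_pki "$work" && {
    verify_leaf "$work/root.pem" "$work/leaf.pem" && echo "leaf alone: OK" || echo "leaf alone: issuer not recognized"
    verify_leaf "$work/root.pem" "$work/leaf.pem" "$work/inter.pem" && echo "leaf + intermediate: OK" || echo "leaf + intermediate: FAILED"
}
rm -rf "$work"
```

Against a live host, `openssl s_client -connect HOST:443 -showcerts` lists the certificates the server actually sends, which shows whether an intermediate is missing from its chain.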