[colug-432] centos ca certificate store?
Mark Aufdencamp
mark at aufdencamp.com
Mon Jul 10 22:26:33 EDT 2017
+1
Although I have had OS supplied root certs revoked -
http://mark.aufdencamp.com/debian-ubuntu-ssl-ca-certificates-and-ca-verification/
> -------- Original Message --------
> Subject: Re: [colug-432] centos ca certificate store?
> From: Scott Merrill <skippy at skippy.net>
> Date: Mon, July 10, 2017 5:38 pm
> To: colug-432 at colug.net
>
>
> You likely need to set the full cert chain in the server. That is, your
> server should present the GoDaddy root cert, then any intermediate
> certs, followed by the server cert.
>
> --
> Scott Merrill
> skippy at skippy.net
>
> On Mon, Jul 10, 2017, at 15:23, Rick Hornsby wrote:
> > Having some CA certificate validation difficulties with CentOS 6. For some
> > reason, I can't get an otherwise valid SSL certificate to be recognized
> > because its CA is not recognized (I think?)
> >
> > $ curl -iv https://myhost.mydomain.org/
> > * About to connect() to myhost.mydomain.org port 443 (#0)
> > * Trying 127.0.0.1... connected
> > * Connected to myhost.mydomain.org (127.0.0.1) port 443 (#0)
> > * Initializing NSS with certpath: sql:/etc/pki/nssdb
> > * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> > CApath: none
> > * Peer's certificate issuer is not recognized: 'CN=Go Daddy Secure
> > Certificate Authority -
> > G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com,
> > Inc.",L=Scottsdale,ST=Arizona,C=US'
> >
> > The latest CA cert bundle package(?) has been installed:
> >
> > $ rpm -qa | grep ca-cert
> > ca-certificates-2017.2.14-65.0.1.el6_9.noarch
> >
> > That package[1] is supposed to update the ca bundle file, but the file
> > date is pretty old -
> >
> > $ ls -l /etc/pki/tls/certs/ca-bundle.crt
> > -rw-r--r--. 1 root root 251894 Sep 3 2014 /etc/pki/tls/certs/ca-bundle.crt
> >
> > If this was only affecting cURL or wget, it wouldn't be a big deal. I
> > think it's causing me problems trying to run a java app on this host that
> > needs to connect to https://myhost.mydomain.org.
> >
> > Any thoughts/suggestions?
> >
> > thanks!
> >
> > [1] https://rpmfind.net/linux/RPM/centos/updates/6.9/x86_64/Packages/ca-certificates-2017.2.14-65.0.1.el6_9.noarch.html
> > _______________________________________________
> > colug-432 mailing list
> > colug-432 at colug.net
> > http://lists.colug.net/mailman/listinfo/colug-432