<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap:break-word"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">Having some CA certificate validation difficulties with CentOS 6. For some reason, I can&#39;t get an otherwise valid SSL certificate to be recognized because its CA is not recognized (I think?)</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><div id="bloop_customfont" style="margin:0px"><span class="Apple-tab-span" style="white-space:pre">        </span>$ curl -iv <a href="https://myhost.mydomain.org/">https://myhost.mydomain.org/</a></div><div id="bloop_customfont" style="margin:0px"><span class="Apple-tab-span" style="white-space:pre">        </span>* About to connect() to <a href="http://myhost.mydomain.org">myhost.mydomain.org</a> port 443 (#0)</div><div id="bloop_customfont" style="margin:0px"><span class="Apple-tab-span" style="white-space:pre">        </span>*   Trying 127.0.0.1... 
connected</div><div id="bloop_customfont" style="margin:0px"><span class="Apple-tab-span" style="white-space:pre">        </span>* Connected to <a href="http://myhost.mydomain.org">myhost.mydomain.org</a> (127.0.0.1) port 443 (#0)</div><div id="bloop_customfont" style="margin:0px"><span class="Apple-tab-span" style="white-space:pre">        </span>* Initializing NSS with certpath: sql:/etc/pki/nssdb</div><div id="bloop_customfont" style="margin:0px"><span class="Apple-tab-span" style="white-space:pre">        </span>*   CAfile: /etc/pki/tls/certs/ca-bundle.crt</div><div id="bloop_customfont" style="margin:0px"><span class="Apple-tab-span" style="white-space:pre">        </span>  CApath: none</div><div id="bloop_customfont" style="margin:0px"><span class="Apple-tab-span" style="white-space:pre">        </span>* Peer&#39;s certificate issuer is not recognized: &#39;CN=Go Daddy Secure Certificate Authority - <span class="Apple-tab-span" style="white-space:pre">        </span></div><div id="bloop_customfont" style="margin:0px"><span class="Apple-tab-span" style="white-space:pre">        </span>G2,OU=<a href="http://certs.godaddy.com/repository/,O=">http://certs.godaddy.com/repository/,O=</a>&quot;GoDaddy.com, Inc.&quot;,L=Scottsdale,ST=Arizona,C=US&#39;</div></div><br><div id="bloop_sign_1499713998043356928" class="bloop_sign">The latest CA cert bundle package(?) 
has been installed:</div><div id="bloop_sign_1499713998043356928" class="bloop_sign"><br></div><div id="bloop_sign_1499713998043356928" class="bloop_sign"><span class="Apple-tab-span" style="white-space:pre">        </span>$ rpm -qa | grep ca-cert</div><div id="bloop_sign_1499713998043356928" class="bloop_sign"><span class="Apple-tab-span" style="white-space:pre">        </span>ca-certificates-2017.2.14-65.0.1.el6_9.noarch</div><div id="bloop_sign_1499713998043356928" class="bloop_sign"><br></div><div id="bloop_sign_1499713998043356928" class="bloop_sign">That package[1] is supposed to update the CA bundle file, but the file date is pretty old -</div><div id="bloop_sign_1499713998043356928" class="bloop_sign"><br></div><div id="bloop_sign_1499713998043356928" class="bloop_sign"><div id="bloop_sign_1499713998043356928" class="bloop_sign"><span class="Apple-tab-span" style="white-space:pre">        </span>$ ls -l /etc/pki/tls/certs/ca-bundle.crt</div><div id="bloop_sign_1499713998043356928" class="bloop_sign"><span class="Apple-tab-span" style="white-space:pre">        </span>-rw-r--r--. 1 root root 251894 Sep  3  2014 /etc/pki/tls/certs/ca-bundle.crt</div><div id="bloop_sign_1499713998043356928" class="bloop_sign"><br></div><div id="bloop_sign_1499713998043356928" class="bloop_sign">If this was only affecting cURL or wget, it wouldn&#39;t be a big deal. 
I think it&#39;s causing me problems trying to run a Java app on this host that needs to connect to <a href="https://myhost.mydomain.org">https://myhost.mydomain.org</a>.</div><div id="bloop_sign_1499713998043356928" class="bloop_sign"><br></div><div id="bloop_sign_1499713998043356928" class="bloop_sign">Any thoughts/suggestions?</div><div id="bloop_sign_1499713998043356928" class="bloop_sign"><br></div><div id="bloop_sign_1499713998043356928" class="bloop_sign">Thanks!</div><div id="bloop_sign_1499713998043356928" class="bloop_sign"><br></div><div id="bloop_sign_1499713998043356928" class="bloop_sign">[1] <a href="https://rpmfind.net/linux/RPM/centos/updates/6.9/x86_64/Packages/ca-certificates-2017.2.14-65.0.1.el6_9.noarch.html">https://rpmfind.net/linux/RPM/centos/updates/6.9/x86_64/Packages/ca-certificates-2017.2.14-65.0.1.el6_9.noarch.html</a></div></div></body></html>