Fixing CentOS Root Certificate Authority Issues

01 Jun

While trying to clone a repository from GitHub the other day on one of my EC2 servers, I ran into an SSL verification issue. As it turns out, GitHub renewed their SSL certificate (as people who are responsible about their web presence do when their certificate is about to expire). As a result, I couldn’t git clone over https. This presents a problem since all my deploys work using git clone over https.

The error looks something like this:

*** error: SSL certificate problem, verify that the CA cert is OK. Details:
*** error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/indexzero/daemon.node.git/info/refs
*** fatal: HTTP request failed
*** Clone of 'https://github.com/indexzero/daemon.node.git' into submodule path 'support/daemon' failed

The error occurs because CentOS (at least the RightScale version 5.6.8.1) has an old certificate authority bundle: /etc/pki/tls/certs/ca-bundle.crt.

I backed up the existing certificate file just to be on the safe side.

# cp /etc/pki/tls/certs/ca-bundle.crt /root/backup/

To fix the issue, just download a new certificate bundle. I used the one from haxx.se.

# curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt
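
The download above travels over plain HTTP, so nothing authenticates the file that then decides which certificates the server trusts. The following is an added example, not part of the original post: a shell function that only replaces the bundle after a digest check and a PEM sanity check, then backs up and swaps the file atomically. The function name `install_ca_bundle`, its arguments and its return codes are hypothetical, and the expected SHA-256 is assumed to come from a source you already trust.

```shell
#!/bin/sh
# Added example (not from the original post): gate a CA bundle replacement.
# Usage: install_ca_bundle CANDIDATE EXPECTED_SHA256 TARGET BACKUP_DIR
# Assumption: EXPECTED_SHA256 was obtained over a channel you already trust,
# not over the same unauthenticated connection as the bundle itself.
install_ca_bundle() {
    candidate=$1; expected=$2; target=$3; backup_dir=$4

    # 1. Integrity: the file must match the independently obtained digest.
    actual=$(sha256sum "$candidate" 2>/dev/null | cut -d' ' -f1)
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "refusing $candidate: SHA-256 mismatch (got ${actual:-none})" >&2
        return 1
    fi

    # 2. Sanity: an HTML error page or truncated download has no balanced
    #    PEM blocks. "|| true" keeps grep's exit status 1 (zero matches)
    #    from aborting callers that run under "set -e".
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$candidate" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$candidate" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "refusing $candidate: not a PEM bundle ($begins BEGIN, $ends END)" >&2
        return 2
    fi

    # 3. Keep a timestamped copy of the bundle being replaced.
    mkdir -p "$backup_dir" || return 3
    if [ -f "$target" ]; then
        cp -p "$target" "$backup_dir/$(basename "$target").$(date +%Y%m%d%H%M%S)" || return 3
    fi

    # 4. Copy next to the target, then rename, so TLS clients never read a
    #    half-written trust store.
    tmp="$target.new.$$"
    if cp "$candidate" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$target"; then
        echo "installed $begins certificates into $target"
    else
        rm -f "$tmp"
        return 4
    fi
}
```

Download the bundle to a scratch path first, then pass that path, the trusted digest, /etc/pki/tls/certs/ca-bundle.crt and /root/backup to the function.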

23 Responses to “Fixing CentOS Root Certificate Authority Issues”

  1. Marcius says:

    Thanks!
    I had the same problem on my hosting box and your solution worked fine!

  2. Rob Benwell says:

    Thanks Eric for the great tips.. it really worked

  3. […] Fixing CentOS Root Certificate Authority Issues | Erics Tech Blog […]

  4. […] found a blog post from last year here and made sense for my […]

  5. […] This is the solution I use most often. Thanks Eric! […]

  6. Anonymous says:

    This solved my problem! Thanks!

  7. victorcoder says:

    Thanks! problem solved

  8. Billy says:

    Just saved me from having to read many, many pages of documentation. Thanks!

  9. Heitor Althmann says:

    EXCELLENT!

  10. Jam says:

    Why doesn’t this work on CentOS 5.8?

  11. Adam Lau says:

    Thanks! This also fixes my problem on RHEL. 😉

  12. disqus_g1FrhVMOSX says:

    thx m3n

  13. Esen Sagynov says:

    A two-year-old post, but it keeps solving problems. Thank you for this tip! My CentOS 5.6 had an identical problem when trying to curl opscode.com.

  14. bqdx says:

    It helps! thx very much!

  15. Brett Cave says:

    Alternatively, if it’s a CA that’s in the standard bundles that has emerged since, you can also try updating openssl:
    # yum update openssl -y

    • Ilias Okoosi says:

      You absolute maestro. You’ve saved me hours of head scratching!

    • TheArtist says:

      Mmm… let’s see. Highlight, Control+C, switch screen, Control+V. Whack Enter. Oops, nope didn’t work for me, it seems your solution does not do the trick after all. Next idea?

  16. Ralph Vugts says:

    Thank you, after a day of googling and trying to get my web hosts to fix this. I followed your steps and bingo it works again! Legend.

  17. Matt Barrio says:

    Woot: Running CENTOS 6.4. Ran into this issue today out of nowhere. Worked like a charm! I was about to just remove the server certs and let the bundle auto update on re-adding them (I think that would have worked).

    Anyways, cheers for the solution!

  18. Kevin says:

    I’m using Ubuntu and having trouble testing oinkmaster with the error 422 unprocessable entity ?? Please help me 🙁 this problem is related to http
