Fixing CentOS Root Certificate Authority Issues

While trying to clone a repository from GitHub the other day on one of my EC2 servers, I ran into an SSL verification issue. As it turns out, GitHub renewed their SSL certificate (as people who are responsible about their web presence do when their certificate is about to expire). As a result, I couldn’t git clone over https. This presents a problem since all my deploys work using git clone over https.

The error looks something like this:

*** error: SSL certificate problem, verify that the CA cert is OK. Details:
*** error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/indexzero/daemon.node.git/info/refs
*** fatal: HTTP request failed
*** Clone of 'https://github.com/indexzero/daemon.node.git' into submodule path 'support/daemon' failed

The reason for the error is that CentOS (at least the RightScale version 5.6.8.1) has an old certificate authority bundle: /etc/pki/tls/certs/ca-bundle.crt.

I backed up the existing certificate file just to be on the safe side.

# cp /etc/pki/tls/certs/ca-bundle.crt /root/backup/

To fix the issue, just download a new certificate bundle. I used the one from haxx.se.

# curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt
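
The command above fetches the system's trust anchors over plain HTTP and writes them straight into place, so anything that alters the response in transit, or an error page returned instead of the file, ends up as the CA bundle. The following is an added example, not part of the original post: it checks a downloaded candidate before installing it. The function name, the `.bak` backup location, and the idea that the expected SHA-256 digest was obtained over a separate trusted channel are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded CA bundle
# before it replaces the system trust store.
# Assumptions: sha256sum (coreutils) is installed; EXPECTED_SHA256 was
# obtained over a separate, trusted channel; install_ca_bundle is a
# hypothetical helper name.
#
# Usage: install_ca_bundle CANDIDATE EXPECTED_SHA256 DEST
# Returns: 0 installed, 1 digest mismatch, 2 malformed bundle, 3 I/O error
install_ca_bundle() {
    candidate=$1; expected=$2; dest=$3

    [ -r "$candidate" ] || { echo "cannot read $candidate" >&2; return 3; }

    # 1. Integrity: the file must match the digest we already trust.
    actual=$(sha256sum "$candidate" | awk '{print $1}')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch: got $actual" >&2
        return 1
    fi

    # 2. Sanity: at least one PEM certificate, and no truncated block.
    #    This rejects HTML error pages and partial downloads.
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$candidate" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$candidate" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "not a complete PEM bundle ($begins BEGIN / $ends END)" >&2
        return 2
    fi

    # 3. Keep a copy of the current bundle next to it (assumed location).
    if [ -e "$dest" ]; then
        cp -p "$dest" "$dest.bak" || return 3
    fi

    # 4. Write to a temp file in the same directory, then rename, so a
    #    reader never sees a half-written trust store.
    tmp=$(mktemp "$dest.XXXXXX") || return 3
    cat "$candidate" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest" \
        || { rm -f "$tmp"; return 3; }
    return 0
}

# Run directly with three arguments to perform the install.
if [ "$#" -eq 3 ]; then install_ca_bundle "$@"; fi
```

Download the candidate to a scratch path first (for example with the curl command above pointed at `-o /tmp/cacert.pem`), then pass that path, the trusted digest, and /etc/pki/tls/certs/ca-bundle.crt to the function.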
  • http://conigliaro.org/ Mike Conigliaro

    Thanks man.

  • Marcius

    Thanks!
    I had the same problem on my hosting box and your solution worked fine!

  • http://www.robbenwell.com Rob Benwell

    Thanks, Eric, for the great tips. It really worked.

  • http://www.gqdev.com/ GQDEV INTERACTIVE

    Thanks!

  • Anonymous

    This solved my problem! Thanks!

  • victorcoder

    Thanks! problem solved

  • Billy

    Just saved me from having to read many, many pages of documentation. Thanks!

  • Heitor Althmann

    EXCELLENT!

  • Jam

    Why doesn't it work on CentOS 5.8?

  • Adam Lau

    Thanks! This also fixes my problem on RHEL. ;)

  • disqus_g1FrhVMOSX

    thx m3n

  • http://www.cubrid.org/ Esen Sagynov

    Two-year-old post but it keeps solving the problems. Thank you for this tip! My CentOS 5.6 had an identical problem when trying to curl opscode.com.

  • bqdx

    It helps! thx very much!

  • http://brett.cave.za.net Brett Cave

    Alternatively, if it’s a CA that’s in the standard bundles that has emerged since, you can also try updating openssl:
    # yum update openssl -y

  • Ilias Okoosi

    You absolute maestro. You’ve saved me hours of head scratching!