Fixing CentOS Root Certificate Authority Issues

While trying to clone a repository from GitHub the other day on one of my EC2 servers, I ran into an SSL verification issue. As it turns out, GitHub renewed their SSL certificate (as people who are responsible about their web presence do when their certificate is about to expire). As a result, I couldn’t git clone over https. This presents a problem since all my deploys work using git clone over https.

The error looks something like this:

*** error: SSL certificate problem, verify that the CA cert is OK. Details:
*** error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing
*** fatal: HTTP request failed
*** Clone of '' into submodule path 'support/daemon' failed

The reason for the error is that CentOS (at least the RightScale version) has an old certificate authority bundle: /etc/pki/tls/certs/ca-bundle.crt.

I backed up the existing certificate file just to be on the safe side.

# cp /etc/pki/tls/certs/ca-bundle.crt /root/backup/

To fix the issue, just download a new certificate bundle. I used the one from

# curl -o /etc/pki/tls/certs/ca-bundle.crt
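
Because curl -o writes straight over the trust store, a failed or truncated download, or an HTML error page, would replace the bundle with something unusable. The following is an added example, not part of the original post: a shell helper that checks a downloaded candidate file for balanced PEM certificate blocks and a minimum count before backing up and atomically replacing the target. The function names, the .bak. suffix (the post copies its backup to /root/backup/ instead) and the default minimum of 50 certificates are assumptions of this example; it checks structure only, not certificate contents.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, the backup
# suffix and the default minimum of 50 certificates are assumptions.

# count_pem_certs FILE
# Prints the number of complete BEGIN/END CERTIFICATE pairs. Fails when a
# marker is unbalanced, which indicates a truncated or non-PEM file.
count_pem_certs() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (open) bad = 1; open = 1; next }
        /^-----END CERTIFICATE-----$/   { if (!open) bad = 1; open = 0; n++; next }
        END { if (bad || open) exit 1; print n + 0 }
    ' "$1"
}

# install_ca_bundle CANDIDATE TARGET [MIN_CERTS]
# Validates CANDIDATE, keeps a timestamped copy of TARGET, then swaps the
# new bundle in with a same-directory rename so readers never see a
# half-written trust store.
install_ca_bundle() {
    candidate=$1 target=$2 min=${3:-50}

    n=$(count_pem_certs "$candidate") || {
        echo "rejected: malformed PEM in $candidate" >&2
        return 1
    }
    if [ "$n" -lt "$min" ]; then
        echo "rejected: only $n certificates (expected >= $min)" >&2
        return 1
    fi

    # Back up the current bundle before touching it.
    if [ -f "$target" ]; then
        cp -p "$target" "$target.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi

    # Stage next to the target so mv is a rename on the same filesystem.
    tmp=$(mktemp "$target.new.XXXXXX") || return 1
    cat "$candidate" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$target" || {
        rm -f "$tmp"
        return 1
    }
    echo "installed $n certificates into $target"
}

# Usage: download to a scratch file first, then
#   install_ca_bundle /tmp/ca-bundle.new /etc/pki/tls/certs/ca-bundle.crt
```
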
Posted in Security. 23 Comments
  • Mike Conigliaro

    Thanks man.

  • Marcius

    I had the same problem on my hosting box and your solution worked fine!

  • Rob Benwell

    Thanks Eric for the great tips.. it really worked

  • Anonymous

    This solved my problem! Thanks!

  • victorcoder

    Thanks! problem solved

  • Billy

    Just saved me from having to read many, many pages of documentation. Thanks!

  • Jam

    Why doesn't it work on CentOS 5.8?

  • Adam Lau

    Thanks! This also fixes my problem on RHEL. 😉

  • disqus_g1FrhVMOSX

    thx m3n

  • Esen Sagynov

    Two years old post but keeps solving the problems. Thank you for this tip! My CentOS 5.6 had identical problem when trying to curl

  • bqdx

    It helps! thx very much!

  • Brett Cave

    Alternatively, if it’s a CA that’s in the standard bundles that has emerged since, you can also try updating openssl:
    # yum update openssl -y

  • Ilias Okoosi

    You absolute maestro. You’ve saved me hours of head scratching!

  • Ralph Vugts

    Thank you, after a day of googling and trying to get my web hosts to fix this. I followed your steps and bingo it works again! Legend.

  • Matt Barrio

    Woot: Running CENTOS 6.4. Ran into this issue today out of nowhere. Worked like a charm! I was about to just remove the server certs and let the bundle auto update on re-adding them (I think that would have worked).

    Anyways, cheers for the solution!

  • laike9m

    I love you~

  • TheArtist

    Mmm… let’s see. Highlight, Control+C, switch screen, Control+V. Whack Enter. Oops, nope didn’t work for me, it seems your solution does not do the trick after all. Next idea?

  • Kevin

    I'm using Ubuntu and having trouble testing oinkmaster with the error 422 unprocessable entity ?? Please help me 🙁 this problem is related to http