Fixing CentOS Root Certificate Authority Issues

01 Jun

While trying to clone a repository from GitHub the other day on one of my EC2 servers, I ran into an SSL verification issue. As it turns out, GitHub renewed their SSL certificate (as people who are responsible about their web presence do when their certificate is about to expire). As a result, I couldn’t git clone over https. This presents a problem since all my deploys work using git clone over https.

The error looks something like this:

*** error: SSL certificate problem, verify that the CA cert is OK. Details:
*** error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/indexzero/daemon.node.git/info/refs
*** fatal: HTTP request failed
*** Clone of 'https://github.com/indexzero/daemon.node.git' into submodule path 'support/daemon' failed

The error occurs because CentOS (at least the RightScale version 5.6.8.1) has an old certificate authority bundle: /etc/pki/tls/certs/ca-bundle.crt.

I backed up the existing certificate file just to be on the safe side.

# cp /etc/pki/tls/certs/ca-bundle.crt /root/backup/

To fix the issue, just download a new certificate bundle. I used the one from haxx.se.

# curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt
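
The download above travels over plain HTTP and is written straight over the system trust store, so nothing authenticates the file that every TLS client on the box will then rely on. The following is an added example, not part of the original post, of checking a downloaded bundle before installing it; it assumes sha256sum is available and that the expected digest was obtained over a separate, trusted channel, and install_ca_bundle is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: verify a downloaded CA bundle before it replaces the live one.
# install_ca_bundle CANDIDATE EXPECTED_SHA256 DEST   (hypothetical helper)
#   CANDIDATE       bundle already downloaded to a scratch path
#   EXPECTED_SHA256 digest obtained over a separate, trusted channel (assumption)
#   DEST            live bundle, e.g. /etc/pki/tls/certs/ca-bundle.crt
install_ca_bundle() {
    candidate=$1 expected=$2 dest=$3

    [ -s "$candidate" ] || { echo "candidate missing or empty" >&2; return 1; }

    # 1. Integrity: the digest must match the one fetched out of band.
    actual=$(sha256sum "$candidate" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch: got $actual" >&2
        return 2
    fi

    # 2. Sanity: a truncated download or an HTML error page does not have
    #    balanced BEGIN/END CERTIFICATE markers.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$candidate" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$candidate" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "not a well-formed PEM bundle ($begins begin, $ends end)" >&2
        return 3
    fi

    # 3. Keep the old bundle, then swap the new one in with a rename so no
    #    TLS client ever reads a half-written file.
    if [ -e "$dest" ]; then cp -p "$dest" "$dest.bak" || return 4; fi
    tmp="$dest.new.$$"
    cp "$candidate" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest" \
        || { rm -f "$tmp"; return 4; }
    echo "installed $begins certificates into $dest"
}
```

On a mismatch or malformed file the function returns before touching DEST, so the existing bundle stays in place.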
  • Thanks man.

  • Marcius

    Thanks!
    I had the same problem on my hosting box and your solution worked fine!

  • Thanks Eric for the great tips.. it really worked

  • Thanks!

  • Anonymous

    This solved my problem! Thanks!

  • victorcoder

    Thanks! problem solved

  • Billy

    Just saved me from having to read many, many pages of documentation. Thanks!

  • Heitor Althmann

    EXCELLENT!

  • Jam

    why no work on centOS 5.8

  • Adam Lau

    Thanks! This also fixes my problem on RHEL. 😉

  • disqus_g1FrhVMOSX

    thx m3n

  • Two years old post but keeps solving the problems. Thank you for this tip! My CentOS 5.6 had identical problem when trying to curl opscode.com.

  • bqdx

    It helps! thx very much!

  • Alternatively, if it’s a CA that’s in the standard bundles that has emerged since, you can also try updating openssl:
    # yum update openssl -y

    • Ilias Okoosi

      You absolute maestro. You’ve saved me hours of head scratching!

    • TheArtist

      Mmm… let’s see. Highlight, Control+C, switch screen, Control+V. Whack Enter. Oops, nope didn’t work for me, it seems your solution does not do the trick after all. Next idea?

  • Thank you, after a day of googling and trying to get my web hosts to fix this. I followed your steps and bingo it works again! Legend.

  • Matt Barrio

    Woot: Running CENTOS 6.4. Ran into this issue today out of nowhere. Worked like a charm! I was about to just remove the server certs and let the bundle auto update on re-adding them (I think that would have worked).

    Anyways, cheers for the solution!

  • I love you~

  • Kevin

    I'm using Ubuntu and having trouble testing oinkmaster with the error 422 unprocessable entity ?? Please help me 🙁 this problem is related to http