CentOS 7 - Won't accept any SSL certificates

I have a problem on my CentOS 7 box doing anything that requires SSL, including curl, wget or updating via YUM.

The output is always the same:

[root@localhost ~]# curl -I -v https://google.com
* About to connect() to google.com port 443 (#0)
*   Trying 74.125.138.100...
* Connected to google.com (74.125.138.100) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
*       start date: Jun 16 08:37:32 2016 GMT
*       expire date: Sep 08 08:29:00 2016 GMT
*       common name: *.google.com
*       issuer: CN=192.168.2.44,C=US
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

All certificates appear to be "marked as not trusted" (I've tried this with a dozen different URLs). I tried reinstalling CA certificates by doing this:

yum --disablerepo="epel" reinstall ca-certificates

but that didn't help. Any ideas?


Solution 1:

I would check out your nss installation. It's possible that it is out of date / corrupted in some way.

Check the version you are running; the latest on CentOS 7 should be:

nss-config --version
3.21.0

Then check if any nss packages have been modified / corrupted:

rpm -Vv nss-*

Depending on your results, an nss update or reinstall may be required.

You can semi-definitively see if it is an issue with nss by temporarily changing the permissions on that directory (as root):

chmod 400 /etc/pki/nssdb/*

Then issue the curl command as a regular user - if it works, it will output something like this:

* Connected to google.com (172.217.4.206) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Unable to initialize NSS database
* Initializing NSS with certpath: none
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
<clipped>

This indicates that it just used the CA certs and not the nssdb-based authentication.

If this isn't an nss-related problem, here is a RHEL guide that applies to CentOS as well and walks through ensuring you have a clean CA cert configuration. I don't believe that link is behind their paywall; let me know if you need it and can't access it.
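An added example, not from the question or any of the answers: a POSIX shell triage function that classifies a saved `curl -v` transcript offline, separating the question's case (an untrusted issuer whose CN is a bare IPv4 address, which points at something between the host and the site re-signing server certificates rather than at the CA bundle) from the nssdb-bypass fallback shown in the output above. Both transcripts are constructed from outputs quoted in this thread.

```shell
# Added example: offline triage of a saved "curl -v" transcript. Not part of
# the thread; the transcripts below are constructed from outputs quoted in it.

# Constructed from the question: verification fails, issuer CN is an IP address.
SAMPLE_QUESTION=$(cat <<'EOF'
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
*       subject: CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
*       issuer: CN=192.168.2.44,C=US
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
EOF
)

# Constructed from Solution 1: nssdb unreadable, curl falls back to the CA bundle.
SAMPLE_BYPASS=$(cat <<'EOF'
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Unable to initialize NSS database
* Initializing NSS with certpath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
EOF
)

# Print the first issuer DN found in a transcript read from stdin.
issuer_of() {
  sed -n 's/^\*[[:space:]]*issuer: //p' | head -n 1
}

# Succeed when the issuer DN carries a CN that is a bare IPv4 address. No CA in
# the public bundle is named like that; it usually means a middlebox on the path
# is re-signing server certificates, so repairing nss will not make it trusted.
issuer_cn_is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '(^|,)CN=([0-9]{1,3}\.){3}[0-9]{1,3}(,|$)'
}

# Classify one transcript: nssdb-bypassed | intercepted | untrusted | ok
classify_curl_nss() {
  if printf '%s\n' "$1" | grep -q 'Unable to initialize NSS database'; then
    echo nssdb-bypassed; return
  fi
  if printf '%s\n' "$1" | grep -q 'SEC_ERROR_UNTRUSTED_ISSUER'; then
    issuer=$(printf '%s\n' "$1" | issuer_of)
    if issuer_cn_is_ipv4 "$issuer"; then echo intercepted; else echo untrusted; fi
    return
  fi
  echo ok
}

classify_curl_nss "$SAMPLE_QUESTION"   # prints: intercepted
classify_curl_nss "$SAMPLE_BYPASS"     # prints: nssdb-bypassed
```

Feed it a real transcript with `curl -v https://example.invalid 2>&1 | ...` captured to a variable; an `intercepted` result means the fix lies in the network path or in trusting that device's CA deliberately, not in the nss packages.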

Solution 2:

What environment are you running CentOS 7 under?

There is a nasty bug related to the CentOS 6.8 update / NSS 3.21.0-8.el6 on systems under (Xen) virtualization and/or with CPU AES support. I've experienced the issue after the CentOS 6.8 & NSS update on both Rackspace & AWS t1.micro instances.

I believe you are having a related issue with a CentOS 7 NSS update.

https://www.centos.org/forums/viewtopic.php?t=58002

https://bugs.centos.org/view.php?id=10930#c26705

How to check that AES-NI is supported by my CPU? https://unix.stackexchange.com/questions/14077/how-to-check-that-aes-ni-is-supported-by-my-cpu

On 6.8, some people have succeeded in downgrading NSS by setting the environment variable "NSS_DISABLE_HW_GCM=1":

# export NSS_DISABLE_HW_AES=1   # exported so the yum process below inherits it
# yum downgrade nss nss-util nss-tools nss-sysinit
# yum install yum-plugin-versionlock
# yum versionlock add! nss-3.21.0-0.3.el6_7.x86_64 nss-sysinit-3.21.0-0.3.el6_7.x86_64 nss-tools-3.21.0-0.3.el6_7.x86_64 nss-util-3.21.0-0.3.el6_7.x86_64

Again, the above code is for 6.8, NOT CentOS 7.

I found nss-3.21.0-0.3.el6_7.x86_64 deprecated and unavailable. I've reloaded the entire server from an image backup taken prior to the 6.8 update and YUM version-locked nss nss-sysinit nss-tools nss-util before updating again.

NOTE: I would add the above info as a 'comment' NOT an 'answer' but my low rep score prevents me from commenting, I can only 'answer'.

I hope this helps.

Solution 3:

I had a similar issue. Granted, it is most likely my own gaffe.

It was necessary to install *nss-*

[not showing this]# nss-config version

bash: nss-config: command not found

yum install -y nss-*

Installed:
  nss-devel.x86_64 0:3.36.0-7.el7_5
  nss-pam-ldapd.x86_64 0:0.8.13-16.el7
  nss-pkcs11-devel.x86_64 0:3.36.0-7.el7_5
  nss-softokn-devel.x86_64 0:3.36.0-5.el7_5
  nss-softokn-freebl-devel.x86_64 0:3.36.0-5.el7_5
  nss-util-devel.x86_64 0:3.36.0-1.el7_5

Dependency Installed:
  nscd.x86_64 0:2.17-260.el7            nspr-devel.x86_64 0:4.19.0-1.el7_5

nss-config version

Usage: nss-config [OPTIONS] [LIBRARIES]

Options:
        [--prefix[=DIR]]
        [--exec-prefix[=DIR]]
        [--includedir[=DIR]]
        [--libdir[=DIR]]
        [--version]
        [--libs]
        [--cflags]

Dynamic Libraries:
        nss
        nssutil
        ssl
        smime

[not showing this still]# nss-config --version
3.36.0