How to update cURL CA bundle on RedHat?

I am running into issues where the CA bundle that has been bundled with my version of cURL is outdated.

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

Reading through the documentation didn't help me because I didn't understand what I needed to do or how to do it. I am running RedHat and need to update the CA bundle. What do I need to do to update my CA bundle on RedHat?


For RHEL 6 or later, you should be using update-ca-trust, as lzap describes in his answer below.

--- For older versions of Fedora, CentOS, Redhat:

Curl uses the system-default CA bundle, which is stored in /etc/pki/tls/certs/ca-bundle.crt . Before you change it, make a copy of that file so that you can restore the system default if you need to. You can simply append new CA certificates to that file, or you can replace the entire bundle.

Are you also wondering where to get the certificates? I (and others) recommend curl.se/ca . In one line:

curl https://curl.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

Fedora Core 2 location is /usr/share/ssl/certs/ca-bundle.crt.


The recommended way of doing that on RHEL 6+ systems is to use the update-ca-trust tool, which is now installed by default.

# cat /etc/pki/ca-trust/source/README 
This directory /etc/pki/ca-trust/source/ contains CA certificates and 
trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority - higher than the ones found in 
/usr/share/pki/ca-trust-source/.

=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
            list of CAs trusted on the system:

            Copy it to the
                    /etc/pki/ca-trust/source/anchors/
            subdirectory, and run the
                    update-ca-trust
            command.

            If your certificate is in the extended BEGIN TRUSTED file format,
            then place it into the main source/ directory instead.
=============================================================================

Please refer to the update-ca-trust(8) manual page for additional information

Therefore, you only need to drop your crt file into /etc/pki/ca-trust/source/anchors/ and run the tool. Work done. This is safe to do; you don't need to do any backups. The full manual page can be found here: https://www.mankier.com/8/update-ca-trust
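The copy-and-run procedure above, as an added shell script (my example, not part of lzap's answer or of the ca-certificates package): it validates the file with openssl, drops it into the anchors directory, runs update-ca-trust, and then confirms the anchor actually reached the bundle cURL reads. The helpers pem_body, cert_count and cert_in_bundle are my own assumptions, not system tools; the anchors directory and bundle path are the ones from the README above.

```shell
#!/bin/sh
# Added example: register a CA certificate as a system trust anchor on RHEL 6+
# and verify that it appears in the bundle cURL uses (paths from the README).
ANCHORS=/etc/pki/ca-trust/source/anchors
BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# Print the base64 body of the first certificate in a PEM file as one line.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ {f=1; next}
         /-----END CERTIFICATE-----/   {exit}
         f' "$1" | tr -d '\n\r '
}

# Number of PEM certificates in a file (0 if none).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Exit 0 if the certificate in $1 is present, byte for byte, in bundle $2.
# Compares the whole PEM block after stripping whitespace, so it needs no
# openssl and cannot match a cert that merely shares a substring.
cert_in_bundle() {
    body=$(pem_body "$1")
    [ -n "$body" ] || return 2
    tr -d '\n\r ' < "$2" \
        | grep -qF -- "-----BEGINCERTIFICATE-----${body}-----ENDCERTIFICATE-----"
}

# The README procedure: validate, copy into anchors/, run update-ca-trust,
# then check that the new anchor is in the bundle cURL reads.
add_ca_anchor() {
    cert=$1
    openssl x509 -noout -in "$cert" \
        || { echo "$cert is not a PEM certificate" >&2; return 1; }
    cp "$cert" "$ANCHORS/" && update-ca-trust
    if cert_in_bundle "$cert" "$BUNDLE"; then
        echo "anchor present in $BUNDLE ($(cert_count "$BUNDLE") certificates total)"
    else
        echo "anchor NOT found in $BUNDLE; check the update-ca-trust output" >&2
        return 1
    fi
}

# Usage (as root): sh add-ca-anchor.sh /path/to/your-root-ca.pem
if [ $# -eq 1 ]; then
    add_ca_anchor "$1"
fi
```

After a successful run, `curl https://your-host/` should verify without --cacert, since cURL on RHEL reads the regenerated bundle by default.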


Probably depends on which version of Redhat. You can find which package actually updates the file by doing:

rpm -qf /etc/pki/tls/certs/ca-bundle.crt

My result was showing that openssl-0.9.8e-12.el5 needs to be updated.

If there are no updated certificates in your distribution, you have to update manually, as per Nada's answer.


RHEL provides the Mozilla CA certificates as part of the ca-certificates package (install this with yum if it's not already installed). To tell cURL to use these, use the --cacert parameter like so:

curl --cacert /etc/ssl/certs/ca-bundle.crt https://google.com/