SSL issues "Peer's certificate issuer has been marked as not trusted by the user."

ssl centos centos7 ssl-certificate-errors

We have a public facing development server that requires SSL for a particular function.

Yet EVERYTHING that uses SSL in any form returns

curl: (60) Peer's certificate issuer has been marked as not trusted by the user.

This is not an issue of "Well just use ssl-verify=false on yum, or --insecure on curl requests.

I realize I can do that on both of those to do my calls. But ultimately - I MUST be able to use SSL because the development we are using these servers for requires it.

It seems that the CA is out of date. I have tried the following https://access.redhat.com/solutions/1549003

I have tried importing the cacert.pem file myself (tho I will admit, I'm lacking in knowledge here, so its possible I did it wrong)

I have checked date/time on the server to make sure that is not the issue.

I cannot get the "Network Admin" (term used loosely, as he'll be the first to admit he has absolutely no knowledge of Linux - pure Microsoft) to even be bothered with reinstalling Centos to this machine, so I need to find a solution to this.

Any help would be appreciated. Below are some examples of what we get when trying to do things such as yum, curl, and running certbot --apache

YUM

[root@localhost work]# yum reinstall mc
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel- 
7&arch=x86_64 error was
14: curl#60 - "Peer's certificate issuer has been marked as not trusted by 
the user."
 * base: repos.dfw.quadranet.com
 * epel: mirror.compevo.com
 * extras: repos-tx.psychz.net
 * updates: mirror.us.oneandone.net
 * webtatic: repo.webtatic.com
https://us-east.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 
14] curl#60 - "Peer's certificate issuer has been marked as not trusted by 
the user."
Trying other mirror.
It was impossible to connect to the CentOS servers.
This could mean a connectivity issue in your environment, such as the 
requirement to configure a proxy,
or a transparent proxy that tampers with TLS security, or an incorrect 
system clock.
You can try to solve this issue by using the instructions on 
https://wiki.centos.org/yum-errors
If above article doesn't help to resolve this issue please use 
https://bugs.centos.org/.

https://uk.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] 
curl#60 - "Peer's certificate issuer has been marked as not trusted by the 
user."
Trying other mirror.
https://sp.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] 
curl#60 - "Peer's certificate issuer has been marked as not trusted by the 
user."
Trying other mirror.
https://repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] 
curl#60 - "Peer's certificate issuer has been marked as not trusted by the 
user."
Trying other mirror.

CURL

[root@localhost work]# curl https://www.google.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the 
user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

CERTBOT (FOR LETSENCRYPT SSL CERT REQUEST)

[root@localhost work]#  sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 
'c' to cancel): [email protected]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed 
(_ssl.c:579)
Please see the logfiles in /var/log/letsencrypt for more details.

my here is in CentOS7, run pyspider show error:

Exception HTTP 599 Peer's certificate issuer has been marked as not trusted by the user

and using following steps to fix it:

change invalid libcurl .so file:

/usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0_openssl

to valid libcurl .so file:

/usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0

and reinstall pycurl:

pip3 uninstall pycurl
export PYCURL_SSL_LIBRARY=nss
export LDFLAGS=-L/usr/local/opt/openssl/lib;export CPPFLAGS=-I/usr/local/opt/openssl/include;pip install pycurl --compile --no-cache-dir

detailed description refer another SO post


Wanted to answer and close this for future reference.

Turns out we did have a proxy server that was messing with things. We've got quite the interesting situation at my work (3 companies, 2 owned by one owner of my company seperate from my own company).

Turns out company B's system administrator had put a proxy server in the loop x many years ago and forgot all about it. Enter my companys sys admin who takes over the whole system admin role for all companies. Nobody tells him about the proxy. Its been running for years without anyones knowledge.

Related

How to configure notification on degraded RAID? [closed]
Why am I unable to access my website after installing an SSL certificate using Certbot? (running Ubuntu and Nginx)
Can't run docker in Centos 7
Self signed ssl I created for localhost cannot be trusted even though I have already imported it to chrome
Exim - Sender verify failed - rejected RCPT
CUPS - output a copy of all print jobs as PDF
mysql_install_db wrong charset and collation
MySQL 1 schema, 1 filesystem
Why can I airdrop from my MacBook to my iPhone, but not my iPhone to my Macbook?
App crashing because of cache issue [closed]
Why is it difficult to drag with the Magic Trackpad 2?
Can you charge an iPad and connect a USB-C device at the same time?