SSL issues "Peer's certificate issuer has been marked as not trusted by the user."
We have a public facing development server that requires SSL for a particular function.
Yet EVERYTHING that uses SSL in any form returns
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
This is not an issue of "Well, just use ssl-verify=false on yum, or --insecure on curl requests."
I realize I can do that on both of those to do my calls. But ultimately - I MUST be able to use SSL because the development we are using these servers for requires it.
It seems that the CA is out of date. I have tried the following https://access.redhat.com/solutions/1549003
I have tried importing the cacert.pem file myself (though I will admit I'm lacking in knowledge here, so it's possible I did it wrong).
I have checked date/time on the server to make sure that is not the issue.
I cannot get the "Network Admin" (term used loosely, as he'll be the first to admit he has absolutely no knowledge of Linux - pure Microsoft) to even be bothered with reinstalling CentOS on this machine, so I need to find a solution to this.
Any help would be appreciated. Below are some examples of what we get when trying to do things such as yum, curl, and running certbot --apache
YUM
[root@localhost work]# yum reinstall mc
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64 error was
14: curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
* base: repos.dfw.quadranet.com
* epel: mirror.compevo.com
* extras: repos-tx.psychz.net
* updates: mirror.us.oneandone.net
* webtatic: repo.webtatic.com
https://us-east.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
Trying other mirror.
It was impossible to connect to the CentOS servers.
This could mean a connectivity issue in your environment, such as the
requirement to configure a proxy,
or a transparent proxy that tampers with TLS security, or an incorrect
system clock.
You can try to solve this issue by using the instructions on
https://wiki.centos.org/yum-errors
If above article doesn't help to resolve this issue please use
https://bugs.centos.org/.
https://uk.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
Trying other mirror.
https://sp.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
Trying other mirror.
https://repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
Trying other mirror.
CURL
[root@localhost work]# curl https://www.google.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
CERTBOT (FOR LETSENCRYPT SSL CERT REQUEST)
[root@localhost work]# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): [email protected]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
Please see the logfiles in /var/log/letsencrypt for more details.
My case here is CentOS 7, running pyspider, which shows the error:
Exception HTTP 599 Peer's certificate issuer has been marked as not trusted by the user
I used the following steps to fix it:
Change the invalid libcurl .so symlink:
/usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0_openssl
to the valid libcurl .so file:
/usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0
and reinstall pycurl:
pip3 uninstall pycurl
export PYCURL_SSL_LIBRARY=nss
export LDFLAGS=-L/usr/local/opt/openssl/lib
export CPPFLAGS=-I/usr/local/opt/openssl/include
pip install pycurl --compile --no-cache-dir
A detailed description is in another SO post.
Wanted to answer and close this for future reference.
Turns out we did have a proxy server that was messing with things. We've got quite the interesting situation at my work (3 companies, 2 owned by one owner of my company, separate from my own company).
Turns out company B's system administrator had put a proxy server in the loop x many years ago and forgot all about it. Enter my company's sys admin, who takes over the whole system admin role for all companies. Nobody tells him about the proxy. It's been running for years without anyone's knowledge.