Skip to main content

Raymii.org Logo (IEC resistor symbol) logo

Quis custodiet ipsos custodes?
Home | About | All pages | RSS Feed | Gopher

CentOS 5 CA Certificate Bundle Update

Published: 06-07-2014 | Author: Remy van Elst | Text only version of this article


Table of Contents


This simple snippet shows you how to update the root ca certificate bundle on CentOS 5. Some websites have certificates signed by authorities not in the default bundle and those websites will not work with tools like git, curl, wget or anything else that uses https.

If you like this article, consider sponsoring me by trying out a Digital Ocean VPS. With this link you'll get $100 credit for 60 days). (referral link)

When trying to clone a repository from Github on an older CentOS 5 machine I ran into an SSL certificate verification issue. As it turns out, the Github certificate was no longer singed by one of the trusted root certificate authorities in CentOS 5. Therefore I could not clone the repo over https.

The error looks a bit like this:

*** error: SSL certificate problem, verify that the CA cert is OK. Details:
*** error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/RaymiiOrg/nopriv.py.git/info/refs
*** fatal: HTTP request failed
*** Clone of 'https://github.com/RaymiiOrg/NoPriv.py.git' failed

By updating the root ca bundle we can fix this problem. The cURL website has a bundle ready that also ships with cURL, and work on CentOS 5.

First, backup the old bundle:

cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.bak

Then download the new bundle:

wget -O /etc/pki/tls/certs/ca-bundle.crt http://curl.haxx.se/ca/cacert.pem 
Tags: ca , centos , certificates , rhel , snippets , ssl