CentOS 5 CA Certificate Bundle Update
Published: 06-07-2014 | Author: Remy van Elst | Text only version of this article
❗ This post is over seven years old. It may no longer be up to date. Opinions may have changed.
This simple snippet shows you how to update the root ca certificate bundle on CentOS 5. Some websites have certificates signed by authorities not in the default bundle and those websites will not work with tools like git, curl, wget or anything else that uses https.
Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.
You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days.
When trying to clone a repository from Github on an older CentOS 5 machine I ran into an SSL certificate verification issue. As it turns out, the Github certificate was no longer singed by one of the trusted root certificate authorities in CentOS 5. Therefore I could not clone the repo over https.
The error looks a bit like this:
*** error: SSL certificate problem, verify that the CA cert is OK. Details: *** error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/RaymiiOrg/nopriv.py.git/info/refs *** fatal: HTTP request failed *** Clone of 'https://github.com/RaymiiOrg/NoPriv.py.git' failed
By updating the root ca bundle we can fix this problem. The cURL website has a bundle ready that also ships with cURL, and work on CentOS 5.
First, backup the old bundle:
cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.bak
Then download the new bundle:
Tags: ca , centos , certificates , rhel , snippets , ssl
wget -O /etc/pki/tls/certs/ca-bundle.crt http://curl.haxx.se/ca/cacert.pem