17

I am using CentOS 6.6 64-bit and have a problem when using curl. The server primarily hosts several WordPress blogs using Apache and MySQL.

My simplest means to generate the error is with the following yum command which outputs the below

```
yum list "ca-certi*"
```

```
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=x86_64 error was
14: PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"
 * base: cosmos.cites.illinois.edu
 * epel: mirror.cogentco.com
 * extras: mirrors.rit.edu
 * updates: mirrors.rit.edu
Installed Packages
ca-certificates.noarch                 2014.1.98-65.1.el6                  @base
```

Solutions tried and failed so far, based on googling around:

1) I have tried restarting the VPS, no good.

2) Executing `curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt`, without any luck.

3) This solution was no good at all, as it relies on yum to solve the SSL problem that yum also suffers from: http://syslint.com/syslint/curl-77-problem-with-the-ssl-ca-cert-path-access-rights-solved/

Can I run these yum steps to install with wget? Do you think it would help?

```
# yum reinstall ca-certificates
# yum reinstall openssl
```

I think Virtualmin had installed some updates in the last 24 hours. Is there a log of updates it ran somewhere?

Can anyone please help get around this "Problem with the SSL CA cert (path? access rights?)" problem?

TIA

BradMcA
  • Did you try the `reinstall` commands? If you already have the package locally yum doesn't need to touch the network to complete that action. Though you might not have it in which case it won't work if that package needs to come from the EPEL repo (which I don't believe it does). – Etan Reisner Jan 16 '15 at 15:23
  • curl without certificates is good, so it must be certificate-specific: `curl -k http://www.reddit.com` works – BradMcA Jan 16 '15 at 15:29
  • reinstall for openssl is no good at least, no local store: `yum reinstall openssl` ..... `Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=x86_64 error was 14: PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"` ....... `Reinstalling: openssl x86_64 1.0.1e-30.el6_6.4 updates 1.5 M` ......... `Total size: 1.5 M Installed size: 4.0 M Is this ok [y/N]: y Downloading Packages: error: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: BAD Problem opening package openssl-1.0.1e-30.el6_6.4.x86_64.rpm` – BradMcA Jan 16 '15 at 15:32
  • That's interesting but seems unrelated. Also I'm not sure what part of this issue the other poster thought reinstalling openssl was going to help with. It shouldn't make any difference to the certificate issue I don't think. – Etan Reisner Jan 16 '15 at 15:36
  • Is there a way to confirm that curl is looking in the right location on the file system for the certificates? – BradMcA Jan 16 '15 at 15:40
  • `curl -v` seems to indicate which files/directories it is using. But `yum` may or may not be using that. The `yum` config can specify locations too. What does `rpm -V ca-certificates` say? – Etan Reisner Jan 16 '15 at 15:44
  • output is `[root@bradmca ~]# rpm -V ca-certificates` `error: rpmdbNextIterator: skipping h# 585 Header V3 RSA/SHA1 Signature, key ID c105b9de: BAD` `package ca-certificates is not installed` `[root@bradmca ~]#` – BradMcA Jan 16 '15 at 22:52
  • but the same kind of command for python also claims it's not installed, however running python proves otherwise. I think there was a large-scale corruption in the Virtualmin update recently – BradMcA Jan 16 '15 at 22:53
  • 1
    This question may be off-topic because it's not about programming or development. Perhaps [Super User](http://superuser.com/) or [Webmasters Stack Exchange](http://webmasters.stackexchange.com/) would be a better place to ask. – jww Jan 17 '15 at 03:28
  • Possible duplicate of [cURL not working (Error #77) for SSL connections on CentOS for non-root users](https://stackoverflow.com/questions/17064601/curl-not-working-error-77-for-ssl-connections-on-centos-for-non-root-users) – kenorb May 09 '19 at 18:00

3 Answers

10

An easier solution for CentOS 6/7: remove the CA bundle and reinstall the certificates.

```
rm -f /etc/ssl/certs/ca-bundle.crt && yum reinstall -y ca-certificates
```

The problem is that if you only reinstall the certificates, this won't replace ca-bundle. The new one is left with a .rpmnew name.

otakuf
  • I didn't realise that this problem was because I'd deleted ca-bundle.crt (because we use external certificates and I didn't realise it was needed). I did what you suggest here - without the rm -f step - and the problem was resolved. Thank you! – Pancho Feb 04 '19 at 19:43
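A diagnostic for the situation this answer describes, added here as an example and not part of the original answer: it classifies a CA bundle path as missing, unreadable, empty of certificates, or shadowed by a pending `.rpmnew`. The function name and return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify why a CA bundle path could trigger curl/yum error 77.
# check_ca_bundle and its return codes are hypothetical names for illustration.
#
# check_ca_bundle PATH
#   0 usable
#   1 missing, dangling symlink, or a parent directory is not searchable
#   2 present but not readable by the current user
#   3 readable but holds no complete PEM certificate
#   4 usable, but PATH.rpmnew exists (the package's newer bundle was not applied)
check_ca_bundle() {
    bundle=$1
    if [ ! -e "$bundle" ]; then
        echo "missing: $bundle"
        return 1
    fi
    if [ ! -r "$bundle" ]; then
        echo "not readable by $(id -un): $bundle"
        return 2
    fi
    # Count PEM markers; "|| true" keeps a zero count from aborting under set -e.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$bundle" || true)
    if [ "${begins:-0}" -eq 0 ] || [ "$begins" != "$ends" ]; then
        echo "no complete certificates in $bundle (BEGIN=$begins END=$ends)"
        return 3
    fi
    if [ -e "$bundle.rpmnew" ]; then
        echo "$bundle.rpmnew is pending; compare it with $bundle before replacing"
        return 4
    fi
    echo "ok: $begins certificates in $bundle"
    return 0
}

# Usage on the path from this thread:
#   check_ca_bundle /etc/pki/tls/certs/ca-bundle.crt
```

Run it as the same user that sees error 77, since the readability check depends on who is asking.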
5

This worked for me on CentOS 6:

```
mkdir /usr/src/ca-certificates && cd /usr/src/ca-certificates
wget http://mirror.centos.org/centos/6/os/x86_64/Packages/ca-certificates-2015.2.6-65.0.1.el6_7.noarch.rpm
rpm2cpio ca-certificates-2015.2.6-65.0.1.el6_7.noarch.rpm | cpio -idmv
cp -pi ./etc/pki/tls/certs/ca-bundle.* /etc/pki/tls/certs/
```

Answer yes to overwrite.

To check:

```
curl -vvv https://www.unixy.net
```

batchenr
  • 1
    Also works with CentOS 7 by changing the URL to centos/7/os/x86_64/Packages/ca-certificates-2017.2.14-71.el7.noarch.rpm in order to reflect the new version. – Odecif Sep 26 '17 at 09:03
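The steps above copy a bundle that arrived over plain HTTP straight into the system trust store. The sketch below is an added example, not part of the answer: it refuses the copy unless the file matches a SHA-256 digest and is structurally complete, then installs it atomically with a backup. It assumes the digest was obtained over a trusted channel; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: gate a CA bundle replacement on a digest check and a PEM
# sanity check. Function names and return codes are hypothetical; the expected
# digest is assumed to come from a trusted channel (e.g. a known-good machine).

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# safe_install_bundle CANDIDATE TARGET EXPECTED_SHA256
#   0 installed, 1 digest mismatch, 2 truncated or empty PEM, 3 copy failed
safe_install_bundle() {
    candidate=$1 target=$2 expected=$3

    # 1. The bytes must be exactly the ones that were vouched for.
    [ "$(sha256_of "$candidate")" = "$expected" ] || return 1

    # 2. Every BEGIN marker needs its END; a cut-off download fails here.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$candidate" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$candidate" || true)
    [ "${begins:-0}" -gt 0 ] && [ "$begins" = "$ends" ] || return 2

    # 3. Keep the previous bundle so the change can be rolled back.
    if [ -e "$target" ]; then
        cp -p "$target" "$target.bak" || return 3
    fi

    # 4. Write beside the target, then rename, so readers never see a partial
    #    file; 0644 keeps it readable for non-root users of curl.
    tmp="$target.new.$$"
    cp "$candidate" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$target" || {
        rm -f "$tmp"
        return 3
    }
    return 0
}

# Usage with the paths from this answer (digest is a placeholder):
#   safe_install_bundle ./etc/pki/tls/certs/ca-bundle.crt \
#       /etc/pki/tls/certs/ca-bundle.crt "<sha256-from-trusted-source>"
```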
1

Solution from here: https://www.virtualmin.com/node/35857

nss-softokn breaks yum/rpm in CentOS 6. In order to fix it, do the following:

```
wget http://mirror.centos.org/centos/6/updates/x86_64/Packages/nss-softokn-fr...
rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm | cpio -idmv
cd lib64
cp libfreeblpriv3.* /lib64
yum update # sync new repo package
```

Community
BradMcA