I've been trying to configure a fresh dedicated server when I found a strange behavior of curl on CentOS 6 (and 7):
curl "https://google.com"
returns
curl (60): Peer certificate cannot be authenticated with known CA certificates
It seems like curl does not know anything about the CAs installed on the current system.
# curl https://google.com --verbose
* About to connect() to google.com port 443 (#0)
* Trying 172.217.25.174... connected
* Connected to google.com (172.217.25.174) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Remote Certificate has expired.
* NSS error -8181
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
--insecure is not good for me.
I've tried to:
- reinstall ca-certificates
- extract certificates via update-ca-trust extract
- download a third-party CA certificate
- even set the --cacert option for the curl execution directly
but it does not help me.
First thought: okay, a fresh OS might not have an up-to-date version of the certificates, but what if I do yum update -y? They should be up to date, shouldn't they?
I've checked previously asked questions like this get-60-error-with-curl and many others.
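
The verbose trace above contains `Remote Certificate has expired` (NSS error -8181, `SEC_ERROR_EXPIRED_CERTIFICATE`), which is a validity-period check made against the local clock and is separate from the trust-store lookup that `ca-certificates` and `--cacert` affect. The following added example (not part of the original post) reproduces both failure classes offline with throwaway self-signed certificates and `openssl verify -attime`; it assumes the `openssl` CLI is installed, and the helper names and `*.example` subjects are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: every certificate here is constructed locally; no network access.

# make_cert DIR NAME: issue a throwaway self-signed cert (30-day validity).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2.example" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# classify CERT CAFILE EPOCH: verify CERT against CAFILE as if the clock read EPOCH.
# Trust failures are reported first, then validity-period failures.
classify() {
  out=$(openssl verify -attime "$3" -CAfile "$2" "$1" 2>&1) || true
  case "$out" in
    *"self signed"*|*"self-signed"*|*"unable to get"*) echo untrusted ;;
    *"certificate has expired"*)      echo expired ;;
    *"certificate is not yet valid"*) echo not-yet-valid ;;
    *": OK"*)                         echo ok ;;
    *)                                echo other ;;
  esac
}

run_demo() {
  d=$(mktemp -d)
  make_cert "$d" site
  make_cert "$d" other
  now=$(date +%s)   # read the clock after issuing, so notBefore <= now
  year=31536000
  echo "trusted CA, correct clock : $(classify "$d/site.pem" "$d/site.pem" "$now")"
  echo "trusted CA, clock +1 year : $(classify "$d/site.pem" "$d/site.pem" $((now + year)))"
  echo "trusted CA, clock -1 year : $(classify "$d/site.pem" "$d/site.pem" $((now - year)))"
  echo "wrong CA,   correct clock : $(classify "$d/site.pem" "$d/other.pem" "$now")"
  rm -rf "$d"
}

run_demo
```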