Reputation: 1764
I've been trying to configure a fresh dedicated server, when I found a strange behavior of curl on CentOS 6 (and 7):
curl "https://google.com"
returns
curl (60): Peer certificate cannot be authenticated with known CA certificates
It seems like curl does not know anything about the CAs installed on the current system.
# curl https://google.com --verbose
* About to connect() to google.com port 443 (#0)
* Trying 172.217.25.174... connected
* Connected to google.com (172.217.25.174) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Remote Certificate has expired.
* NSS error -8181
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
--insecure
is not good for me.
I've tried:
- ca-certificates
- update-ca-trust extract
- the --cacert option passed to curl directly
but it does not help me.
First thought: okay, a fresh OS may not have the current version of the certificates, but what if I do yum update -y? They should be current then, shouldn't they?
I've checked previously asked questions like get-60-error-with-curl and many others.
Upvotes: 2
Views: 1755
Reputation: 1764
The only thing that stood out to me was this line from curl's verbose output: * Remote Certificate has expired.
How could Google's certificate be expired? What time is it right now?
Oops:
# date
Friday, 10 May 2015 12:35:21 -0400
But now is 11/30/2017.
Okay:
sudo yum install ntp ntpdate -y
then you have to check /etc/ntp.conf; if it is not present:
sudo su
# ntpd on CentOS reads /etc/ntp.conf; this replaces it with a single upstream server
echo "server 0.pool.ntp.org" > /etc/ntp.conf && service ntpd start
And check:
# date
Thursday, 30 November 2017 14:03:35 +0000
Don't forget to set the local time zone, for example UTC:
sudo mv /etc/localtime /tmp/localtime.bak
sudo ln -s /usr/share/zoneinfo/UTC /etc/localtime
P.S. You can get more info about ntp configuration here
Upvotes: 1
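The answer's diagnosis, reproduced offline as an added example that is not part of the original post. Instead of google.com's certificate it generates a throwaway self-signed one (a constructed fixture with the made-up name example.test), then verifies it with openssl while pretending the clock reads different times, which is exactly the comparison of notBefore/notAfter against "now" that NSS makes before printing "Remote Certificate has expired". It assumes only openssl, date and mktemp are installed.

```shell
#!/bin/sh
# Added example, not from the original post: show that a skewed system clock
# alone makes a perfectly good certificate fail verification. A throwaway
# self-signed certificate (constructed here, standing in for google.com's)
# is verified while pretending the clock reads different times.
# Assumes only openssl, date and mktemp are installed; CN example.test is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.pem"
KEY="$WORK/key.pem"
DAY=86400

# Constructed fixture: self-signed certificate valid from now for one day.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test" -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# The validity window: the two dates that must bracket the system clock.
cert_dates() {
    openssl x509 -in "$CERT" -noout -dates
}

# Verify the certificate as if the clock read $1 (epoch seconds).
# The self-signed cert is its own trust anchor. Echoes "ok" or "fail".
verify_at() {
    if openssl verify -attime "$1" -CAfile "$CERT" "$CERT" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Classify a verification result at time $1:
#   ok    - verifies at $1
#   clock - fails at $1 but verifies at the real current time, so the
#           certificate is fine and the clock is what is wrong
#   other - fails even at the real time: a genuine trust/chain problem
#           that fixing the clock will not cure (check the CA bundle instead)
diagnose() {
    if [ "$(verify_at "$1")" = ok ]; then
        echo ok
    elif [ "$(verify_at "$NOW")" = ok ]; then
        echo clock
    else
        echo other
    fi
}

make_cert
# Take "now" after key generation so it is never earlier than notBefore.
NOW=$(date +%s)

cert_dates
echo "at the real time:         $(verify_at "$NOW")"
echo "clock 3 days ahead:       $(verify_at $((NOW + 3 * DAY)))"
echo "clock 3 days behind:      $(verify_at $((NOW - 3 * DAY)))"
echo "clock stuck 2 years back: $(diagnose $((NOW - 730 * DAY)))"
```

Against a real server the same check is `openssl s_client -connect host:443 </dev/null | openssl x509 -noout -dates` compared with `date`: if the clock falls outside that window the answer's ntp fix is the right one, and `--insecure` would only have hidden the symptom. If the clock is inside the window, the problem is the trust store, not time.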