SSL issues "Peer's certificate issuer has been marked as not trusted by the user."


Solution 1

Wanted to answer and close this for future reference.

Turns out we did have a proxy server that was messing with things. We've got quite the interesting situation at my work (3 companies, 2 owned by one owner of my company, separate from my own company).

Turns out company B's system administrator had put a proxy server in the loop x many years ago and forgot all about it. Enter my company's sys admin, who takes over the whole system admin role for all companies. Nobody tells him about the proxy. It's been running for years without anyone's knowledge.

Solution 2

My environment is CentOS 7; running pyspider shows this error:

Exception HTTP 599 Peer's certificate issuer has been marked as not trusted by the user

I used the following steps to fix it:

Change the invalid libcurl .so symlink:

/usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0_openssl

to the valid libcurl .so file:

/usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0

and reinstall pycurl:

# remove the pycurl build that was linked against the wrong TLS library
pip3 uninstall pycurl
# rebuild pycurl against NSS, the TLS backend of the stock libcurl on CentOS 7
export PYCURL_SSL_LIBRARY=nss
export LDFLAGS=-L/usr/local/opt/openssl/lib
export CPPFLAGS=-I/usr/local/opt/openssl/include
pip3 install pycurl --compile --no-cache-dir

For a detailed description, refer to another SO post.
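The thread names three different causes for the same "issuer ... not trusted" message: a TLS-intercepting proxy that substitutes the certificate chain (Solution 1), a curl/libcurl build linked against a different TLS library than the system trust store is wired to (Solution 2), and a stale CA bundle (the "reinstall ca-certificates" comment). The following diagnostic script is an added example, not code from either answer; the function names are my own and the file paths assume a stock CentOS 7 layout. Run it with a hostname on the affected machine and on a neighbouring VM: if the issuer at the top of the chain differs between the two, something in the network path is rewriting certificates.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the answers above; names are mine).
# Checks the three causes this thread names for the "issuer ... not trusted"
# error: an intercepting proxy, a non-stock libcurl/TLS backend, a thin CA bundle.

# Read an `openssl s_client -showcerts` transcript on stdin and print the
# issuer of the last certificate the server sent. Handles both the old
# "/C=US/O=..." and the newer "C = US, O = ..." issuer formats. On a direct
# connection this is a public CA; behind an intercepting proxy it is the
# proxy's own private CA, which the system bundle does not contain.
top_issuer() {
    awk '
        /^Certificate chain/   { inchain = 1; next }
        inchain && $0 == "---" { exit }
        inchain && /^ *i:/     { sub(/^ *i:/, ""); last = $0 }
        END                    { print last }
    '
}

# Given the first line of `curl --version`, print the TLS backend curl was
# built with (NSS on stock CentOS 7; OpenSSL on many rebuilt packages).
curl_tls_backend() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -E '^(NSS|OpenSSL|GnuTLS|LibreSSL|BoringSSL|wolfSSL|mbedTLS)/' \
        | head -n 1 | cut -d/ -f1
}

# Succeed only if a libcurl.so.4 symlink points at a plain versioned library
# (libcurl.so.4.3.0), not at a renamed build such as libcurl.so.4.3.0_openssl.
# Returns 2 if the path is not a symlink.
libcurl_link_is_stock() {
    target=$(readlink "$1" 2>/dev/null) || return 2
    printf '%s\n' "$target" | grep -Eq '^libcurl\.so\.4(\.[0-9]+)*$'
}

# Number of certificates in a PEM bundle; a near-empty bundle produces the
# same blanket trust failure as a proxy does.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Usage: sh tls-trust-check.sh www.example.com
# (assumed stock CentOS 7 paths; adjust for other distributions)
if [ $# -eq 1 ]; then
    host=$1
    echo "curl backend : $(curl_tls_backend "$(curl --version | head -n 1)")"
    if libcurl_link_is_stock /usr/lib64/libcurl.so.4; then
        echo "libcurl link : stock ($(readlink /usr/lib64/libcurl.so.4))"
    else
        echo "libcurl link : NOT stock ($(readlink /usr/lib64/libcurl.so.4))"
    fi
    bundle=/etc/pki/tls/certs/ca-bundle.crt
    echo "CA bundle    : $(count_certs "$bundle") certificates in $bundle"
    issuer=$(openssl s_client -showcerts -servername "$host" \
                 -connect "$host:443" </dev/null 2>/dev/null | top_issuer)
    echo "top issuer   : $issuer"
fi
```

A mismatch in "curl backend" versus the library the Python binding was built for is exactly the situation Solution 2 fixes; an unexpected "top issuer" is the situation Solution 1 describes; a tiny "CA bundle" count is what `yum reinstall ca-certificates` repairs.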

James F

Updated on September 18, 2022

Comments

  • James F
    James F over 1 year

    We have a public facing development server that requires SSL for a particular function.

    Yet EVERYTHING that uses SSL in any form returns

    curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
    

    This is not an issue of "Well just use ssl-verify=false on yum, or --insecure on curl requests."

    I realize I can do that on both of those to do my calls. But ultimately - I MUST be able to use SSL because the development we are using these servers for requires it.

    It seems that the CA is out of date. I have tried the following https://access.redhat.com/solutions/1549003

    I have tried importing the cacert.pem file myself (though I will admit I'm lacking in knowledge here, so it's possible I did it wrong).

    I have checked date/time on the server to make sure that is not the issue.

    I cannot get the "Network Admin" (term used loosely, as he'll be the first to admit he has absolutely no knowledge of Linux - pure Microsoft) to even be bothered with reinstalling Centos to this machine, so I need to find a solution to this.

    Any help would be appreciated. Below are some examples of what we get when trying to do things such as yum, curl, and running certbot --apache

    YUM

    [root@localhost work]# yum reinstall mc
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64 error was
    14: curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
     * base: repos.dfw.quadranet.com
     * epel: mirror.compevo.com
     * extras: repos-tx.psychz.net
     * updates: mirror.us.oneandone.net
     * webtatic: repo.webtatic.com
    https://us-east.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
    Trying other mirror.
    It was impossible to connect to the CentOS servers.
    This could mean a connectivity issue in your environment, such as the requirement to configure a proxy,
    or a transparent proxy that tampers with TLS security, or an incorrect system clock.
    You can try to solve this issue by using the instructions on https://wiki.centos.org/yum-errors
    If above article doesn't help to resolve this issue please use https://bugs.centos.org/.
    
    https://uk.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
    Trying other mirror.
    https://sp.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
    Trying other mirror.
    https://repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
    Trying other mirror.
    

    CURL

    [root@localhost work]# curl https://www.google.com
    curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
    More details here: http://curl.haxx.se/docs/sslcerts.html
    
    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.
    

    CERTBOT (FOR LETSENCRYPT SSL CERT REQUEST)

    [root@localhost work]#  sudo certbot --apache
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator apache, Installer apache
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): [email protected]
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    An unexpected error occurred:
    SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
    Please see the logfiles in /var/log/letsencrypt for more details.
    
    • Michael Hampton
      Michael Hampton over 5 years
      Does your traffic go through a proxy server?
    • James F
      James F over 5 years
      Not to my knowledge. We have 4 different VMs on this same computer with public facing IPs and this is the only one that does this. I learned that the VM was installed from an image made last year, though. The other VMs were fresh installs when they were made. Possible correlation?
    • Michael Hampton
      Michael Hampton over 5 years
      It looks like only some of the mirrors are failing, so the first thing I would try is to reinstall the CA certificates with yum --skip-broken reinstall ca-certificates.