
I am running into issues where the CA bundle that has been bundled with my version of cURL is outdated.

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

Reading through the documentation didn't help me because I didn't understand what I needed to do or how to do it. I am running RedHat and need to update the CA bundle. What do I need to do to update my CA bundle on RedHat?

Andrew

7 Answers


For RHEL 6 or later, you should be using update-ca-trust, as lzap describes in his answer below.

--- For older versions of Fedora, CentOS, Redhat:

Curl uses the system-default CA bundle, which is stored in /etc/pki/tls/certs/ca-bundle.crt. Before you change it, make a copy of that file so that you can restore the system default if you need to. You can simply append new CA certificates to that file, or you can replace the entire bundle.

Are you also wondering where to get the certificates? I (and others) recommend curl.se/ca . In one line:

curl https://curl.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

Fedora Core 2 location is /usr/share/ssl/certs/ca-bundle.crt.

Erica Kane
Nada
  • That's good, but how can I be sure the certificate that I add won't be lost at the next update of ca-bundle.crt? Is there a place I can put the new one where it will automatically be included? – Andrew Schulman Sep 22 '14 at 09:16
  • As of 2006, openssl upgrades shouldn't replace the ca-bundle.crt file (see https://rhn.redhat.com/errata/RHSA-2006-0661.html). However, if you have another package installed, like the ca-certificates package recommended by @mgorven, then I expect it would be manually overwritten. – Nada Sep 23 '14 at 10:38
  • They now moved to this link instead, https://curl.se/ca/cacert.pem – Prut Udomwattawee Jun 19 '21 at 06:22
  • It has also worked for fixing Cygwin curl on Windows, placed this file to C:\cygwin\etc\pki\tls\certs\ca-bundle.crt – kuz8 Aug 19 '22 at 22:56

The recommended way of doing that on RHEL 6+ systems is to use the update-ca-trust tool, which is now installed by default.

# cat /etc/pki/ca-trust/source/README 
This directory /etc/pki/ca-trust/source/ contains CA certificates and 
trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority - higher than the ones found in 
/usr/share/pki/ca-trust-source/.

=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
            list of CAs trusted on the system:

            Copy it to the
                    /etc/pki/ca-trust/source/anchors/
            subdirectory, and run the
                    update-ca-trust
            command.

            If your certificate is in the extended BEGIN TRUSTED file format,
            then place it into the main source/ directory instead.
=============================================================================

Please refer to the update-ca-trust(8) manual page for additional information

Therefore, you only need to drop your crt file into /etc/pki/ca-trust/source/anchors/ and run the tool. Work done. This is safe to do; you don't need to make any backups. The full manual page can be found here: https://www.mankier.com/8/update-ca-trust

lzap
  • Hi, does it work for you? I just tried to follow the scenario from https://access.redhat.com/solutions/1549003 and it doesn't work for me. – Kirby Oct 02 '17 at 12:44
  • One-liner: `curl https://curl.haxx.se/ca/cacert.pem -o /etc/pki/ca-trust/source/anchors/curl-cacert-updated.pem && update-ca-trust` – rinogo Mar 02 '20 at 23:12
  • The address for the certificates has changed from curl.saxx.se to curl.se. So that one-line is now `curl https://curl.se/ca/cacert.pem -o /etc/pki/ca-trust/source/anchors/curl-cacert-updated.pem && update-ca-trust` – Erica Kane Oct 13 '21 at 17:58

Probably depends which version of Redhat. You can find which package actually updates the file by doing:

rpm -qf /etc/pki/tls/certs/ca-bundle.crt

My result was showing that openssl-0.9.8e-12.el5 needs to be updated.

If there are no updated certificates in your distribution, you have to update manually, as per Nada's answer.

EightBitTony
Pik Master

RHEL provides the Mozilla CA certificates as part of the ca-certificates package (install this with yum if it's not already installed). To tell cURL to use these, use the --cacert parameter like so.

curl --cacert /etc/ssl/certs/ca-bundle.crt https://google.com/
mgorven
  • I tried `yum install ca-certificates` and got `No package ca-certificates available` – Andrew Jun 01 '12 at 18:31
  • RHEL6 has this package; I'm guessing you are using an older version. Unfortunately the list hasn't changed since 2010, thanks for keeping us up to date redhat. – Dan Pritts Jan 23 '13 at 22:30
  • I'm using RHEL7 on AWS EC2, I just upgraded my package to `ca-certificates.noarch 0:2014.1.98-70.0.el7_0` - it didn't solve my problem unfortunately, but just thought I'd add this information. – Dawngerpony Feb 09 '15 at 18:44

Since Dan Pritts' comment, Red Hat has been updating the certificate bundles for supported RHEL releases more often; you can see this quite easily in the package changelog. RHEL 6's certificates were updated twice in 2013 and twice in 2014.

All RHEL and related / clone / derived distros provide a bundle file at /etc/pki/tls/certs/ca-bundle.crt , and the same file at /etc/pki/tls/cert.pem (on older distros cert.pem is a symlink to ca-bundle.crt; on newer distros both are symlinks to a file output by update-ca-trust).

In RHEL 6 and newer, the bundle is part of the 'ca-certificates' package. In RHEL 5 and earlier it is part of the 'openssl' package.

In RHEL 6 with the update https://rhn.redhat.com/errata/RHEA-2013-1596.html and any newer RHEL, the 'shared system certificates' system is available (you must run update-ca-trust enable to enable it) and the best method is that given by lzap. A benefit of this system is that it works for NSS and GnuTLS-based applications as well as OpenSSL-based ones. Note that you can also distrust a certificate by placing it in the directory /etc/pki/ca-trust/source/blacklist/.

In RHEL 5 and older (and RHEL 6 if you do not wish to use the new system) you can trust extra CAs by placing their PEM formatted certificate files with the extension .pem in /etc/pki/tls/certs and running c_rehash (may also need yum install /usr/bin/c_rehash). This will only work for software that uses OpenSSL's default trust stores. This is better than editing or replacing the bundle file because it allows you to continue receiving official updates to the bundle file.

Software that uses one of the bundle file locations directly (rather than asking OpenSSL to use the system default trust stores) will not respect the change; if you have such software you are stuck editing the bundle file (or improving the software). Software that doesn't use OpenSSL at all will not respect the added certificate.

Adam Williamson
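The procedure from lzap's answer (plus the blacklist directory Adam Williamson mentions), together with the manual append from Nada's answer for systems that have no update-ca-trust, as one added script. This is example code written for this page, not anything from those answers or from Red Hat. The paths are the RHEL defaults named in the answers, exposed as environment variables (ANCHORS_DIR, BLACKLIST_DIR, EXTRACTED_BUNDLE, LEGACY_BUNDLE, UPDATE_CMD) so the script can be dry-run against a scratch directory, and the function names are this example's own. It refuses to overwrite an existing anchor with different content, skips a certificate that is already in the legacy bundle, keeps a dated backup before touching the legacy bundle, and after running update-ca-trust checks that the certificate really shows up in the extracted bundle that /etc/pki/tls/certs/ca-bundle.crt points at on RHEL 7+ (on RHEL 6, run update-ca-trust enable once first, as Adam Williamson's answer says).

```shell
#!/bin/sh
# Added example, not code from the answers above: install (or distrust) an
# extra CA on RHEL-style systems and confirm it really reached the bundle curl
# reads. Defaults are the RHEL paths named in the answers; every one can be
# overridden from the environment, which is also how the script is exercised
# against a scratch directory instead of the live trust store.
ANCHORS_DIR="${ANCHORS_DIR:-/etc/pki/ca-trust/source/anchors}"
BLACKLIST_DIR="${BLACKLIST_DIR:-/etc/pki/ca-trust/source/blacklist}"
EXTRACTED_BUNDLE="${EXTRACTED_BUNDLE:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}"
LEGACY_BUNDLE="${LEGACY_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"
UPDATE_CMD="${UPDATE_CMD:-update-ca-trust}"   # RHEL 6: run 'update-ca-trust enable' once first

# Number of PEM certificate blocks in a file (0 for DER or a missing file).
pem_cert_count() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Base64 body of the first certificate in a PEM file with all whitespace
# removed, so the same certificate matches regardless of line wrapping.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ {f=1; next}
         /-----END CERTIFICATE-----/   {exit}
         f' "$1" | tr -d ' \t\r\n'
}

# Succeeds when the certificate in $1 already appears in bundle file $2.
bundle_contains() {
    [ -r "$2" ] || return 1
    body=$(pem_body "$1")
    [ -n "$body" ] || return 1
    tr -d ' \t\r\n' < "$2" | grep -qF -- "$body"
}

# RHEL 6+ with the shared system certificates: copy into the anchors directory,
# regenerate every consumer bundle, then check the extracted bundle has it.
# Handles PEM input only (update-ca-trust itself also accepts DER).
install_anchor() {
    src="$1"; name="$2"
    if [ "$(pem_cert_count "$src")" -ne 1 ]; then
        echo "install_anchor: $src must contain exactly one PEM certificate" >&2
        return 1
    fi
    dst="$ANCHORS_DIR/$name.pem"
    if [ -e "$dst" ] && ! cmp -s "$src" "$dst"; then
        echo "install_anchor: $dst exists with different content, refusing to overwrite" >&2
        return 1
    fi
    install -m 0644 "$src" "$dst" || return 1
    "$UPDATE_CMD" || return 1
    bundle_contains "$src" "$EXTRACTED_BUNDLE"
}

# Same mechanism in reverse: a certificate in the blacklist directory is
# distrusted even if a copy ships in the stock bundle.
distrust_cert() {
    install -m 0644 "$1" "$BLACKLIST_DIR/$2.pem" || return 1
    "$UPDATE_CMD"
}

# Pre-RHEL 6 (no update-ca-trust): append to the OpenSSL bundle itself, keeping
# a dated backup so the stock file can be restored. Skips exact duplicates.
append_to_bundle() {
    src="$1"
    [ "$(pem_cert_count "$src")" -ge 1 ] || { echo "append_to_bundle: no PEM certificate in $src" >&2; return 1; }
    if bundle_contains "$src" "$LEGACY_BUNDLE"; then
        echo "append_to_bundle: already present in $LEGACY_BUNDLE" >&2
        return 0
    fi
    cp -p "$LEGACY_BUNDLE" "$LEGACY_BUNDLE.bak.$(date +%Y%m%d%H%M%S)" || return 1
    { printf '\n'; cat "$src"; } >> "$LEGACY_BUNDLE" || return 1
    bundle_contains "$src" "$LEGACY_BUNDLE"
}

# Usage (as root):  sh add-ca.sh anchor /path/to/corp-root.pem corp-root
#                   sh add-ca.sh distrust /path/to/bad-ca.pem bad-ca
#                   sh add-ca.sh append /path/to/corp-root.pem
case "${1:-}" in
    anchor)   install_anchor "$2" "$3" ;;
    distrust) distrust_cert "$2" "$3" ;;
    append)   append_to_bundle "$2" ;;
esac
```

The containment check compares the base64 body with whitespace stripped, so it still matches after update-ca-trust re-emits the certificate with different line wrapping. The final bundle_contains call is the part worth keeping even if you script this differently: "update-ca-trust exited 0" does not tell you the certificate was accepted, "it is in the extracted bundle" does.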

I just had to do this on an old RHEL5 box. I hit the catch-22... curl would reject the https download because the certificates on the machine were too old to validate the curl.haxx.se certs.

I used the --insecure option of curl to force the https download. (Yeah, I know... it is "insecure".)

curl https://curl.haxx.se/ca/cacert.pem --insecure -o /etc/pki/tls/certs/ca-bundle.crt

Pierre.Vriens
Leonard
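A safer way out of the catch-22 above, as an added example that is not from the answer: fetch the bundle with validation off, exactly as the answer does, but install it only if its SHA-256 equals a digest obtained out of band, for instance the cacert.pem.sha256 that curl.se/ca publishes next to the bundle, read on a machine whose trust store still works. The single network step is isolated in its own function so the digest and install logic can be exercised offline; fetch_pinned, check_bundle and the other function names are this example's, and the destination defaults to the RHEL 5 bundle path used in the answer.

```shell
#!/bin/sh
# Added example, not code from the answer above: get past the catch-22 without
# simply trusting whatever answered at the URL. The bundle is fetched with
# certificate checking off, but it is installed only if its SHA-256 equals a
# digest obtained out of band (for cacert.pem, read curl.se/ca/cacert.pem.sha256
# from a machine whose trust store still works). The one network step is
# isolated in fetch_insecure so everything else can be tested offline.

# Hex SHA-256 of a file (coreutils sha256sum, or shasum where that is absent).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Succeeds when file $1 hashes to $2 (hex, case-insensitive).
sha256_matches() {
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# The step the answer does with --insecure: download $1 to $2 with no
# certificate validation. Only ever called through fetch_pinned below.
fetch_insecure() {
    curl -fsS --insecure -o "$2" "$1"
}

# Fetch $1, compare to digest $2, and only then place it at $3. On a mismatch
# nothing is installed and the downloaded file is discarded.
fetch_pinned() {
    url="$1"; expected="$2"; dest="$3"
    tmp=$(mktemp) || return 1
    if ! fetch_insecure "$url" "$tmp"; then
        rm -f "$tmp"; echo "fetch_pinned: download of $url failed" >&2; return 1
    fi
    if ! sha256_matches "$tmp" "$expected"; then
        echo "fetch_pinned: SHA-256 of $url does not match the pinned digest; not installing" >&2
        rm -f "$tmp"; return 1
    fi
    if [ -e "$dest" ]; then cp -p "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)" || return 1; fi
    mv "$tmp" "$dest" && chmod 0644 "$dest"
}

# Closing check: a validating fetch of the same URL with the new bundle must
# now succeed. If it does not, the file is not the bundle the server's chain
# leads to, and the .bak copy should go back.
check_bundle() {
    curl -fsS --cacert "$1" -o /dev/null "$2"
}

# Usage (as root): sh pinned-cacert.sh <sha256-obtained-out-of-band> [dest]
if [ $# -ge 1 ]; then
    DEST="${2:-/etc/pki/tls/certs/ca-bundle.crt}"
    fetch_pinned https://curl.se/ca/cacert.pem "$1" "$DEST" \
        && check_bundle "$DEST" https://curl.se/ca/cacert.pem
fi
```

The digest must not come over the same unvalidated connection, or the check proves nothing; the point of the split is that --insecure is confined to a download into a temp file that never becomes the trust store until something you already trust has vouched for it.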

For RHEL 6, I was able to fix this by updating and re-installing the latest CA certs package from Red Hat:

sudo yum update ca-certificates
sudo yum reinstall ca-certificates

(In my case, this was enough to allow the newer "Let’s Encrypt Authority X3" signing certificate to be trusted.)

Jeremy
  • The command worked for me (CentOS 6) but didn't resolve my problem (with a cert issued by "DigiCert SHA2 Secure Server CA") – rinogo Apr 02 '19 at 17:21