2

My CentOS 7 server which is in AWS private cloud(company network), is unable to connect to some sites. After some work I managed to narrow the problem down to following problem.

  1. The following internal site is not accessible (SSL by public CA)

curl -v https://git.company.com

which returns,

About to connect() to git.company.com port 443 (#0)
Trying 10.62.124.6...
Connected to git.company.com (10.62.124.6) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
  1. But following internal site works (SSL by public CA)

curl -v https://alm.company.com

which returns

About to connect() to alm.company.com port 443 (#0)
Trying 10.64.167.137...
Connected to alm.company.com (10.64.167.137) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
...
...
...
Accept: */*

These are both internal sites trusted by same public CA.

How can debug this further? I ran into some solutions where they ask to install company's into the server(though i'm wondering why one site works but other one doesnt), but not sure how to install this certificate correctly.

Can someone help please?

Thanks for the help.

alexander.polomodov
  • 1,068
  • 3
  • 10
  • 14
Chandima Jayawickrema
  • 21
  • 1
  • 1
  • 2

1 Answers1

2

You can use curl -k ... to make it ignore certificate irregularities.

Or you can use curl --cacert <CA certificate> to supply your company CA cert.

Or you can add your company CA cert to /etc/pki/tls/certs/ and run make there to make it available system-wide.

Ah, and to retrieve the company root CA use this: openssl s_client -connect git.company.com:443 -showcerts - that will dump all the certificates in the chain.

potom
  • 360
  • 1
  • 2
  • 8