
We have a public facing development server that requires SSL for a particular function.

Yet EVERYTHING that uses SSL in any form returns

    curl: (60) Peer's certificate issuer has been marked as not trusted by the user.

This is not an issue of "Well, just use ssl-verify=false on yum, or --insecure on curl requests."

I realize I can do that on both of those to do my calls. But ultimately - I MUST be able to use SSL because the development we are using these servers for requires it.

It seems that the CA is out of date. I have tried the following: https://access.redhat.com/solutions/1549003

I have tried importing the cacert.pem file myself (though I will admit I'm lacking in knowledge here, so it's possible I did it wrong).

I have checked date/time on the server to make sure that is not the issue.

I cannot get the "Network Admin" (term used loosely, as he'll be the first to admit he has absolutely no knowledge of Linux - pure Microsoft) to even be bothered with reinstalling CentOS on this machine, so I need to find a solution to this.

Any help would be appreciated. Below are some examples of what we get when trying to do things such as yum, curl, and running certbot --apache

YUM

    [root@localhost work]# yum reinstall mc
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64 error was
    14: curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
     * base: repos.dfw.quadranet.com
     * epel: mirror.compevo.com
     * extras: repos-tx.psychz.net
     * updates: mirror.us.oneandone.net
     * webtatic: repo.webtatic.com
    https://us-east.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
    Trying other mirror.
    It was impossible to connect to the CentOS servers.
    This could mean a connectivity issue in your environment, such as the requirement to configure a proxy,
    or a transparent proxy that tampers with TLS security, or an incorrect system clock.
    You can try to solve this issue by using the instructions on https://wiki.centos.org/yum-errors
    If above article doesn't help to resolve this issue please use https://bugs.centos.org/.

    https://uk.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
    Trying other mirror.
    https://sp.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
    Trying other mirror.
    https://repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
    Trying other mirror.

CURL

    [root@localhost work]# curl https://www.google.com
    curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.

CERTBOT (FOR LETSENCRYPT SSL CERT REQUEST)

    [root@localhost work]# sudo certbot --apache
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator apache, Installer apache
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): email@host.com
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    An unexpected error occurred:
    SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
    Please see the logfiles in /var/log/letsencrypt for more details.

James F

  • Does your traffic go through a proxy server? – Michael Hampton Nov 30 '18 at 02:17
  • Not to my knowledge. We have 4 different VMS on this same computer with public facing IPs and this is the only one that does this. I learned that the VM was installed from an image made last year tho. The other VMs were fresh installs when they were made. Possible correlation? – James F Nov 30 '18 at 14:03
  • It looks like only some of the mirrors are failing, so the first thing I would try is to reinstall the CA certificates with `yum --skip-broken reinstall ca-certificates`. – Michael Hampton Nov 30 '18 at 14:29
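The proxy question raised in the comments can be settled from the box itself before anyone touches yum or curl settings. The script below is an added example, not code from the question or the comments. It pulls the issuer of the certificate each probe host presents, checks whether that chain verifies against the CentOS 7 system bundle, and lists any proxy variables in the environment. Independently operated sites normally show different issuer CAs, so one identical issuer across all of them points at a TLS-intercepting proxy re-signing the traffic; verification failing on every host while the issuers still differ points back at a stale bundle or the clock. The probe host list and the bundle path are assumptions, and nothing here turns verification off.

```sh
#!/bin/sh
# Added diagnostic for the situation in the question; not code from the
# original post. classify_issuers() is pure and runs offline; diagnose()
# needs network access, openssl, and (for the backend line) curl.

# Assumption: these hosts are run by unrelated operators, so a healthy path
# shows several different issuer CAs. One identical issuer for every host is
# the fingerprint of a TLS-intercepting proxy in the path.
PROBE_HOSTS="www.google.com mirrors.fedoraproject.org acme-v02.api.letsencrypt.org"

# System CA bundle shipped by the ca-certificates package on CentOS 7.
CA_BUNDLE=${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}

# fetch_issuer HOST: issuer DN of the leaf certificate actually presented to
# us (the real server's, or the proxy's). Prints nothing if none came back.
fetch_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null | sed 's/^issuer= *//'
}

# verify_against_bundle HOST: succeed only if the presented chain verifies
# against CA_BUNDLE, which is the same decision curl and yum are making.
verify_against_bundle() {
    openssl s_client -connect "$1:443" -servername "$1" -CAfile "$CA_BUNDLE" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# report_proxy_env: proxy variables curl and yum honour. An explicit proxy here
# is a different problem from a transparent one, which leaves no trace here.
report_proxy_env() {
    env | grep -i -E '^(https?_proxy|no_proxy)=' || echo "no proxy variables in the environment"
}

# classify_issuers LINES: LINES are "host<TAB>issuer" records, one per line.
#   suspect-interception  two or more hosts and every one has the same issuer
#   issuers-differ        issuers vary, as they normally do across operators
#   insufficient-data     fewer than two usable records
classify_issuers() {
    total=$(printf '%s\n' "$1" | awk -F'\t' 'NF >= 2 && $2 != "" { n++ } END { print n + 0 }')
    distinct=$(printf '%s\n' "$1" | awk -F'\t' \
        'NF >= 2 && $2 != "" { seen[$2] = 1 } END { n = 0; for (k in seen) n++; print n }')
    if [ "$total" -lt 2 ]; then
        echo insufficient-data
    elif [ "$distinct" -eq 1 ]; then
        echo suspect-interception
    else
        echo issuers-differ
    fi
}

# diagnose: run the live checks and print a one-line verdict.
diagnose() {
    echo "curl TLS backend: $(curl --version 2>/dev/null | head -n 1)"
    report_proxy_env
    records=""
    for h in $PROBE_HOSTS; do
        issuer=$(fetch_issuer "$h")
        if verify_against_bundle "$h"; then v=ok; else v=FAIL; fi
        printf '%-32s verify=%-4s issuer=%s\n' "$h" "$v" "${issuer:-<no certificate>}"
        records=$(printf '%s\n%s\t%s' "$records" "$h" "$issuer")
    done
    echo "verdict: $(classify_issuers "$records")"
}

# The network part only runs when asked for: RUN_TLS_DIAG=1 sh tls-diag.sh
if [ "${RUN_TLS_DIAG:-0}" = 1 ]; then
    diagnose
fi
```

The backend line matters for reading the error text: "Peer's certificate issuer has been marked as not trusted by the user" is the wording curl prints when it is linked against NSS, as it is on CentOS 7, for a chain that does not end at a trusted CA; an OpenSSL-linked tool reports the same condition as "unable to get local issuer certificate". A `suspect-interception` verdict means the fix belongs on the proxy side (or in trusting its CA deliberately, with eyes open), not in disabling verification on the clients.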

3 Answers

2

Wanted to answer and close this for future reference.

Turns out we did have a proxy server that was messing with things. We've got quite the interesting situation at my work (3 companies, 2 owned by one owner of my company, separate from my own company).

Turns out company B's system administrator had put a proxy server in the loop x many years ago and forgot all about it. Enter my company's sys admin, who takes over the whole system admin role for all companies. Nobody tells him about the proxy. It's been running for years without anyone's knowledge.

James F

  • How did you learn about the proxy? I wonder if that might be the case for me... – Line Apr 20 '23 at 09:49
  • Obviously it's been 5 years, so I can't fully answer this. I'm sure I worked with the sys admin and probably followed the calls on the network and saw something we weren't expecting. – James F Apr 21 '23 at 12:33
2

My case here is on CentOS 7; running pyspider shows the error:

    Exception HTTP 599 Peer's certificate issuer has been marked as not trusted by the user

and I used the following steps to fix it:

Change the invalid libcurl .so symlink:

    /usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0_openssl

to the valid libcurl .so file:

    /usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0

and reinstall pycurl:

    pip3 uninstall pycurl
    export PYCURL_SSL_LIBRARY=nss
    export LDFLAGS=-L/usr/local/opt/openssl/lib
    export CPPFLAGS=-I/usr/local/opt/openssl/include
    pip install pycurl --compile --no-cache-dir

For a detailed description, refer to another SO post.

crifan
0

Differential Diagnosis of the Issue

  1. Self-signed certificate expired
  2. Repository is using https links for downloads
  3. Proxy server is not configured for given links used by baseurl
  4. Proxy http and https are not configured for downloading packages

How to mitigate the peer certificate issue: let's say I am installing PHP 7.4 using the remi-php74 repo. What can be done to avoid all the worries of diagnosis:

  1. Self-signed certificate expired

    yum-config-manager --save --setopt=remi-php74.skip_if_unavailable=true

    yum-config-manager --save --setopt=remi-php74.ssl_check_cert_permissions=false

  2. Repository is using https links for downloads

    grep 'baseurl' /etc/yum.repos.d/* | grep php

    vi /etc/yum.repos.d/remi-php74.repo

    Edit the URLs: comment out the ones using https and uncomment the http ones for baseurl or mirrorlist, to ensure the peer certificate issue doesn't pop up.

  3. Proxy server is not configured for given links used by baseurl

    yum-config-manager --save --setopt=remi-php74.proxy=https://proxy_ip:proxy_port

  4. Proxy http and https are not configured for downloading packages

    export http_proxy=http://proxy_ip:proxy_port

    export https_proxy=https://proxy_ip:proxy_port

Step by step, what needs to be done if faced with this for a particular repo and its installation list:

Check the repos available using:

    yum repolist

Check the repo needed and disable all others:

    yum list available --disablerepo=* --enablerepo=remi-php74

    yum-config-manager --enable remi-php74

If the peer certificate issue persists, set the repo options:

    yum-config-manager --save --setopt=remi-php74.skip_if_unavailable=true

    yum-config-manager --save --setopt=remi-php74.ssl_check_cert_permissions=false

If there is any issue with the URLs, check whether the base URLs are http, and uncheck them in the repo file of the needed repo:

    grep 'baseurl' /etc/yum.repos.d/* | grep php

Edit the needed repository to change the base URL to http to avoid the peer certificate issue:

    vi /etc/yum.repos.d/remi-php74.repo

Install the needed package:

    yum install php

This procedure applies to all other installations using the needed repository; there is no need to get a CA certificate if the issue is installing packages and the peer certificate issue comes up. Also add DNS if further issues persist in terms of "can't resolve" URLs, as Google DNS helps with resolution of the base URLs used by the packages; the entries below help if configured.

In /etc/resolv.conf add the entries below:

    nameserver 8.8.8.8
    nameserver 8.8.4.4
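The procedure above trades certificate verification for availability (plain-http base URLs, per-repo proxy settings), and such workarounds tend to outlive the incident that prompted them. The script below is an added example, not part of this answer or of yum: it walks yum.conf and the .repo files section by section and reports every repo with an active plain-http baseurl/mirrorlist/metalink, with sslverify turned off, or with a proxy set. The option names are the ones documented in yum.conf(5); sslverify is the option that actually governs whether yum checks the server certificate, and proxy=_none_ is yum's way of saying "no proxy for this repo". The sample .repo content and its values are constructed for the example; the scan of the real /etc/yum.repos.d is opt-in.

```sh
#!/bin/sh
# Added audit for the repo-editing procedure above; not part of the original
# answer. audit_repo_file() is pure; audit_all() reads the live yum config.

# audit_repo_file FILE: print "repoid finding" for every weak transport setting.
#   plain-http     an active baseurl/mirrorlist/metalink using http://
#   sslverify-off  sslverify=0/false/no (server certificate not checked)
#   proxy-set      a per-repo proxy other than _none_
audit_repo_file() {
    awk '
        # Section header: remember the repo id (or "main" for yum.conf).
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            p = index(sec, "]"); if (p) sec = substr(sec, 1, p - 1)
            next
        }
        # Commented-out lines never match: the key must start the line.
        /^[ \t]*(baseurl|mirrorlist|metalink)[ \t]*=/ && $0 ~ /http:\/\// {
            print sec " plain-http"
        }
        /^[ \t]*sslverify[ \t]*=[ \t]*(0|false|no|False|No)[ \t]*$/ {
            print sec " sslverify-off"
        }
        /^[ \t]*proxy[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            if (v != "" && v != "_none_") print sec " proxy-set"
        }
    ' "$1"
}

# sample_repo_file: write a constructed .repo file (values invented for this
# example, not a real mirror) to a temp file and print its path.
sample_repo_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[remi-php74]
name=Remi PHP 7.4 (constructed sample)
baseurl=http://rpms.remirepo.example/enterprise/7/php74/$basearch/
#mirrorlist=https://rpms.remirepo.example/enterprise/7/php74/mirror
enabled=1
sslverify=0
proxy=http://proxy_ip:proxy_port

[base]
name=CentOS Base (constructed sample)
mirrorlist=https://mirrorlist.centos.example/?release=7&arch=$basearch&repo=os
gpgcheck=1
proxy=_none_
EOF
    echo "$f"
}

# audit_all: run the audit over the live yum configuration, one line per finding.
audit_all() {
    for f in /etc/yum.conf /etc/yum.repos.d/*.repo; do
        [ -r "$f" ] || continue
        audit_repo_file "$f" | sed "s|^|$f: |"
    done
}

# Live scan only when asked for: RUN_REPO_AUDIT=1 sh repo-audit.sh
if [ "${RUN_REPO_AUDIT:-0}" = 1 ]; then
    audit_all
fi
```

On the constructed sample the audit reports remi-php74 three times (plain-http, sslverify-off, proxy-set) and nothing for base, whose mirrorlist is https and whose proxy is explicitly _none_. A `sslverify-off` or `plain-http` line in the real config is the signal to go back and fix the trust path (the CA bundle, the proxy's CA, or the proxy itself) rather than leave the repo fetching unauthenticated packages.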