This document (000020585) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Manager Server 4.1

Situation

Any zypper command which needs to download data from the SUSE Manager Server gives the following error:

Error code: Curl error 60

Resolution

Depending on which SUSE Manager client is used, the following steps are needed to solve the issue.

1. On servers running the salt-minion.service, run "salt-call state.apply certs".
2. On servers using the traditional client:
   2.1 Is the rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm package installed? Or
   2.2 Is the softlink "/etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT" available? If not create it with:

Cause

The file RHN-ORG-TRUSTED-SSL-CERT or the link to the file RHN-ORG-TRUSTED-SSL-CERT is missing in the /etc/pki/trust/anchors directory.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
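The checks in steps 2.1 and 2.2 of the SUSE resolution can be scripted. This is an added example, not part of the SUSE article; the function names and status words are assumptions, while the directory, file name and package name are the ones the article gives.

```shell
#!/bin/sh
# Added example: classify the state of the SUSE Manager CA trust anchor.
# Directory, file name and package name come from the article; the function
# names and the status words printed here are assumptions of this sketch.
ANCHOR_DIR=${ANCHOR_DIR:-/etc/pki/trust/anchors}
ANCHOR_NAME=RHN-ORG-TRUSTED-SSL-CERT

anchor_status() {
    anchor=${1:-$ANCHOR_DIR}/$ANCHOR_NAME
    if [ -L "$anchor" ] && [ ! -e "$anchor" ]; then
        echo dangling      # the link exists but its target file is gone
    elif [ ! -e "$anchor" ]; then
        echo missing       # the situation described under "Cause"
    elif [ ! -r "$anchor" ]; then
        echo unreadable    # present, but this user cannot read it
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$anchor"; then
        echo not-pem       # present, but does not contain a PEM certificate
    else
        echo ok
    fi
}

# Step 2.1: is the traditional-client certificate package installed?
pkg_status() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo no-rpm
    elif rpm -q rhn-org-trusted-ssl-cert >/dev/null 2>&1; then
        echo installed
    else
        echo not-installed
    fi
}

echo "anchor:  $(anchor_status)"
echo "package: $(pkg_status)"
```

A result of "dangling" is worth distinguishing from "missing": the link is there, so a quick listing of the directory looks healthy, but the CA file it points to has been removed.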
Edit: I had updated my root CA certificates from curl.haxx.se.

When I try curl -Iv https://yahoo.com I get an error as unable to get local issuer certificate in the result. However if I try curl -Iv --cacert /etc/ssl/certs/ca-certificates.crt https://yahoo.com I get a result without any error.

Weirdly curl -Iv https://google.com works properly. But curl -Iv https://deb.nodesource.com doesn't.

Is there any chance to overcome this issue? (by changing curl configuration etc.)

    root@ip-172-31-40-176:/var# curl -Iv https://yahoo.com
    * Rebuilt URL to: https://yahoo.com/
    * Hostname was NOT found in DNS cache
    * Trying 206.190.36.45...
    * Connected to yahoo.com (206.190.36.45) port 443 (#0)
    * successfully set certificate verify locations:
    * CAfile: none CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS alert, Server hello (2):
    * SSL certificate problem: unable to get local issuer certificate
    * Closing connection 0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.

We run the following software versions:
We run an education application, and as part of this we have numerous APIs which upload files to a third party website https://api.turnitinuk.com from our webserver https://nclhe-moodle.ncl-coll.ac.uk.

We renewed our SSL certificate for nclhe-moodle.ncl-coll.ac.uk in December 2020 on the webserver successfully and everything carried on working as we expected it to, but then suddenly in February 2021 we started getting the following error and the upload failed.

    curl: (60) SSL certificate : unable to get local issuer certificate

(I don't understand what the local issuer certificate is, is it the client (the webserver) or the server)

Not sure why, it just started in February 2021 when the certificates were renewed in December 2020. If I bypass the IPS Certificate checking on our proxy server, our API works successfully.

These are what I have tried so far to resolve this issue:
Another question from me: In my /etc/ssl/certs file all of the CA's are sym-linked to /usr/share/ca-certificates apart from the CA which I have just applied which is sym-linked to /usr/local/share/ca-certificates. Is this an issue bearing in mind the certificate is part of the /etc/ssl/certs/ca-certificates/crt file?

I am a bit stumped about what else to try and have researched this extensively to try and fix it myself, can anybody help?

Many thanks in advance,
Mac

The latest update - the issue is not yet resolved. The files are uploaded automatically via an API, so the turnitin application sits within https://nclhe-moodle.ncl-coll.ac.uk, the users login, click a few buttons and the app uploads files via the API to https://api.turnitinuk.com. The only thing that has changed is the SSL cert was renewed successfully in December 2020 but this issue never started until Feb 2021.

How do I fix curl 60 SSL certificate?
Locate the curl certificate PEM file location: 'curl-config --ca' --> /usr/local/etc/openssl/cert.pem. Use the folder location to identify the PEM file: 'cd /usr/local/etc/openssl'. Create a backup of the cert.pem file: 'cp cert.pem cert_pem.bkup'.

How do I fix unable to get local issuer certificate?
When the "SSL certificate problem: unable to get local issuer certificate" error is caused by a self-signed certificate, the fix is to add the certificate to the trusted certificate store. Open the file ca-bundle.crt located in the directory above, then copy and paste the Git SSL certificate to the end of the file.

How does curl verify SSL certificate?
libcurl performs peer SSL certificate verification by default. This is done by using a CA certificate store that the SSL library can use to make sure the peer's server certificate is valid.
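
Which CA store curl actually consulted, and why verification failed, can be read from its verbose output, as in the "curl -Iv" trace quoted in the question above. This is an added example, not code from any of the posts; the function names and output format are assumptions, and the sample log is constructed from the lines in that trace.

```shell
#!/bin/sh
# Added example: summarise the trust store and verify error in `curl -v` output.
# Function names and the key=value output format are assumptions.

# Constructed sample, built from the verbose lines quoted in the question.
sample_log() {
cat <<'EOF'
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, CERT (11):
* SSL certificate problem: unable to get local issuer certificate
curl: (60) SSL certificate problem: unable to get local issuer certificate
EOF
}

# Reads `curl -v` output on stdin. CAfile/CApath may share a line or not.
curl_trust_summary() {
    awk '
        { for (i = 1; i < NF; i++) {
              if ($i == "CAfile:") cafile = $(i + 1)
              if ($i == "CApath:") capath = $(i + 1)
          } }
        /^curl: \([0-9]+\)/ {
              code = $2; gsub(/[()]/, "", code)
              reason = $0; sub(/^.*problem: /, "", reason)
          }
        END { printf "cafile=%s capath=%s code=%s reason=%s\n",
                     cafile, capath, code, reason }'
}

# Map the verify reason to what needs checking on the client.
classify_reason() {
    case $1 in
        *"unable to get local issuer certificate"*) echo issuer-not-in-store ;;
        *"self signed certificate"*|*"self-signed certificate"*) echo self-signed ;;
        *"certificate has expired"*) echo expired ;;
        *) echo other ;;
    esac
}

summary=$(sample_log | curl_trust_summary)
echo "$summary"
echo "diagnosis: $(classify_reason "$summary")"
```

For the sample this reports cafile=none with capath=/etc/ssl/certs and the diagnosis issuer-not-in-store: curl had no bundle file configured and did not find the issuing CA in that directory, which matches the question's observation that the same request succeeds once --cacert points at a bundle file.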

How do I bypass SSL verification in curl?
To bypass SSL certificate validation for local and test servers, you can pass the -k or --insecure option to the Curl command. This option explicitly tells Curl to perform "insecure" SSL connections and file transfers. Curl will ignore any security warnings about an invalid SSL certificate and accept it as valid.