curl: (60) Peer's Certificate issuer is not recognized

Question

I am trying to install the .net Core SDK 2.0.0 on Centos 7 following the directions in ".NET Tutorial - Hello World in 5 minutes".

When I ran the first command

sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc

I got this error:

curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
error: https://packages.microsoft.com/keys/microsoft.asc: import read failed(2)

I am behind a corporate proxy, and it seems this error is related to SSL certificate and curl, but I don't know how to fix it.

Also, I get a similar error when I use curl or wget to download the HTTPS URL.

Answer 1

I had the same issue and then just temporary turned off SSL check and installed the packages. But please be warned that this is bypassing a security measure so use with caution.

sudo vi /etc/yum.conf 

And then on the editor just add the following line

sslverify=false

Answer 2

Finally fixed it. Post the answer here as reference.

• Export company trusted root certificate with .cer extension. Somthing naming external root certificate
• Convert the ca file to .pem file using openssl x509 -in xxx.cer -inform der -outform pem -out xxx.pem

Then on the centos 7 os:

• Install the ca-certificates package: yum install ca-certificates

• Enable the dynamic CA configuration feature: update-ca-trust force-enable

• Add the exported pem files to /etc/pki/ca-trust/source/anchors/

• Use command: update-ca-trust extract

References:

https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

http://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html

Answer 3

You can simply do:

wget --no-check-certificate https://packages.microsoft.com/keys/microsoft.asc
rpm --import microsoft.asc

Answer 4

cd /etc/pki/ca-trust/extracted/pem
mv tls-ca-bundle.pem tls-ca-bundle.pem.back
wget --no-check-certificate https://curl.se/ca/cacert.pem
mv cacert.pem tls-ca-bundle.pem

Answer 5

The self-signed SSL certificate I was using had expired so on Cent OS 7 I run the command below, but increased the days from -days 365 to -days 1400, which is approximately a 4 year guarantee.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

You can find more information in "How To Create an SSL Certificate on Apache for CentOS 7".

Answer 6

Check if your server has valid proxy settings.