For whatever reason, the /etc/pki/tls/certs/ca-bundle.crt
file may get corrupted; in my case it was accidentally overwritten. I could have gone the route of copying the ca-bundle.crt file from another vanilla server, but I wanted a more elegant solution. There is one: download a new certificate bundle.
Download the new certificate bundle. Since my ca-bundle.crt was overwritten, there was no need to back it up.
curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt
This fixed any issue that I had encountered as a result of a bad crt.
Two caveats before trusting the result. Fetching the trust root itself over plain HTTP means anyone on the path can hand you a bundle with their own CA appended, so fetch it over https:// from a host whose trust store still works (or copy it across from one) and compare it against the cacert.pem.sha256 checksum that curl publishes next to the file. Also, on RHEL/CentOS 7 (and on 6 once update-ca-trust enable has been run) /etc/pki/tls/certs/ca-bundle.crt is a symlink into /etc/pki/ca-trust/extracted/, so writing to it only papers over the problem until the next update-ca-trust run, for example from a package update, regenerates the file; the reset below is the durable fix.
Alternatively, reset the list of trusted CA certificates in RHEL 6 and RHEL 7. I have not tested this solution yet.
- Create a backup directory to store any found certs for later inspection
~]# mkdir -pv /root/cert.bak
mkdir: created directory ‘/root/cert.bak’
- Reset and update the ca-certificates package. This will revert any direct customizations (e.g., to ca-bundle.crt) and update or reinstall the package. rpm -Vv lists every file the package owns with a nine-character attribute field; the awk filter moves every file whose attributes are not all dots (modified or missing), except documentation files (type d), into the backup directory. yum check-update exits 100 when an update is available, so the last command updates the package if it can and reinstalls it otherwise.
~]# rpm -Vv ca-certificates | awk '$1!="........." && $2!="d" {system("mv -v " $NF " /root/cert.bak")}'
`/etc/pki/java/cacerts' -> `/root/cert.bak/cacerts'
`/etc/pki/tls/certs/ca-bundle.crt' -> `/root/cert.bak/ca-bundle.crt'
`/etc/pki/tls/certs/ca-bundle.trust.crt' -> `/root/cert.bak/ca-bundle.trust.crt'
~]# yum check-update ca-certificates; (($?==100)) && yum update ca-certificates || yum reinstall ca-certificates
- Ensure the /etc/pki/ca-trust/source/ and /etc/pki/ca-trust/source/anchors/ directories together contain only the following 2 files. Move any other files to the backup directory. Note that anchors/ is exactly where locally added CA certificates are meant to live, so anything moved out of it was probably put there on purpose and should be reviewed before it is discarded.
~]# find /etc/pki/ca-trust/source{,/anchors} -maxdepth 1 -not -type d -exec ls -1 {} +
/etc/pki/ca-trust/source/ca-bundle.legacy.crt
/etc/pki/ca-trust/source/README
- Ensure the /usr/share/pki/ca-trust-source/ and /usr/share/pki/ca-trust-source/anchors/ directories together contain only the following 4 files. Move any other files to the backup directory.
~]# find /usr/share/pki/ca-trust-source{,/anchors} -maxdepth 1 -not -type d -exec ls -1 {} +
/usr/share/pki/ca-trust-source/ca-bundle.neutral-trust.crt
/usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
/usr/share/pki/ca-trust-source/ca-bundle.trust.crt
/usr/share/pki/ca-trust-source/README
- Rebuild the CA-trust database with update-ca-trust. Execute:
~]# update-ca-trust extract
Afterwards, confirm that /etc/pki/tls/certs/ca-bundle.crt is once again a symlink into /etc/pki/ca-trust/extracted/pem/ and that a TLS client actually verifies against it, e.g. curl -sS -o /dev/null https://access.redhat.com/ returning without a certificate error.
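The rpm -Vv | awk step of the reset procedure above, and the bundle download earlier in the post, both come down to a little shell logic that is easy to get wrong on a live host. The following is an added example, not code from the original post or from Red Hat's knowledge base: it reproduces the one-liner's file selection in a function that can be checked against constructed rpm -Vv lines, moves the selected files with their directory layout intact (and skips files rpm reports as missing, which the original mv would merely fail on), and adds a sanity check that counts the PEM certificates in a downloaded bundle. All sample lines, the scratch tree and the paths under it are constructed for the demo, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from Red Hat's
# knowledge base: the rpm -Vv | awk step of the reset procedure, split
# into small functions so its selection logic can be exercised against
# constructed input before anything on a real host is moved.  Every
# sample line and path below is constructed for the demo.
set -eu

# Print the paths that rpm -Vv reports as modified or missing, skipping
# documentation files.  rpm -Vv output has a 9-character attribute field
# in column 1 ("........." means unchanged; the word "missing" means the
# file is gone), an optional type letter in column 2 (c=config,
# d=documentation, g=ghost, l=license, r=readme) and the path last.
# This is the same test the original one-liner uses; it only prints
# instead of calling mv from inside awk.
rpm_changed_files() {
    awk '$1 != "........." && $2 != "d" { print $NF }'
}

# Move each path read on stdin into BACKUP_DIR, preserving the directory
# layout so two files with the same basename (two READMEs, say) cannot
# clobber each other in the backup.  ROOT is prefixed to every path so
# the function can be run against a scratch tree (see run_demo) instead
# of the live filesystem.
backup_paths() {
    backup_dir="$1"
    root="${2:-}"
    while IFS= read -r path; do
        # rpm also lists files it reports as "missing"; nothing to move
        [ -e "$root$path" ] || continue
        mkdir -p "$backup_dir$(dirname "$path")"
        mv "$root$path" "$backup_dir$path"
    done
}

# Count the PEM certificates in a bundle file.  A freshly fetched
# ca-bundle.crt should contain well over a hundred; 0 means whatever was
# saved under that name is not a bundle at all (an HTML error page, say).
count_pem_certs() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Constructed rpm -Vv output modelled on the three files the post's
# transcript shows being moved, plus lines that must be left alone.
sample_rpm_vv='.........    /usr/share/pki/ca-trust-source/README
.........  c /etc/pki/ca-trust/ca-legacy.conf
S.5....T.  c /etc/pki/tls/certs/ca-bundle.crt
S.5....T.    /etc/pki/java/cacerts
..5....T.  d /usr/share/doc/ca-certificates-2015.2.6/README
missing    c /etc/pki/tls/certs/ca-bundle.trust.crt'

# Build a scratch tree, run the selection + backup pipeline against it
# and print how many files ended up in the backup directory.
run_demo() {
    tmp=$(mktemp -d)
    root="$tmp/root"
    bak="$tmp/cert.bak"
    mkdir -p "$root/etc/pki/tls/certs" "$root/etc/pki/java"
    # stand-in bundle with two certificates (bodies are placeholders)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'MIIC' '-----END CERTIFICATE-----' \
        > "$root/etc/pki/tls/certs/ca-bundle.crt"
    : > "$root/etc/pki/java/cacerts"
    printf '%s\n' "$sample_rpm_vv" | rpm_changed_files | backup_paths "$bak" "$root"
    find "$bak" -type f | wc -l | tr -d ' '
    rm -rf "$tmp"
}

# On a real host the equivalent of the post's one-liner is:
#   rpm -Vv ca-certificates | rpm_changed_files | backup_paths /root/cert.bak
run_demo   # prints 2: ca-bundle.crt and cacerts moved, the README and the missing file skipped
```

On a real host, run rpm -Vv ca-certificates | rpm_changed_files first to see what would be moved, then pipe the same output into backup_paths /root/cert.bak; and run count_pem_certs on a freshly downloaded ca-bundle.crt before putting it in place, since a result of 0 means the download is not a certificate bundle.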
Source(s)
https://eric.lubow.org/2011/fixing-centos-root-certificate-authority-issues
https://curl.haxx.se/docs/caextract.html
https://access.redhat.com/solutions/1549003