Fix the CentOS Root Certificate Authority file

For whatever reason, the /etc/pki/tls/certs/ca-bundle.crt file may get corrupted; in my case it was accidentally overwritten.  I could have gone the route of copying the ca-bundle.crt file from another vanilla server, but I wanted a more elegant solution.  There is one: download a new certificate bundle.

Download the new certificate bundle.  Since my ca-bundle.crt was overwritten, there was no need to back it up.

curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

This fixed any issue that I had encountered as a result of a bad crt.
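As an added example (not from the original post), the following script checks a downloaded bundle before it goes into place. The function names check_ca_bundle and install_bundle are this example's own, and it assumes GNU coreutils (sha256sum, mktemp) and that you obtained the expected SHA-256 digest from the checksum file curl publishes alongside cacert.pem on the caextract page, ideally from a host whose trust store is intact. That out-of-band digest matters here: the host being repaired has a broken trust store, so an HTTPS download of the bundle may itself fail certificate verification, and a plain-HTTP download has no integrity protection at all. The script also downloads to a temporary file first, because curl -o straight onto ca-bundle.crt leaves no bundle at all if the transfer is interrupted.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded CA bundle
# before it replaces the system trust store. Assumes the expected SHA-256
# digest was taken from the checksum curl publishes beside cacert.pem.

# check_ca_bundle FILE EXPECTED_SHA256
# Returns 0 only if FILE is a non-empty PEM bundle in which every
# BEGIN CERTIFICATE line is closed by a matching END line (a truncated
# download fails this) and whose SHA-256 digest equals EXPECTED_SHA256.
check_ca_bundle() {
    file=$1; expected=$2

    if [ ! -s "$file" ]; then
        echo "$file: missing or empty" >&2; return 1
    fi

    # Walk the PEM markers; reject nesting, an unclosed block, or no certs.
    count=$(awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (open) bad = 1; open = 1; n++ }
        /^-----END CERTIFICATE-----$/   { if (!open) bad = 1; open = 0 }
        END { if (bad || open || n == 0) exit 1; print n }
    ' "$file") || { echo "$file: malformed PEM bundle" >&2; return 1; }

    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "$file: sha256 mismatch (got $actual)" >&2; return 1
    fi

    echo "$file: ok, $count certificates, sha256 verified"
}

# install_bundle URL EXPECTED_SHA256 [DEST]
# Download to a temp file, verify it, keep a timestamped copy of the old
# bundle, then copy the verified file over DEST (cp follows a symlinked
# destination, so an existing ca-bundle.crt symlink is written through).
install_bundle() {
    url=$1; expected=$2; dest=${3:-/etc/pki/tls/certs/ca-bundle.crt}
    tmp=$(mktemp) || return 1
    if ! curl -fsS "$url" -o "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if ! check_ca_bundle "$tmp" "$expected"; then
        rm -f "$tmp"; return 1
    fi
    if [ -e "$dest" ]; then
        cp -p "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)"
    fi
    cp "$tmp" "$dest" && chmod 0644 "$dest" && rm -f "$tmp"
}
```

Usage: install_bundle https://curl.haxx.se/ca/cacert.pem <digest-from-caextract-page>. After it succeeds, a quick end-to-end check is curl -sS -o /dev/null https://curl.haxx.se/ from the repaired host, which now exercises the new bundle.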

Alternatively, reset the list of trusted CA certificates in RHEL 6 and RHEL 7.  I have not tested this solution yet.

  • Create a backup directory to store any found certs for later inspection
    ~]# mkdir -pv /root/cert.bak
    mkdir: created directory ‘/root/cert.bak’

  • Reset and update the ca-certificates package
    This reverts any direct customizations (e.g., to ca-bundle.crt) by moving the package's modified files to the backup directory, then updates or reinstalls the package.
    ~]# rpm -Vv ca-certificates | awk '$1!="........." && $2!="d" {system("mv -v " $NF " /root/cert.bak")}'
    `/etc/pki/java/cacerts' -> `/root/cert.bak/cacerts'
    `/etc/pki/tls/certs/ca-bundle.crt' -> `/root/cert.bak/ca-bundle.crt'
    `/etc/pki/tls/certs/ca-bundle.trust.crt' -> `/root/cert.bak/ca-bundle.trust.crt'
    ~]# yum check-update ca-certificates; (($?==100)) && yum update ca-certificates || yum reinstall ca-certificates
    
  • Ensure the /etc/pki/ca-trust/source/ and /etc/pki/ca-trust/source/anchors/ directories together contain only the following 2 files
    Move any other files to the backup directory

    ~]# find /etc/pki/ca-trust/source{,/anchors} -maxdepth 1 -not -type d -exec ls -1 {} +
    /etc/pki/ca-trust/source/ca-bundle.legacy.crt
    /etc/pki/ca-trust/source/README
    
  • Ensure the /usr/share/pki/ca-trust-source/ and /usr/share/pki/ca-trust-source/anchors/ directories together contain only the following 4 files
    Move any other files to the backup directory

    ~]# find /usr/share/pki/ca-trust-source{,/anchors} -maxdepth 1 -not -type d -exec ls -1 {} +
    /usr/share/pki/ca-trust-source/ca-bundle.neutral-trust.crt
    /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
    /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
    /usr/share/pki/ca-trust-source/README
    
  • Rebuild the CA-trust database with update-ca-trust
    ~]# update-ca-trust extract
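The reset procedure above as one script, so it can be reviewed in dry-run form before it touches the system. This is an added example, not the Red Hat solution's own code: the function names (changed_pkg_files, stray_source_files, move_to_backup, reset_ca_trust), the DRY_RUN and BACKUP_DIR variables and the apply argument are this example's conventions, and it assumes rpm, yum, GNU find and update-ca-trust are present, as on RHEL 6/7. One reason to prefer this route over overwriting ca-bundle.crt by hand: on RHEL 7 (and on RHEL 6 once the shared system store has been enabled) /etc/pki/tls/certs/ca-bundle.crt is a symlink into /etc/pki/ca-trust/extracted/, and update-ca-trust extract regenerates that file, so a hand-placed bundle does not survive the next rebuild.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution or the original post: the
# RHEL 6/7 reset procedure as a script. It defaults to DRY_RUN=1 so every mv,
# yum and update-ca-trust call is printed instead of executed; set DRY_RUN=0
# to apply. Assumes rpm, yum, GNU find and update-ca-trust are available.

BACKUP_DIR="${BACKUP_DIR:-/root/cert.bak}"
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# changed_pkg_files: read `rpm -Vv ca-certificates` output on stdin and print
# the path of every entry whose verify flags are not all '.' (modified, or
# "missing"), skipping documentation entries, whose type column is 'd'.
# Same filter as the awk one-liner in the procedure above.
changed_pkg_files() {
    awk '$1 != "........." && $2 != "d" { print $NF }'
}

# stray_source_files DIR NAME...: list non-directory entries directly in DIR
# and in DIR/anchors that are not one of the NAMEs the package ships in DIR.
# Everything in anchors/ is reported, matching the "only these files" rule.
stray_source_files() {
    dir=$1; shift
    find "$dir" "$dir/anchors" -maxdepth 1 -not -type d 2>/dev/null |
    while IFS= read -r f; do
        keep=0
        for name in "$@"; do
            if [ "$f" = "$dir/$name" ]; then keep=1; fi
        done
        if [ "$keep" -eq 0 ]; then printf '%s\n' "$f"; fi
    done
}

# move_to_backup: read paths on stdin and move each one into BACKUP_DIR.
move_to_backup() {
    while IFS= read -r f; do
        run mv -v "$f" "$BACKUP_DIR/"
    done
}

reset_ca_trust() {
    run mkdir -p "$BACKUP_DIR"

    # 1. Move every modified file of the package aside, then refresh the package.
    rpm -Vv ca-certificates | changed_pkg_files | move_to_backup
    rc=0
    yum check-update ca-certificates >/dev/null || rc=$?
    case $rc in
        100) run yum -y update ca-certificates ;;     # an update is available
        0)   run yum -y reinstall ca-certificates ;;  # already current: reinstall
        *)   echo "yum check-update failed (exit $rc)" >&2; return 1 ;;
    esac

    # 2. Leave only the files the package ships in the two source directories.
    stray_source_files /etc/pki/ca-trust/source \
        ca-bundle.legacy.crt README | move_to_backup
    stray_source_files /usr/share/pki/ca-trust-source \
        ca-bundle.neutral-trust.crt ca-bundle.supplement.p11-kit \
        ca-bundle.trust.crt README | move_to_backup

    # 3. Regenerate the extracted stores, including the file ca-bundle.crt points at.
    run update-ca-trust extract
}

if [ "${1:-}" = "apply" ]; then
    reset_ca_trust
fi
```

Run it once as sh reset-ca-trust.sh apply to see every step printed, then DRY_RUN=0 sh reset-ca-trust.sh apply to perform it; anything moved into /root/cert.bak (including any organisation CA that was living in anchors/) can be inspected and, if still wanted, put back into anchors/ followed by another update-ca-trust extract.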

Source(s)
http://eric.lubow.org/2011/fixing-centos-root-certificate-authority-issues
https://curl.haxx.se/docs/caextract.html
https://access.redhat.com/solutions/1549003