How do you fix Peers certificate issuer has been marked as not trusted by the user?

Published on Aug 24, 2019

In this guide, we are going to solve the “cURL error 60: Peer’s Certificate issuer is not recognized” issue. We may face this at the time to downloading file using wget or curl method. We may also face at the moment to generating or updating Let’s Encrypt SSL certificate.

The error looks like:

curl: (60) Peer's Certificate issuer is not recognized. curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

The Solution

Let’s install the ca-certificates package by using this command:

yum install ca-certificates

We have to enable dynamic CA configuration feature. Let’s do this by this command:

update-ca-trust force-enable

Restart your webserver to check if the error was solved or not.

// Apache sudo systemctl restart httpd // Nginx sudo systemctl restart nginx

If the error not solved yet, then follow these steps:

• Add your cert.pem file to /etc/pki/ca-trust/source/anchors/.
• If you don’t have cert.pem file, you can convert cert.crt to cert.pem using OpenSSL: openssl x509 -in cert.crt -inform der -outform pem -out cert.pem.
• Last update ca-trust using this command: update-ca-trust extract.

Now restart your webserver and check.

Note: You can also upload cert.pem file to any location and can set a Symbolic link like this:

sudo ln -s /etc/ssl/your-cert.pem /etc/pki/ca-trust/source/anchors/your-cert.pem

You don’t want to fix this permanently, you may follow these two methods:

Method 1: Skip Certificate Check

You can simply add --no-check-certificate in your command. Here’s an example:

wget --no-check-certificate //wordpress.org/latest.zip

Method 2: Temporary Turned off SSL

To install any package, you can temporary turned off SSL check. Open yum configuration file:

sudo vi /etc/yum.conf

Just add this line:

sslverify=false

The article is over. Thanks for reading. ?

Most Related:

• SSL: CERTIFICATE_VERIFY_FAILED with Let’s Encrypt
• PHP cURL Error Code 60 : SSL Certificate Problem

So based on the guidance for updates that was sent out, I went and looked at my system's update history and found the last update was in January. That isn't necessarily a problem but I would like antispam updates, so I opened a session on the server and checked for antispam updates. Yum failed immediately:

yum check-update clearsdn-antispam
Loaded plugins: clearcenter-marketplace, fastestmirror
ClearCenter Marketplace: fetching repositories...
Determining fastest mirrors
Could not retrieve mirrorlist //mirrors.iuscommunity.org/mirrorlist?repo=ius-centos7&arch=x86_64&protocol=http error was
14: curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."

One of the configured repositories failed (Unknown),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:

1. Contact the upstream for the repository and get them to fix the problem.

2. Reconfigure the baseurl/etc. for the repository, to point to a working
upstream. This is most often useful if you are using a newer
distribution release than is supported by the repository (and the
packages for the previous distribution release still work).

3. Run the command with the repository temporarily disabled
yum --disablerepo=<repoid> ...

4. Disable the repository permanently, so yum won't use it by default. Yum
will then just ignore the repository until you permanently enable it
again or use --enablerepo for temporary usage:

yum-config-manager --disable <repoid>
or
subscription-manager repos --disable=<repoid>

5. Configure the failing repository to be skipped, if it is unavailable.
Note that yum will try to contact the repo. when it runs most commands,
so will have to try and fail each time (and thus. yum will be be much
slower). If it is a very temporary problem though, this is often a nice
compromise:

yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

Cannot find a valid baseurl for repo: ius/x86_64

The error suggests disabling the repo, but I never got to the repo, it failed out looking for a mirror. Not sure what could even be causing this.

How do I fix peer certificate Cannot be authenticated with given CA certificates?

Is the issuer of this certificate could not be found?