These are both internal sites trusted by the same public CA.
How can I debug this further? I ran into some solutions where they ask to install the company's certificate into the server (though I'm wondering why one site works but the other one doesn't), but I'm not sure how to install this certificate correctly.
Can someone help please?
Thanks for the help.
asked Oct 8, 2018 at 16:57 Chandima Jayawickrema

You could start by posting the error that curl returned. Your post did not include this information. Commented Oct 8, 2018 at 19:04

You can use curl -k to make it ignore certificate irregularities.
Or you can use curl --cacert to supply your company CA cert.
Or you can add your company CA cert to /etc/pki/tls/certs/ and run make there to make it available system-wide.
Ah, and to retrieve the company root CA use this: openssl s_client -connect git.company.com:443 -showcerts - that will dump all the certificates in the chain.
answered Oct 8, 2018 at 22:54

There exists no makefile in /etc/pki/tls/certs/. Commented May 18, 2023 at 13:24

For me downloading the relevant certificates worked nicely with

    host=www.apache.org
    # Dump the chain and write each certificate to cert-<index>.crt
    echo "" | openssl s_client -showcerts -connect "${host}:443" | \
      awk '/-----BEGIN CERTIFICATE-----/ { i++ }
           /-----BEGIN CERTIFICATE-----/, /-----END CERTIFICATE-----/ { print > ("cert-" i ".crt") }'
    # Rename each file after the CN in the certificate's subject
    for cert in *.crt; do
      newname=$(
        openssl x509 -noout -subject -in "${cert}" |
        sed -nE 's/.*CN ?= ?(.*)/\1/; s/\s/_/g; s/[^[:alnum:]]/_/g; s/__+/_/g; s/^_//g; s/_$//g; p' |
        tr -s '[:upper:]' '[:lower:]'
      ).crt
      echo "${newname}"
      mv "${cert}" "${newname}"
    done
The variable host is of course just "nice-to-have", you can directly edit the host in the first openssl command.
The echo "" reduces waiting time for openssl.
The openssl fetches all certificates.
The awk extracts the certificates and puts each by incremented index in a separate file with file name suffix .crt.
The for iterates over all downloaded/found certificate (.crt) files.
The sed and tr remove all clutter from the name.
BTW: For Ubuntu I had to put the CRT files into /etc/ssl/certs/ not /etc/pki/tls/certs/, and it is necessary to run sudo update-ca-certificates afterwards.
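
To tell which of the certificates dumped by openssl s_client -showcerts looks like a root CA before handing it to curl --cacert, the following added example (not part of the original answers) splits a bundle and reports each certificate's role and SHA-256 fingerprint. The function names, the "demo" argument and the throwaway test chain are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answers. All names and subjects are constructed.

# chain_report BUNDLE: one line per certificate, "index|role|subject|sha256".
# role is "self-issued" when subject == issuer (how a root CA looks), else "issued".
chain_report() {
  tmp=$(mktemp -d) || return 1
  # Split the PEM bundle into one file per certificate.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { i++; out = sprintf("%s/cert-%02d.pem", dir, i) }
    /-----BEGIN CERTIFICATE-----/, /-----END CERTIFICATE-----/ { print > out }
  ' "$1"
  n=0
  for f in "$tmp"/cert-*.pem; do
    [ -e "$f" ] || break          # bundle contained no certificates
    n=$((n + 1))
    subj=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject= *//')
    issuer=$(openssl x509 -noout -issuer -in "$f" | sed 's/^issuer= *//')
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$f" | sed 's/^.*=//')
    if [ "$subj" = "$issuer" ]; then role=self-issued; else role=issued; fi
    printf '%s|%s|%s|%s\n' "$n" "$role" "$subj" "$fp"
  done
  rm -rf "$tmp"
}

# make_constructed_chain DIR: throwaway root and leaf, so the report can be tried offline.
make_constructed_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=git.company.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null &&
  cat "$d/leaf.pem" "$d/root.pem" > "$d/bundle.pem"   # leaf first, as a server sends it
}

# Run on the constructed chain when the script is given the argument "demo".
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d) && make_constructed_chain "$d" && chain_report "$d/bundle.pem"
  rm -rf "$d"
fi
```

A server often omits the root from the chain it sends, so no self-issued line may appear. Either way, compare the reported fingerprint with one obtained from the CA's owner before using the file with curl --cacert.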