How to fix “ERROR: the certificate of … is not trusted” on RHEL 8 / CentOS 8 /AlmaLinux 8

Every operating system (and most browsers) have their own local list of trusted Certificate Authorities (CA). If a SSL certificate is issued by one of the CA’s in this list the SSL certificate will be validated. However if you try to access a website of which the SSL certificate is NOT issued by a known Certificate Authority, then you might come across the following error message:

[lanedirt@localhost ~]$ wget https://domain.local
--2021-11-20 11:45:07--  https://domain.local/
Resolving domain.local (domain.local)... 10.0.0.1
Connecting to domain.local (domain.local)|10.0.0.1|:443... connected.
ERROR: The certificate of ‘domain.local’ is not trusted.
ERROR: The certificate of ‘domain.local’ hasn't got a known issuer.

This error might pop up when you issue a wget or curl command on Linux. Most often this error is caused by websites with internally issued SSL certificates (e.g. company intranets). Read on to learn how to fix this problem.

1. Retrieve root certificate of the local issuer

If the error above is thrown when you try to visit an internal company network website (such as an intranet webpage), then ask whoever is responsible for this website to provide you with a root CA certificate (.cer).

If you are yourself responsible for the website that causes this issue, then you should be able to download the root certificate (.cer) from the company that issued you the SSL certificate.

Once you have one or more root certificates (.cer), proceed to the next step.

2. Install root certificate on Linux

Copy the “.cer” files that you got in step 1 to the Linux server, and place them in the following directory:

/etc/pki/ca-trust/source-anchors

3. Update ca-trust-extract

Once the files are placed in the directory above, you need to issue one simple statement via SSH. The command below combines all separate root certificates into one file, which is then used by the operating system for further lookups.

sudo update-ca-trust extract

Now try to issue the original wget/curl command again. This time it should work!

[lanedirt@localhost ~]$ wget https://domain.local
--2021-11-20 11:50:17--  https://domain.local/
Resolving domain.local (domain.local)... 10.0.0.1
Connecting to domain.local (domain.local)|10.0.0.1|:443... connected.
HTTP request sent, awaiting response... 200 OK

By Leendert de Borst

Freelance software architect with 10+ years of experience. Expert in translating complex technical problems into creative & simple solutions.

Leave a comment

Your email address will not be published.