Isn’t it frustrating if your cURL request returns an NSS error 8179?

Usually, this error occurs when the SSL certificate chain file is incomplete. Moreover, it causes the curl request to fail.

At Bobcares we often get requests to fix cURL errors, as a part of our Server Management Services.

Today, let’s have a look at how our Support Engineers fix this cURL error.

What is the cURL NSS error?

Firstly, let’s see what is cURL and NSS.

cURL stands for ‘Client of URL’. Basically cURL is a PHP library. And it allows communication between servers with different protocols.

Whereas, NSS aka Network Security Services is a set of libraries. This supports cross-platform secure client-server applications.

cURL always uses NSS to verify SSL. So, the error relates to the SSL of the requested URL. SSL provides secure communication between a browser and the webserver.

cURL NSS error 8179

Users get the error 8179 while making cURL API calls. The typical error message appears as:

* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peers Certificate issuer is not recognized.
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (60) Peers Certificate issuer is not recognized.

The error indicates the secure connection has some error. That is the SSL certificate is from an unknown issuer.

But this does not mean that there is no SSL for the server. The error maybe with the certificate files in the server.

How we fix the cURL error 8179?

We just saw the details of the error. Let’s see how our Support Team fixes this error.

1. Fixing the certificate chain file

Initially, our Support Engineers check the certificate chain files. A certificate chain is an ordered list of certificates. Basically, it contains an SSL Certificate and the CA Certificates. This is to indicate a trustworthy sender.

Usually, a single PEM file contains all the certs. But these certs in the file must follow the predefined order. That is,

1. Primary SSL Certificate
2. Intermediate Certificate
3. Root Certificate

Hence we correct the certificate chain to fix the error.

Later, we make the cURL request specifying the cert file. For instance, consider that xx.pem is the cert file. Then request as follows,

curl -v --cacert xx.pem https://www.domain.com

Here we directly specified the cert file path. So, the request will lead to the desired result.

2. Including multiple certificates

In some cases, the webserver configuration may contain multiple entries of certificate chains. This can also result in error 8179.

Apache 2.4 recognizes a combined certificate and chain file. Usually, this error happens due to mistakenly specifying cert.pem instead of fullchain.pem.

Therefore, we always try to see if there are any other references to the Let’s Encrypt certificate in the Apache configuration that use the cert.pem instead of fullchain.pem.

grep -r SSLCertificate /etc/apache2

Based on the results, we correct the configuration and that fixes the certificate error.

[Need assistance in fixing cURL errors? – Our Experts are available 24/7.]

Conclusion

In short, cURL NSS error 8179 indicate an improper certificate chain file. An ordered list of this file indicates a trusted sender. Today, we saw how our Support Engineers fix this error.