🟠 High   ⏱ 5–30 min  Last verified: 20 May 2026
Affected versions: Oracle Linux 10

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

HTTPS clients fail with certificate verify errors against internal services.

Environment & Reproduction

Observed after CA rotation or incomplete base image hardening.

curl -Iv https://api.internal
openssl s_client -connect api.internal:443 -servername api.internal

Root Cause Analysis

Root or intermediate CA certificates are absent from system trust anchors.

Quick Triage

Inspect presented chain and local trust anchor set.

trust list | grep -i internal -n || true
ls -l /etc/pki/ca-trust/source/anchors

Step-by-Step Diagnosis

Compare service chain to installed local anchors.

openssl s_client -showcerts -connect api.internal:443 </dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
update-ca-trust check
Illustrative mockup for oracle-linux-10 β€” terminal_or_shell
certificate trust chain diagnostics β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Install missing CA certs and rebuild trust store.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

cp /tmp/internal-root-ca.crt /etc/pki/ca-trust/source/anchors/
cp /tmp/internal-intermediate-ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
curl -Iv https://api.internal
Illustrative mockup for oracle-linux-10 β€” logs_or_journal
TLS handshake error logs β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Use application specific CA bundle while central trust is being corrected.

curl --cacert /etc/pki/ca-trust/source/anchors/internal-root-ca.crt https://api.internal

Verification & Acceptance Criteria

TLS handshakes complete without verify errors.

openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt /tmp/service.crt

Rollback Plan

Remove newly added anchors if incorrect certificates were deployed.

rm -f /etc/pki/ca-trust/source/anchors/internal-*.crt
update-ca-trust

Prevention & Hardening

Automate CA distribution with integrity checks and expiry monitoring.

openssl x509 -in /etc/pki/ca-trust/source/anchors/internal-root-ca.crt -noout -enddate

Related to proxy TLS interception and incomplete certificate chains on servers.

Related tutorial: View the step-by-step tutorial for oracle-linux-10.

View all oracle-linux-10 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Oracle Linux trust store and OpenSSL certificate management documentation.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.