In our ongoing efforts to improve the security of our products, we’ve made a change that affects the way NGINX Plus is installed and updated. We are replacing the self‑signed certificate we previously used to secure the NGINX Plus repository with a certificate from GlobalSign, a well‑known and trusted Certificate Authority (CA). With a CA‑signed certificate, clients can now verify the certificate we present and be assured that the code they are downloading is from NGINX, Inc.
The next time you install or update NGINX Plus, you might see an error such as:
On Amazon Linux, CentOS, Oracle Linux, and RHEL:
curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
On Debian and Ubuntu:
server certificate verification failed. CAfile: /etc/ssl/nginx/CA.crt CRLfile: none
If you get these errors, you need to update how your package management tool accesses the NGINX Plus repository. Follow the instructions for your OS distribution:
Amazon Linux
# yum install ca-certificates# rm -f /etc/yum.repos.d/nginx-plus-amazon.repo /etc/ssl/nginx/CA.crt
# wget -O /etc/yum.repos.d/nginx-plus-amazon.repo https://cs.nginx.com/static/files/nginx-plus-amazon.repo
CentOS 5.10+ / Oracle Linux 5.10+ / RHEL 5.10+
# yum install openssl# rm -f /etc/yum.repos.d/nginx-plus-5.repo /etc/ssl/nginx/CA.crt
# wget -O /etc/yum.repos.d/nginx-plus-5.repo https://cs.nginx.com/static/files/nginx-plus-5.repo
CentOS 6.5+ / Oracle Linux 6.5+ / RHEL 6.5+
# yum install ca-certificates# rm -f /etc/yum.repos.d/nginx-plus-6.repo /etc/ssl/nginx/CA.crt
# wget -O /etc/yum.repos.d/nginx-plus-6.repo https://cs.nginx.com/static/files/nginx-plus-6.repo
CentOS 7.0+ / Oracle Linux 7.0+ / RHEL 7.0+
# yum install ca-certificates# rm -f /etc/yum.repos.d/nginx-plus-7.repo /etc/ssl/nginx/CA.crt
# wget -O /etc/yum.repos.d/nginx-plus-7.repo https://cs.nginx.com/static/files/nginx-plus-7.repo
Debian 7.0, 8.0
# apt-get install ca-certificates# rm -f /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx/CA.crt
# wget -O /etc/apt/apt.conf.d/90nginx https://cs.nginx.com/static/files/90nginx
FreeBSD 9.3, 10.1+
# pkg install ca_root_nss# rm -f /etc/ssl/nginx/CA.crt
SLES 12, 12 SP1
# zypper install ca-certificates# zypper rr nginx-plus
# zypper addrepo -G -t yum -c 'https://plus-pkgs.nginx.com/sles/12?ssl_clientcert=/etc/ssl/nginx/nginx-repo-bundle.crt&ssl_verify=peer' nginx-plus
Ubuntu 12.04 LTS, 14.04 LTS, 15.10, 16.04 LTS
# apt-get install ca-certificates# rm -f /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx/CA.crt
# wget -O /etc/apt/apt.conf.d/90nginx https://cs.nginx.com/static/files/90nginx
The instructions at the NGINX Plus Customer Portal have been updated to reflect this change. If you have any questions, please contact our support team.
"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous NGINX.com links will redirect to similar NGINX content on F5.com."