Curl: "Peer's Certificate issuer is not recognized" error on CentOS 7 with some URLs and the latest cacert bundle

Centos 7.6
Curl 7.29

My application needs to run curl requests that come from user requests, but some URLs return `curl: (60) Peer's Certificate issuer is not recognized.`

So far I have:

Downloaded the latest cacert bundle: `sudo curl -k https://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt`

Checked the newly installed bundle: `sudo vi /etc/pki/tls/certs/ca-bundle.crt`

#
# Bundle of CA Root Certificates
#
# Certificate data from Mozilla as of: Wed Jan 23 04:12:09 2019 GMT
# 
...

Ran some test HTTPS URLs, e.g. superuser.com, which curl fetched without any problem.

 curl -v https://superuser.com/questions/1091521/centos-7-wont-accept-any-ssl-certificates

 About to connect() to superuser.com port 443 (#0)
   Trying 151.101.1.69...
 Connected to superuser.com (151.101.1.69) port 443 (#0)
 Initializing NSS with certpath: sql:/etc/pki/nssdb
   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
 SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 Server certificate:
       subject: CN=*.stackexchange.com,O="Stack Exchange, Inc.",L=New York,ST=NY,C=US
       start date: Oct 05 00:00:00 2018 GMT
       expire date: Aug 14 12:00:00 2019 GMT
       common name: *.stackexchange.com
       issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 GET /questions/1091521/centos-7-wont-accept-any-ssl-certificates HTTP/1.1
 User-Agent: curl/7.29.0
 Host: superuser.com
 Accept: */*

 HTTP/1.1 200 OK
...

Then I tested several URLs that also use HTTPS, but they returned the `curl: (60) Peer's Certificate issuer is not recognized.` error.

curl -v https://www.movistar.com

 About to connect() to www.movistar.com port 443 (#0)
   Trying 194.224.110.42...
 Connected to www.movistar.com (194.224.110.42) port 443 (#0)
 Initializing NSS with certpath: sql:/etc/pki/nssdb
   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
 Server certificate:
       subject: CN=www.movistar.com,O=Telefonica S.A.,L=Madrid,ST=Madrid,C=ES
       start date: Jul 05 12:51:04 2018 GMT
       expire date: Aug 29 09:01:02 2019 GMT
       common name: www.movistar.com
       issuer: CN=GlobalSign Organization Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
 NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
 Peer's Certificate issuer is not recognized.
 Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html


curl -v https://signup.lotro.com

 About to connect() to signup.lotro.com port 443 (#0)
   Trying 198.252.160.63...
 Connected to signup.lotro.com (198.252.160.63) port 443 (#0)
 Initializing NSS with certpath: sql:/etc/pki/nssdb
   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
 Server certificate:
       subject: CN=*.lotro.com,OU=Standing Stone Games LLC,O=Standing Stone Games,L=Needham,ST=ma,C=US
       start date: Mar 12 00:00:00 2018 GMT
       expire date: Mar 20 12:00:00 2019 GMT
       common name: *.lotro.com
       issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
 Peer's Certificate issuer is not recognized.
 Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

The only way to make these URLs work is to disable certificate verification, e.g. `curl -v --insecure https://signup.lotro.com`

Considering that these URLs come from user requests, how can I curl them without getting this error and without using the `--insecure` parameter?

Note: I am currently working in a VirtualBox VM, but the same problem occurs on my VPS.

Note 2: the issuer of superuser.com and signup.lotro.com is the same, yet I can only curl superuser.com.

Answer 1

The SSLLabs reports for both sites show:

This server's certificate chain is incomplete.

In other words: a server misconfiguration is causing the error you see. Desktop browsers try to work around it, but simpler tools such as curl do not. To fix it you need to explicitly add the missing CA certificates to your trust store. For www.movistar.com this is GlobalSign Organization Validation CA - SHA256 - G2, and for signup.lotro.com it is DigiCert SHA2 High Assurance Server CA. You can download the missing CA certificates as PEM at the links I provide, add them to your trust store, and then call curl with that trust store:

$ (
  # the two missing intermediate CA certificates, as PEM
  curl https://censys.io/certificates/74ef335e5e18788307fb9d89cb704bec112abd23487dbff41c4ded5070f241d9/pem/raw;
  echo;
  curl https://censys.io/certificates/19400be5b7a31fb733917700789d2f0a2471c0c9d506c0e504c06c16d7cb17c0/pem/raw;
  echo;
  # followed by the existing system bundle (on CentOS 7 this is /etc/pki/tls/certs/ca-bundle.crt)
  cat /etc/ssl/certs/ca-certificates.crt
) > myca.pem
$ curl -v --cacert myca.pem https://www.movistar.com
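To make the diagnosis in this answer concrete, here is an added example (not code from the answer, curl or NSS) that walks a served chain against a trust store the way a TLS client does before reporting SEC_ERROR_UNKNOWN_ISSUER, and shows that either the server sending the intermediate or the client trusting it makes the walk succeed. The certificates are constructed stand-ins built inside the block (no real keys or signatures), "Stand-in Root CA" is a placeholder name, and `fake_cert`, `der_children`, `cert_names` and `find_unknown_issuer` are hypothetical helper names.

```python
# Added example (constructed stand-in certs, not from the page): the path building behind NSS's SEC_ERROR_UNKNOWN_ISSUER.
def _tlv(tag, body):
    """DER TLV; lengths of 128 and above use the long form."""
    n, k = len(body), (len(body).bit_length() + 7) // 8
    ln = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + ln + body
def der_children(data):
    """Split DER bytes into (tag, value) pairs; single-byte tags suffice for X.509."""
    out, i = [], 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                          # long-form length
            ln, i = int.from_bytes(data[i:i + (ln & 0x7F)], "big"), i + (ln & 0x7F)
        out.append((tag, data[i:i + ln]))
        i += ln
    return out
def cert_names(der):
    """(subject, issuer) as raw DER Names: Certificate -> tbsCertificate -> fields."""
    tbs = der_children(der_children(der_children(der)[0][1])[0][1])
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs   # skip the optional [0] version
    return tbs[4][1], tbs[2][1]                # serial, sigAlg, issuer, validity, subject
def common_name(name_der):
    """Best-effort CN (OID 2.5.4.3) from a DER Name, for readable messages."""
    atvs = [der_children(a) for _, rdn in der_children(name_der) for _, a in der_children(rdn)]
    cns = [val[1] for oid, val in atvs if oid[1] == b"\x55\x04\x03"]
    return cns[0].decode("utf-8", "replace") if cns else name_der.hex()
def find_unknown_issuer(chain, trust_store, max_depth=10):
    """Walk leaf -> issuer using only what the server sent plus the trust store (no
    signature checks). None when a trusted anchor is reached, else the CN nobody can supply."""
    served = {cert_names(c)[0]: c for c in chain}
    trusted = {cert_names(c)[0] for c in trust_store}
    cur = chain[0]
    for _ in range(max_depth):
        subject, issuer = cert_names(cur)
        if issuer in trusted:
            return None
        if issuer == subject or issuer not in served:
            break                              # self-signed but untrusted, or a gap in the chain
        cur = served[issuer]
    return common_name(issuer)
def fake_cert(subject_cn, issuer_cn):
    """Constructed stand-in: real tbsCertificate field order, dummy algorithm/signature."""
    def name(cn):
        return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + name(issuer_cn) + _tlv(0x30, b"") + name(subject_cn))
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
ROOT = fake_cert("Stand-in Root CA", "Stand-in Root CA")
INTER = fake_cert("GlobalSign Organization Validation CA - SHA256 - G2", "Stand-in Root CA")
LEAF = fake_cert("www.movistar.com", "GlobalSign Organization Validation CA - SHA256 - G2")
```

`find_unknown_issuer([LEAF], [ROOT])` names the missing intermediate, while `[LEAF, INTER]` against `[ROOT]` (server fixed) and `[LEAF]` against `[ROOT, INTER]` (the `--cacert myca.pem` workaround above) both return None.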

Answer 2

I am on CentOS 7 here, and running pyspider shows the error:

Exception HTTP 599 Peer's certificate issuer has been marked as not trusted by the user

I fixed it with the following steps:

Change the non-working libcurl:

/usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0_openssl

to the working libcurl:

/usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0

and reinstall pycurl:

pip3 uninstall pycurl
export PYCURL_SSL_LIBRARY=nss
export LDFLAGS=-L/usr/local/opt/openssl/lib
export CPPFLAGS=-I/usr/local/opt/openssl/include
pip install pycurl --compile --no-cache-dir

For a detailed description, see another SO post.
