Announcing a Change to the Certificate for the NGINX Plus Repository

In our ongoing efforts to improve the security of our products, we’ve made a change that affects the way NGINX Plus is installed and updated. We are replacing the self‑signed certificate we previously used to secure the NGINX Plus repository with a certificate from GlobalSign, a well‑known and trusted Certificate Authority (CA). With a CA‑signed certificate, clients can now verify the certificate we present and be assured that the code they are downloading is from NGINX, Inc.

The next time you install or update NGINX Plus, you might see an error such as:

  • On Amazon Linux, CentOS, Oracle Linux, and RHEL:

    curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
  • On Debian and Ubuntu:

    server certificate verification failed. CAfile: /etc/ssl/nginx/CA.crt CRLfile: none

If you get these errors, you need to update how your package management tool accesses the NGINX Plus repository. Follow the instructions for your OS distribution:

  • Amazon Linux

    # yum install ca-certificates
    # rm -f /etc/yum.repos.d/nginx-plus-amazon.repo /etc/ssl/nginx/CA.crt
    # wget -O /etc/yum.repos.d/nginx-plus-amazon.repo https://cs.nginx.com/static/files/nginx-plus-amazon.repo
  • CentOS 5.10+ / Oracle Linux 5.10+ / RHEL 5.10+

    # yum install openssl
    # rm -f /etc/yum.repos.d/nginx-plus-5.repo /etc/ssl/nginx/CA.crt
    # wget -O /etc/yum.repos.d/nginx-plus-5.repo https://cs.nginx.com/static/files/nginx-plus-5.repo
  • CentOS 6.5+ / Oracle Linux 6.5+ / RHEL 6.5+

    # yum install ca-certificates
    # rm -f /etc/yum.repos.d/nginx-plus-6.repo /etc/ssl/nginx/CA.crt
    #wget -O /etc/yum.repos.d/nginx-plus-6.repo https://cs.nginx.com/static/files/nginx-plus-6.repo
  • CentOS 7.0+ / Oracle Linux 7.0+ / RHEL 7.0+

    # yum install ca-certificates
    # rm -f /etc/yum.repos.d/nginx-plus-7.repo /etc/ssl/nginx/CA.crt
    # wget -O /etc/yum.repos.d/nginx-plus-7.repo https://cs.nginx.com/static/files/nginx-plus-7.repo
  • Debian 7.0, 8.0

    # apt-get install ca-certificates
    # rm -f /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx/CA.crt
    # wget -O /etc/apt/apt.conf.d/90nginx https://cs.nginx.com/static/files/90nginx
  • FreeBSD 9.3, 10.1+

    # pkg install ca_root_nss
    # rm -f /etc/ssl/nginx/CA.crt
  • SLES 12, 12 SP1

    # zypper install ca-certificates
    # zypper rr nginx-plus
    # zypper addrepo -G -t yum -c 'https://plus-pkgs.nginx.com/sles/12?ssl_clientcert=/etc/ssl/nginx/nginx-repo-bundle.crt&ssl_verify=peer' nginx-plus
  • Ubuntu 12.04 LTS, 14.04 LTS, 15.10, 16.04 LTS

    # apt-get install ca-certificates
    # rm -f /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx/CA.crt
    # wget -O /etc/apt/apt.conf.d/90nginx https://cs.nginx.com/static/files/90nginx

The instructions at the NGINX Plus Customer Portal have been updated to reflect this change. If you have any questions, please contact our support team.

Cover image
Are your applications secure?
Learn how to protect your apps with NGINX and NGINX Plus