[Bug 1549709] Re: getting "unable to get local issuer certificate" for valid domains after upgrading to 20160104ubuntu0.14.04.1

2016-02-25 Thread Marc Deslauriers
Thanks! I've closed the bug.

** Changed in: ca-certificates (Ubuntu)
   Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1549709

Title:
  getting "unable to get local issuer certificate" for valid domains
  after upgrading to 20160104ubuntu0.14.04.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1549709/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1549709] Re: getting "unable to get local issuer certificate" for valid domains after upgrading to 20160104ubuntu0.14.04.1

2016-02-25 Thread proligde
Looks like I can't close it.



[Bug 1549709] Re: getting "unable to get local issuer certificate" for valid domains after upgrading to 20160104ubuntu0.14.04.1

2016-02-25 Thread proligde
Hi Marc,

thanks for pointing out to restart services. In fact I had a service
still running during the update causing the error. Combined with the
different behaviour you just described between 15.10 and 14.04 it made
me make a wrong conclusion. I'll close the bug.

Thanks again!

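
The condition reported in the message above, a service left running across the libssl/openssl upgrade, can be checked for directly. This is an added example, not part of the original thread: it lists processes that still map a libssl or libcrypto file that has since been replaced on disk. The function names, the PROC_ROOT parameter and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find processes that still map a libssl/libcrypto file
# which was replaced on disk. The kernel marks such mappings with
# "(deleted)" in /proc/PID/maps until the process is restarted.

# stale_tls_procs [PROC_ROOT] -> prints "PID NAME" per affected process.
# PROC_ROOT defaults to /proc; the parameter exists only so the check
# can also be run against a constructed tree.
stale_tls_procs() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null || continue
        dir=${maps%/maps}
        name=$(cat "$dir/comm" 2>/dev/null) || name='?'
        printf '%s %s\n' "${dir##*/}" "$name"
    done
}

# Constructed sample tree: PID 101 still maps the replaced library,
# PID 202 was started after the upgrade and maps the new file.
make_sample_proc() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/101" "$root/202"
    echo 'nginx' > "$root/101/comm"
    echo 'sshd' > "$root/202/comm"
    echo '7f00-7f01 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' > "$root/101/maps"
    echo '7f00-7f01 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libssl.so.1.0.0' > "$root/202/maps"
    printf '%s\n' "$root"
}

sample=$(make_sample_proc)
echo "constructed tree:"
stale_tls_procs "$sample"
rm -rf "$sample"

echo "this host (run as root to see every process):"
stale_tls_procs /proc
```

Any process listed for the live host needs a restart before it picks up the upgraded library.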


[Bug 1549709] Re: getting "unable to get local issuer certificate" for valid domains after upgrading to 20160104ubuntu0.14.04.1

2016-02-25 Thread Marc Deslauriers
The openssl tools in Ubuntu 14.04 never did use the system CA file by
default. That was fixed in later releases. So it's normal that you don't
need to specify it manually when using 15.10 for example, but do need to
specify it in 14.04.

The path to it has always been /etc/ssl/certs/ca-certificates.crt.

Are you still having issues after updating openssl and restarting your
services?



[Bug 1549709] Re: getting "unable to get local issuer certificate" for valid domains after upgrading to 20160104ubuntu0.14.04.1

2016-02-25 Thread proligde
additional info:

both servers ("working" and "not working") show:

openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

and both show (since /usr/lib/ssl/certs is symlinked to /etc/ssl/certs):

ls -l /usr/lib/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 274340 Feb 25 12:45 /usr/lib/ssl/certs/ca-certificates.crt

My first guess was that these were different or the symlink wouldn't
exist - but that all looks fine



[Bug 1549709] Re: getting "unable to get local issuer certificate" for valid domains after upgrading to 20160104ubuntu0.14.04.1

2016-02-25 Thread proligde
Hi Marc,

thanks for your feedback. That's interesting! My command

echo | openssl s_client -connect www.google.com:443

works perfectly well on all my servers returning a positive result
except the servers that have been updated as far as I can see. When I
add the argument -CAfile /etc/ssl/certs/ca-certificates.crt it works on
these updated servers as well.

Now this looks like it's not a problem with the ca-certificate file but
with the default CA-Path changed...

Here is a list of updates that took place directly before the problem
occurred:

Start-Date: 2016-02-25  06:36:45
Upgrade: libgnutls-openssl27:amd64 (2.12.23-12ubuntu2.4, 2.12.23-12ubuntu2.5), libssl1.0.0:amd64 (1.0.1f-1ubuntu2.16, 1.0.1f-1ubuntu2.17), ca-certificates:amd64 (20141019ubuntu0.14.04.1, 20160104ubuntu0.14.04.1), libgnutls26:amd64 (2.12.23-12ubuntu2.4, 2.12.23-12ubuntu2.5), openssl:amd64 (1.0.1f-1ubuntu2.16, 1.0.1f-1ubuntu2.17)
End-Date: 2016-02-25  06:36:58

I guess then this bug report has to be moved to the package that changed
the default CA-Path I guess?

Here is the output of: apt-cache policy libssl1.0.0

libssl1.0.0:
  Installiert:   1.0.1f-1ubuntu2.17
  Installationskandidat: 1.0.1f-1ubuntu2.17
  Versionstabelle:
 *** 1.0.1f-1ubuntu2.17 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1f-1ubuntu2 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Thanks - Max



[Bug 1549709] Re: getting "unable to get local issuer certificate" for valid domains after upgrading to 20160104ubuntu0.14.04.1

2016-02-25 Thread Marc Deslauriers
Your example command doesn't work. You need to tell openssl where the
certificate store is, like so:

echo | openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect www.google.com:443

What version is your openssl package? Please do:

apt-cache policy libssl1.0.0

Thanks.

** Changed in: ca-certificates (Ubuntu)
   Status: New => Incomplete



[Bug 1549709] Re: getting "unable to get local issuer certificate" for valid domains after upgrading to 20160104ubuntu0.14.04.1

2016-02-25 Thread proligde
** Description changed:

  Several 14.04 servers were reporting problems connecting to different
  sites and APIs this morning.
  
  I'm not entirely sure, but looking at /var/log/apt/history (showing ca-
  certificates:amd64 (20141019ubuntu0.14.04.1, 20160104ubuntu0.14.04.1))
  in combination with what I believe is causing the connection problems
  made me file this bug.
+ 
+ If I'm right this is probably pretty bad, since all connections initiated
+ by this server checking a SSL certificate will fail and actually that's
+ exactly what happened here.
  
  Here is an example where I check a valid ssl domain like www.google.com
  resulting in an Verify return code: 20 (unable to get local issuer
  certificate) while my non 14.04LTS-machines kept accepting it:
  
  echo | openssl s_client -connect www.google.com:443
  CONNECTED(0003)
  depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  ---
  Certificate chain
-  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
-i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-  1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
-i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
+  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
+    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
+  1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
+    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  ---
  Server certificate
  subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
  issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 3727 bytes and written 421 bytes
  ---
  New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
  Server public key is 2048 bit
  Secure Renegotiation IS supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
- Protocol  : TLSv1.2
- Cipher: ECDHE-RSA-AES128-GCM-SHA256
- Session-ID: 
6635C1B245005CBE38B6B857F422476F6CE8963462561E0A8AA926AEE25CA711
- Session-ID-ctx: 
- Master-Key: 
89C73689FE905D803AB2589FF70FA5B0466DB3EC372333B7A22EFF03A6D60314C84AA9B6DAAF7D1D64F4882E1B463838
- Key-Arg   : None
- PSK identity: None
- PSK identity hint: None
- SRP username: None
- TLS session ticket lifetime hint: 100800 (seconds)
- TLS session ticket:
-  - 82 ef b9 02 2c a1 b6 6f-a0 6c cd 1f 87 ff 3a 83   ,..o.l:.
- 0010 - 6c 27 c3 3c 9b 00 91 90-72 a4 8c 34 ca 6a 45 fd   l'.