** Description changed:

  Several 14.04 servers were reporting problems connecting to different
  sites and APIs this morning. I'm not entirely sure, but looking at
  /var/log/apt/history (showing ca-certificates:amd64
  (20141019ubuntu0.14.04.1, 20160104ubuntu0.14.04.1)) in combination with
  what I believe is causing the connection problems made me file this bug.
+
+ If I'm right this is probably pretty bad, since all connections initiated
+ by this server checking a SSL certificate will fail and actually that's
+ exactly what happened here.

  Here is an example where I check a valid ssl domain like www.google.com
  resulting in a Verify return code: 20 (unable to get local issuer
  certificate) while my non 14.04LTS-machines kept accepting it:

  echo | openssl s_client -connect www.google.com:443
  CONNECTED(00000003)
  depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  ---
  Certificate chain
-  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
-    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-  1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
-    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
+  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
+    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
+  1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
+    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  ---
  Server certificate
  subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
  issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 3727 bytes and written 421 bytes
  ---
  New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
  Server public key is 2048 bit
  Secure Renegotiation IS supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
-     Protocol : TLSv1.2
-     Cipher : ECDHE-RSA-AES128-GCM-SHA256
-     Session-ID: 6635C1B245005CBE38B6B857F422476F6CE8963462561E0A8AA926AEE25CA711
-     Session-ID-ctx:
-     Master-Key: 89C73689FE905D803AB2589FF70FA5B0466DB3EC372333B7A22EFF03A6D60314C84AA9B6DAAF7D1D64F4882E1B463838
-     Key-Arg : None
-     PSK identity: None
-     PSK identity hint: None
-     SRP username: None
-     TLS session ticket lifetime hint: 100800 (seconds)
-     TLS session ticket:
+     Protocol : TLSv1.2
+     Cipher : ECDHE-RSA-AES128-GCM-SHA256
+     Session-ID: 6635C1B245005CBE38B6B857F422476F6CE8963462561E0A8AA926AEE25CA711
+     Session-ID-ctx:
+     Master-Key: 89C73689FE905D803AB2589FF70FA5B0466DB3EC372333B7A22EFF03A6D60314C84AA9B6DAAF7D1D64F4882E1B463838
+     Key-Arg : None
+     PSK identity: None
+     PSK identity hint: None
+     SRP username: None
+     TLS session ticket lifetime hint: 100800 (seconds)
+     TLS session ticket:

-     Start Time: 1456391908
-     Timeout : 300 (sec)
-     Verify return code: 20 (unable to get local issuer certificate)
+     Start Time: 1456391908
+     Timeout : 300 (sec)
+     Verify return code: 20 (unable to get local issuer certificate)
  ---
  DONE

  thanks in advance - max

-- 
https://bugs.launchpad.net/bugs/1549709

Title:
  getting "unable to get local issuer certificate" for valid domains after upgrading to 20160104ubuntu0.14.04.1
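
In the s_client output quoted in the report, error 20 is raised at depth=2, so the certificate the local trust store could not supply is the issuer named on chain entry 2. The Python below is an added example, not part of the original report: `parse_s_client` and `missing_issuers` are hypothetical helper names, and the sample is trimmed from the report's own output.

```python
import re

# Sample trimmed from the s_client output in the report (blobs left out).
SAMPLE = """\
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
"""

DEPTH = re.compile(r"^depth=(\d+) ")
ERROR = re.compile(r"^verify error:num=(\d+):(.*)$")
SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER = re.compile(r"^\s+i:(.*)$")


def parse_s_client(text):
    """Return (chain, errors) parsed from `openssl s_client` text output."""
    chain, errors = {}, []
    last_depth = current = None
    for line in text.splitlines():
        if m := DEPTH.match(line):
            last_depth = int(m.group(1))      # depth the next error refers to
        elif m := ERROR.match(line):
            errors.append((last_depth, int(m.group(1)), m.group(2)))
        elif m := SUBJECT.match(line):
            current = int(m.group(1))
            chain[current] = {"subject": m.group(2), "issuer": None}
        elif (m := ISSUER.match(line)) and current is not None:
            chain[current]["issuer"] = m.group(1)
    return chain, errors


def missing_issuers(text):
    """List (depth, subject, issuer) for every error 20 in the output.

    Assumption: the verify depth matches the index in the chain the server
    sent, as it does in the report's output.
    """
    chain, errors = parse_s_client(text)
    return [(d, chain[d]["subject"], chain[d]["issuer"])
            for d, num, _ in errors if num == 20 and d in chain]
```

Comparing the issuer this returns against the CA bundle on a working and a failing host shows which root the two stores disagree on.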