** Description changed:

  Several 14.04 servers were reporting problems connecting to different
  sites and APIs this morning.
  
  I'm not entirely sure, but looking at /var/log/apt/history (showing ca-
  certificates:amd64 (20141019ubuntu0.14.04.1, 20160104ubuntu0.14.04.1))
  in combination with what I believe is causing the connection problems
  made me file this bug.
+ 
+ If I'm right this is probably pretty bad, since all connections initiated
+ by this server checking a SSL certificate will fail and actually that's
+ exactly what happened here.
  
  Here is an example where I check a valid ssl domain like www.google.com
  resulting in an Verify return code: 20 (unable to get local issuer
  certificate) while my non 14.04LTS-machines kept accepting it:
  
  echo | openssl s_client -connect www.google.com:443
  CONNECTED(00000003)
  depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  ---
  Certificate chain
-  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
-    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-  1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
-    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
+  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
+    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
+  1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
+    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  ---
  Server certificate
  -----BEGIN CERTIFICATE-----
  MIIEgDCCA2igAwIBAgIIXDR9H6fDVBgwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
  BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
  cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwMjE3MTAyMDE3WhcNMTYwNTE3MDAwMDAw
  WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
  TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
  Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8+Ugs
  pBXm3zFVRCA6k8DEXqpCf4Zw79y1dbgPuGHdw1NXawEvy8M4K3slQAwRBbGJO34Y
  mVQEeJRK98kJ+dBAajlKGbOkqfk7ZdPpl50zSb+OmM5As4+w1K6gWo9CPt525PyS
  /g/vdSj81XgCFQPNSLeTP2Uj6ZlXZpSyc1Ti+P6QZ/omOHtC/Lo1b9baQyQf7E7h
  MOyTh8TAqJjTeVwg50SKhjzTRiY8t94JBXMknDL0eczEMtZRt5+Fwxe0li3xg5Aw
  0bESlWU7qGluvjz+GFbSTdHfAIzYXxp86+zVvdyDTWGC5344GGtYCr5PRDNalV5o
  wBxUVe6l1VYXBKDVAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
  KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
  XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
  MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
  A1UdDgQWBBTiRG9FdyKQOTNltPaXqgJRKlSlPjAMBgNVHRMBAf8EAjAAMB8GA1Ud
  IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
  eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
  bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAIUTrfaaB+cJSk20L
  RHqDwaLWe8cyLR8Ks4Vee/ZxLQDcPuxItvlho0N+/j5ZUnU1XseyiE9yD6ezmY7e
  ChyXUlzKzMdLyvjy7/EzTViW28Czbnp/JepBUipMDhJz7EMLdvqkw2cs0BwevRkU
  6jzbQoYzOCalmWs1Mt4S8AyklbMHUjo/vOcs4+RePG9evxV0yWxCDNgLZbMckxcg
  vL4S5P8C4cY96+qhRwR/ErYHFRkuniQleLz1tEMkei5sK3tY5Sae0uTGH2Z30fs0
  RViv9SFdfjMQDMFmEabPoNermhUx9hjENfMvWqJ1r+dbDTl3ANt/feNa+d6Z3Zpz
  MUtO9Q==
  -----END CERTIFICATE-----
  subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
  issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 3727 bytes and written 421 bytes
  ---
  New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
  Server public key is 2048 bit
  Secure Renegotiation IS supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
-     Protocol  : TLSv1.2
-     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
-     Session-ID: 
6635C1B245005CBE38B6B857F422476F6CE8963462561E0A8AA926AEE25CA711
-     Session-ID-ctx: 
-     Master-Key: 
89C73689FE905D803AB2589FF70FA5B0466DB3EC372333B7A22EFF03A6D60314C84AA9B6DAAF7D1D64F4882E1B463838
-     Key-Arg   : None
-     PSK identity: None
-     PSK identity hint: None
-     SRP username: None
-     TLS session ticket lifetime hint: 100800 (seconds)
-     TLS session ticket:
-     0000 - 82 ef b9 02 2c a1 b6 6f-a0 6c cd 1f 87 ff 3a 83   ....,..o.l....:.
-     0010 - 6c 27 c3 3c 9b 00 91 90-72 a4 8c 34 ca 6a 45 fd   l'.<....r..4.jE.
-     0020 - 51 5d 8d 50 56 77 d2 48-d7 9a dc ce be 67 8e ca   Q].PVw.H.....g..
-     0030 - 9d 59 94 8c a4 2f 23 75-09 db b7 c2 f8 9f 71 38   .Y.../#u......q8
-     0040 - 05 b2 8b 8f 4e f5 6b d9-e8 dd ae 6e f8 17 92 c4   ....N.k....n....
-     0050 - 04 14 52 91 58 b9 92 a6-8f f2 5d 60 70 f5 3b ab   ..R.X.....]`p.;.
-     0060 - a9 3b 8c 69 d5 67 44 2b-0b da 1c 90 58 0e 9b a8   .;.i.gD+....X...
-     0070 - 90 fe 41 1a 82 77 ab 44-23 2a 1a 13 fa 5d 00 54   ..A..w.D#*...].T
-     0080 - cd c4 ac 7b 4a 21 8a 59-e7 7a dc e0 d3 13 9b 16   ...{J!.Y.z......
-     0090 - 2f 61 24 5f 3d 9e d7 d0-81 e5 1e fb 93 78 09 60   /a$_=........x.`
-     00a0 - a3 79 10 35                                       .y.5
+     Protocol  : TLSv1.2
+     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
+     Session-ID: 
6635C1B245005CBE38B6B857F422476F6CE8963462561E0A8AA926AEE25CA711
+     Session-ID-ctx:
+     Master-Key: 
89C73689FE905D803AB2589FF70FA5B0466DB3EC372333B7A22EFF03A6D60314C84AA9B6DAAF7D1D64F4882E1B463838
+     Key-Arg   : None
+     PSK identity: None
+     PSK identity hint: None
+     SRP username: None
+     TLS session ticket lifetime hint: 100800 (seconds)
+     TLS session ticket:
+     0000 - 82 ef b9 02 2c a1 b6 6f-a0 6c cd 1f 87 ff 3a 83   ....,..o.l....:.
+     0010 - 6c 27 c3 3c 9b 00 91 90-72 a4 8c 34 ca 6a 45 fd   l'.<....r..4.jE.
+     0020 - 51 5d 8d 50 56 77 d2 48-d7 9a dc ce be 67 8e ca   Q].PVw.H.....g..
+     0030 - 9d 59 94 8c a4 2f 23 75-09 db b7 c2 f8 9f 71 38   .Y.../#u......q8
+     0040 - 05 b2 8b 8f 4e f5 6b d9-e8 dd ae 6e f8 17 92 c4   ....N.k....n....
+     0050 - 04 14 52 91 58 b9 92 a6-8f f2 5d 60 70 f5 3b ab   ..R.X.....]`p.;.
+     0060 - a9 3b 8c 69 d5 67 44 2b-0b da 1c 90 58 0e 9b a8   .;.i.gD+....X...
+     0070 - 90 fe 41 1a 82 77 ab 44-23 2a 1a 13 fa 5d 00 54   ..A..w.D#*...].T
+     0080 - cd c4 ac 7b 4a 21 8a 59-e7 7a dc e0 d3 13 9b 16   ...{J!.Y.z......
+     0090 - 2f 61 24 5f 3d 9e d7 d0-81 e5 1e fb 93 78 09 60   /a$_=........x.`
+     00a0 - a3 79 10 35                                       .y.5
  
-     Start Time: 1456391908
-     Timeout   : 300 (sec)
-     Verify return code: 20 (unable to get local issuer certificate)
+     Start Time: 1456391908
+     Timeout   : 300 (sec)
+     Verify return code: 20 (unable to get local issuer certificate)
  ---
  DONE
  
  thanks in advance - max
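
Review bot: the pasted s_client output in the SSL-Session block includes the full Master-Key value and the TLS session ticket dump, which are secrets of that TLS session and add nothing to the diagnosis; trim the paste to the lines that carry the failure, namely the depth=2 verify error, the Certificate chain entries and the Verify return code line. The chain lists the depth-2 certificate (GeoTrust Global CA) as issued by Equifax Secure Certificate Authority, and the error is raised at depth=2, so the description would be more actionable if it also stated whether that issuer is still present in the local trust store after the ca-certificates upgrade.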

https://bugs.launchpad.net/bugs/1549709

Title:
  getting "unable to get local issuer certificate" for valid domains
  after upgrading to 20160104ubuntu0.14.04.1
