[SRU] ship new public cert
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pollinate (Ubuntu) |
Fix Released
|
Critical
|
Dustin Kirkland | ||
Trusty |
Fix Released
|
Critical
|
Dustin Kirkland | ||
Utopic |
Fix Released
|
Critical
|
Dustin Kirkland |
Bug Description
Pollinate ships entropy.
This certificate has been updated and pollinate needs to be updated.
[Impact]
Any new 14.04 (Trusty) cloud instance with a down-level version of pollinate will fail to seed their PRNG from entropy.ubuntu.com.
[Test Case]
Run:
$ sudo pollinate -r
to reseed your PRNG. If you have the old version of pollinate, you'll get certificate errors (See Comment #1), and it will exit non-zero. If you have the new version (already uploaded to ppa:pollinate/ppa, utopic, trusty-proposed), it will work again and exit zero (see Comment #2).
[Regression Potential]
Negligible. A single file is updated with a new public SSL certificate for https:/
Related branches
- pollinate: Pending requested
-
Diff: 31 lines (+24/-0)1 file modifiedentropy.ubuntu.com.pem (+24/-0)
Changed in pollinate (Ubuntu Trusty): | |
status: | New → In Progress |
Changed in pollinate (Ubuntu Utopic): | |
status: | New → In Progress |
Changed in pollinate (Ubuntu Trusty): | |
importance: | Undecided → Critical |
Changed in pollinate (Ubuntu Utopic): | |
importance: | Undecided → Critical |
Changed in pollinate (Ubuntu Trusty): | |
assignee: | nobody → Dustin Kirkland (kirkland) |
Changed in pollinate (Ubuntu Utopic): | |
assignee: | nobody → Dustin Kirkland (kirkland) |
Changed in pollinate (Ubuntu Trusty): | |
milestone: | none → trusty-updates |
Changed in pollinate (Ubuntu Utopic): | |
milestone: | none → ubuntu-14.10 |
kirkland@living:~$ sudo pollinate -r /entropy. ubuntu. com/] 38:54.681268 * Hostname was NOT found in DNS cache
Dload Upload Total Spent Left Speed entropy. ubuntu. com.pem curl.haxx. se/docs/ sslcerts. html
[sudo] password for kirkland:
Oct 15 02:38:54 living pollinate[16662]: client sent challenge to [https:/
Oct 15 02:38:54 living pollinate[16686]: ERROR: Network communication failed [60]\n02:
% Total % Received % Xferd Average Speed Time Time Time Current
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 002:38:54.934551 * Trying 91.189.94.50...
02:38:55.123359 * Connected to entropy.ubuntu.com (91.189.94.50) port 443 (#0)
02:38:55.125788 * successfully set certificate verify locations:
02:38:55.125863 * CAfile: /etc/pollinate/
CApath: /dev/null
02:38:55.126186 * SSLv3, TLS handshake, Client hello (1):
02:38:55.126308 } [data not shown]
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 002:38:55.321488 * SSLv3, TLS handshake, Server hello (2):
02:38:55.321577 { [data not shown]
02:38:55.321707 * SSLv3, TLS handshake, CERT (11):
02:38:55.321752 { [data not shown]
02:38:55.322811 * SSLv3, TLS alert, Server hello (2):
02:38:55.322895 } [data not shown]
02:38:55.323092 * SSL certificate problem: unable to get local issuer certificate
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
02:38:55.323292 * Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.