Missing intermediate certificate from Digicert - "DigiCert Sha2 Secure Server CA"
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| ca-certificates (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
I think that package is missing the one intermediate certificate from DigiCert that is being used for websites.
DigiCert Sha2 Secure Server CA
Located at https:/
For example harpers.org uses that CA.
If you execute this from cli:
curl -v https:/
This is the output
* Hostname was NOT found in DNS cache
* Trying 54.243.234.21...
* Connected to harpers.org (54.243.234.21) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
Workaround is this:
wget -P /tmp/ -nv https:/
openssl x509 -in /tmp/DigiCertSH
-out /tmp/DigiCertSH
sudo cp -uv /tmp/DigiCertSH
sudo c_rehash
It affects all versions of Ubuntu starting from 14.04
| tags: | added: trusty xenial |
| Seth Arnold (seth-arnold) wrote | #1 |
| Changed in ca-certificates (Ubuntu): | |
| status: | New → Invalid |
Hello Darko,
This is a server misconfiguration. Servers need to supply the full certificate chain to a trusted root certificate, not just their end certificate. Qualys's excellent ssltest tool caps the grade for this server at B as a result of this misconfiguration:
https:/
"This server's certificate chain is incomplete. Grade capped to B. "
Thanks