Missing intermediate certificate from DigiCert - "DigiCert Sha2 Secure Server CA"
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ca-certificates (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
I think the package is missing one intermediate certificate from DigiCert that is being used for websites.
DigiCert Sha2 Secure Server CA
Located at https:/
For example harpers.org uses that CA.
If you execute this from the CLI:
curl -v https:/
This is the output:
* Hostname was NOT found in DNS cache
* Trying 54.243.234.21...
* Connected to harpers.org (54.243.234.21) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
The workaround is this:
wget -P /tmp/ -nv https:/
openssl x509 -in /tmp/DigiCertSH
-out /tmp/DigiCertSH
sudo cp -uv /tmp/DigiCertSH
sudo c_rehash
It affects all versions of Ubuntu starting from 14.04
tags: added: trusty xenial
Hello Darko,
This is a server misconfiguration. Servers need to supply the full certificate chain to a trusted root certificate, not just their end certificate. Qualys's excellent ssltest tool caps the grade for this server at B as a result of this misconfiguration:
https://www.ssllabs.com/ssltest/analyze.html?d=harpers.org
"This server's certificate chain is incomplete. Grade capped to B."
Thanks
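
The behaviour described in the reply can be reproduced offline with a throwaway three-tier PKI. This is an added example, not part of the bug report or the reply; it assumes the `openssl` CLI is installed, and the CA names, `www.example.test` and the helper function names are all constructed for illustration.

```shell
#!/bin/sh
# Constructed sample PKI: root -> intermediate -> leaf, built in a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# new_csr NAME CN: generate a key and a certificate signing request.
new_csr() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

build_chain() {
    # Self-signed root: the only certificate the client trusts.
    openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
        -subj "/CN=Constructed Root CA" -days 2 2>/dev/null &&
    new_csr int "Constructed Intermediate CA" &&
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.cnf" \
        -extensions v3_ca -days 2 -out "$WORK/int.pem" 2>/dev/null &&
    new_csr leaf "www.example.test" &&
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
        -CAkey "$WORK/int.key" -CAcreateserial -days 2 \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Misconfigured server: the client receives only the end certificate.
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1
}

# Correct server: the intermediate arrives with the handshake (-untrusted),
# so nothing has to be added to the client's trust store.
verify_full_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        "$WORK/leaf.pem" 2>&1
}

build_chain || { echo "openssl could not build the sample chain" >&2; exit 1; }
echo "--- leaf only:";  verify_leaf_only || true
echo "--- full chain:"; verify_full_chain || true
```

The leaf-only check fails with the same "unable to get local issuer certificate" error curl printed, while the trust store is identical in both checks.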