openssl 1.1.1q-0ubuntu1 - c_rehash script broken ("update-ca-certificates -f -v" fails)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
SavOS | Fix Released | Medium | Rob Savoury | | |
Bug Description
I just installed openssl 1.1.1q as part of the apt-get update and apt-get upgrade process in Ubuntu 16.04 Xenial (it's a server using ffmpeg4), and now when I try to connect to any https website, I get the following error:
Verification error: unable to get local issuer certificate
update-
Doing .
x509: Unknown parameter cert
x509: Use -help for summary.
x509: Unknown parameter cert
x509: Use -help for summary.
x509: Unknown parameter cert
x509: Use -help for summary.
x509: Unknown parameter cert
x509: Use -help for summary.
x509: Unknown parameter cert
x509: Use -help for summary.
x509: Unknown parameter cert
x509: Use -help for summary.
x509: Unknown parameter cert
Any idea what's going on?
openssl s_client -CApath /etc/ssl/certs/ -showcerts -connect github.com:443 </dev/null
CONNECTED(00000003)
---
Certificate chain
0 s:C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
i:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
subject=C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2805 bytes and written 366 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
apt-cache policy openssl
openssl:
Installed: 1.1.1q-
Candidate: 1.1.1q-
Version table:
*** 1.1.1q-
500 http://
500 http://
500 http://
100 /var/lib/
1.
500 https:/
1.
500 http://
500 http://
1.
500 http://
Running the below command as root fixed my issues:
openssl rehash /etc/ssl/certs/
It appears that c_rehash isn't working, which is what update-ca-certificates -f calls. Did c_rehash get updated with this latest release of openssl?
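
Added example, not part of the original bug report: OpenSSL's -CApath lookup finds an issuer through links named <subject-hash>.<n> in the directory, which c_rehash or "openssl rehash" create, so a failed rehash leaves certificates present but unreachable and verification ends with "unable to get local issuer certificate". The script below audits a directory for that state; the function names, sample file names and hash names are constructed for illustration, and it assumes a readlink that supports -f.

```shell
#!/bin/sh
# Added example: audit a CApath directory for the <8 hex digits>.<n> links
# that c_rehash / "openssl rehash" create. It checks that links exist and
# resolve; it does not recompute subject hashes. Assumes readlink -f.

HASH_GLOB='[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*'

# Print hash-named links in directory $1 whose target no longer exists.
dangling_links() {
    for link in "$1"/$HASH_GLOB; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then printf '%s\n' "$link"; fi
    done
}

# Print single-certificate files in directory $1 that no hash link resolves to.
unhashed_certs() {
    targets=$(for link in "$1"/$HASH_GLOB; do
        if [ -e "$link" ]; then readlink -f "$link"; fi
    done)
    for cert in "$1"/*.pem "$1"/*.crt "$1"/*.cer; do
        [ -f "$cert" ] || continue
        # Like "openssl rehash", skip bundles such as ca-certificates.crt.
        n=$(grep -c -E 'BEGIN (TRUSTED |X509 )?CERTIFICATE' "$cert" || true)
        [ "$n" -eq 1 ] || continue
        real=$(readlink -f "$cert")
        if ! printf '%s\n' "$targets" | grep -qxF -- "$real"; then
            printf '%s\n' "$cert"
        fi
    done
}

# Constructed sample directory: placeholder PEM headers and made-up hash names.
demo=$(mktemp -d)
pem='-----BEGIN CERTIFICATE-----'
printf '%s\n' "$pem" > "$demo/root_a.pem"            # has a hash link
printf '%s\n' "$pem" > "$demo/root_b.pem"            # link missing (failed rehash)
printf '%s\n%s\n' "$pem" "$pem" > "$demo/ca-certificates.crt"   # bundle, skipped
ln -s root_a.pem "$demo/1a2b3c4d.0"
ln -s removed.pem "$demo/deadbeef.0"                 # target was deleted

echo "certificates without a hash link:"; unhashed_certs "$demo"
echo "dangling hash links:";              dangling_links "$demo"
```

To check a live system, call unhashed_certs and dangling_links on /etc/ssl/certs instead of the sample directory; any certificate listed there is one that a -CApath lookup cannot find until the directory is rehashed.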