It seems that the problem is (1). (but it isn't quite what I expected) The certificates in your file are completely different from what I would expect, in order to properly validate. The leaf certificate in your file (per "openssl x509 -inform pem -in <file> -text", after placing the individual certificate into <file>) is the following:
Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2
Validity
Not Before: Apr 8 08:26:03 2014 GMT
Not After : Oct 15 16:10:53 2014 GMT
Subject: OU=Domain Control Validated, CN=entropy.ubuntu.com
The remainder of the certificates in the file are the CA and intermediate certificates.
Maybe out of date MAAS images are at fault? (though if the packages get updated, you shouldn't see this problem, since you'll get a new "pinned" certificate chain.) You could try updating the MAAS images, or even try using the 'daily' URL (which is updated for security updates and/or every couple of weeks with the latest updated packages):
Perhaps the daily images contain the appropriate certificates. And I hope that's still the case in 20 hours. ;-) I just checked, and the following certificate is actually in *my* pinned trust store:
Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Validity
Not Before: Aug 7 00:00:00 2015 GMT
Not After : Aug 11 12:00:00 2016 GMT
Subject: C=GB, ST=Southwark, L=London, O=Canonical Group Ltd, CN=entropy.ubuntu.com
So my conclusion is that everything should work fine, provided that you have the most up-to-date MAAS images.
It seems that the problem is (1). (but it isn't quite what I expected) The certificates in your file are completely different from what I would expect, in order to properly validate. The leaf certificate in your file (per "openssl x509 -inform pem -in <file> -text", after placing the individual certificate into <file>) is the following:
Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http:// certs.starfield tech.com/ repository/, CN=Starfield Secure Certificate Authority - G2 ubuntu. com
Validity
Not Before: Apr 8 08:26:03 2014 GMT
Not After : Oct 15 16:10:53 2014 GMT
Subject: OU=Domain Control Validated, CN=entropy.
The remainder of the certificates in the file are the CA and intermediate certificates.
Maybe out of date MAAS images are at fault? (though if the packages get updated, you shouldn't see this problem, since you'll get a new "pinned" certificate chain.) You could try updating the MAAS images, or even try using the 'daily' URL (which is updated for security updates and/or every couple of weeks with the latest updated packages):
https:/ /maas.ubuntu. com/images/ ephemeral- v2/daily/
Perhaps the daily images contain the appropriate certificates. And I hope that's still the case in 20 hours. ;-) I just checked, and the following certificate is actually in *my* pinned trust store:
Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA ubuntu. com
Validity
Not Before: Aug 7 00:00:00 2015 GMT
Not After : Aug 11 12:00:00 2016 GMT
Subject: C=GB, ST=Southwark, L=London, O=Canonical Group Ltd, CN=entropy.
So my conclusion is that everything should work fine, provided that you have the most up-to-date MAAS images.