Comment 7 for bug 1014640

Chris Bainbridge (chris-bainbridge) wrote :

TLDR summary: run "c_rehash" as root to fix this issue.

I just ran into this issue (symptoms: "wget https://ev-root.digicert.com/", "openssl c_client ev-root.digicert.com" would fail).

The problem is that the symbolic links that are supposed to exist in /etc/ssl/certs aren't there. Running the "c_rehash" command recreates the links. Reinstalling ca-certificates does not fix this issue, because /usr/sbin/update-ca-certificates only runs c_rehash when /etc/ssl/certs/ca-certificates.crt is out of date (i.e. when you added or removed some certificates).

I don't know why an Ubuntu 12.04 LTS system would be in this state; perhaps it only happens on systems that were upgraded from earlier Ubuntu installs, and for some reason c_rehash never got run.

$ wget https://ev-root.digicert.com/
--2013-06-07 19:55:03-- https://ev-root.digicert.com/
Resolving ev-root.digicert.com (ev-root.digicert.com)... 64.58.225.123
Connecting to ev-root.digicert.com (ev-root.digicert.com)|64.58.225.123|:443... connected.
ERROR: cannot verify ev-root.digicert.com's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1':
  Unable to locally verify the issuer's authority.
To connect to ev-root.digicert.com insecurely, use `--no-check-certificate'.

$ strace wget https://ev-root.digicert.com/

write(2, "Connecting to ev-root.digicert.c"..., 80Connecting to ev-root.digicert.com (ev-root.digicert.com)|64.58.225.123|:443... ) = 80
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("64.58.225.123")}, 16) = 0
.....
stat("/usr/lib/ssl/certs/244b5494.0", 0x7fff22ff0b60) = -1 ENOENT (No such file or directory)

$ c_rehash
....

$ ls -l /usr/lib/ssl/certs/244b5494.0
lrwxrwxrwx 1 root root 38 Jun 7 20:20 /usr/lib/ssl/certs/244b5494.0 -> DigiCert_High_Assurance_EV_Root_CA.pem

$ wget https://ev-root.digicert.com/
--2013-06-07 20:20:10-- https://ev-root.digicert.com/
Resolving ev-root.digicert.com (ev-root.digicert.com)... 64.58.225.123
Connecting to ev-root.digicert.com (ev-root.digicert.com)|64.58.225.123|:443... connected.
HTTP request sent, awaiting response... 200 OK
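
A read-only check for the state described in this comment, added here as an example and not part of the original comment or of the ca-certificates package: it lists certificates in a CA directory that no hash-named symlink points at, plus hash links whose target is gone. The function names are hypothetical, and it assumes c_rehash-style relative links (as in the ls output above) and a readlink utility; it does not verify that a link's name matches the certificate's actual subject hash.

```shell
#!/bin/sh
# Added example (not from the bug report): find certificates in an OpenSSL
# CA directory that lack the "<8 hex digits>.<n>" symlink c_rehash creates.
LC_ALL=C; export LC_ALL      # keep [0-9a-f] ranges byte-exact

# Glob for hash-named links such as 244b5494.0 (left unquoted when used).
HASH_GLOB='[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*'

# Print each *.pem in DIR that no hash-named symlink points at.
# Assumption: links hold the bare file name, as c_rehash writes them.
unlinked_certs() {
    dir=$1
    for cert in "$dir"/*.pem; do
        [ -e "$cert" ] || continue        # unmatched glob or broken entry
        name=${cert##*/}
        found=no
        for link in "$dir"/$HASH_GLOB; do
            [ -L "$link" ] || continue
            if [ "$(readlink "$link")" = "$name" ]; then
                found=yes
                break
            fi
        done
        [ "$found" = yes ] || printf '%s\n' "$name"
    done
    return 0
}

# Print hash-named symlinks in DIR whose target no longer exists.
dangling_links() {
    dir=$1
    for link in "$dir"/$HASH_GLOB; do
        [ -L "$link" ] && [ ! -e "$link" ] && printf '%s\n' "${link##*/}"
    done
    return 0
}

# When run with a directory argument, report both lists.
if [ -n "${1:-}" ]; then
    echo "certificates without a hash link:"; unlinked_certs "$1"
    echo "dangling hash links:";              dangling_links "$1"
fi
```

Run it as a normal user with /etc/ssl/certs as the argument; any names under the first heading are certificates that lookups like the stat() in the strace output above will miss until c_rehash is run.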