Please update ca-certificates on Trusty

Bug #1528645 reported by Rohan Garg on 2015-12-22
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
ca-certificates (Ubuntu)
Wishlist
Unassigned
Precise
Low
Marc Deslauriers
Trusty
Low
Marc Deslauriers
Wily
Low
Marc Deslauriers
Xenial
Wishlist
Unassigned

Bug Description

Hi
The ca-certificates package on Trusty is quite out of date, would it be possible for someone to update the package to the version from Xenial?

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: ca-certificates 20150426ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-18.22-generic 4.2.3
Uname: Linux 4.2.0-18-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.19.1-0ubuntu5
Architecture: amd64
CurrentDesktop: KDE
Date: Tue Dec 22 18:57:08 2015
InstallationDate: Installed on 2015-10-05 (78 days ago)
InstallationMedia: Kubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20150825.1)
PackageArchitecture: all
SourcePackage: ca-certificates
UpgradeStatus: No upgrade log present (probably fresh install)

Rohan Garg (rohangarg) wrote :
Changed in ca-certificates (Ubuntu):
milestone: none → trusty-updates
tags: added: trusty upgrade-software-version
removed: wily
Changed in ca-certificates (Ubuntu):
importance: Undecided → Wishlist
Changed in ca-certificates (Ubuntu Xenial):
status: New → Fix Released
Changed in ca-certificates (Ubuntu Precise):
status: New → Confirmed
Changed in ca-certificates (Ubuntu Trusty):
status: New → Confirmed
Changed in ca-certificates (Ubuntu Wily):
status: New → Confirmed
Changed in ca-certificates (Ubuntu Precise):
importance: Undecided → Low
Changed in ca-certificates (Ubuntu Trusty):
importance: Undecided → Low
Changed in ca-certificates (Ubuntu Wily):
importance: Undecided → Low
Changed in ca-certificates (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Wily):
assignee: nobody → Marc Deslauriers (mdeslaur)
Marc Deslauriers (mdeslaur) wrote :

ca-certificates is now updated in all stable releases:

http://www.ubuntu.com/usn/usn-2913-1/

Changed in ca-certificates (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in ca-certificates (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in ca-certificates (Ubuntu Wily):
status: Confirmed → Fix Released
Changed in ca-certificates (Ubuntu Trusty):
milestone: none → trusty-updates
Changed in ca-certificates (Ubuntu Xenial):
milestone: trusty-updates → none
Greg (longbeakedechidna1) wrote :

This update seems to have broken our web app that uses some popular libraries that depend on curl() and use their cacert.pem files (provided with the given library) to verify the connection.

Please note that it can be that effectively running an "apt-get update; apt-get upgrade" (or having autoupdates enabled) breaks web apps that use these popular libraries (and maybe other libraries with similar age / setup).

Exact reason unknown. Surprising problem, seeing that the libraries try to use their own cacerts. Restoring the last known good ca-certificates package and holding it fixes the problem (I guess disabling the check in PHP would also do) but I reckon these are just temporary solutions.

$ uname -a
Linux [REDACTED] 3.2.0-88-generic #126-Ubuntu SMP Mon Jul 6 21:33:03 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

$ php -v
PHP 5.3.10-1ubuntu3.21 with Suhosin-Patch (cli) (built: Oct 28 2015 01:43:56)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies

$ curl -V
curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

(excerpt from /var/log/apt/history.log)
Start-Date: 2016-02-26 06:36:41
Upgrade: libgnutls26:amd64 (2.12.14-5ubuntu3.11, 2.12.14-5ubuntu3.12), libssl-dev:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), libssl-doc:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), openssl:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), ca-certificates:amd64 (20141019ubuntu0.12.04.1, 20160104ubuntu0.12.04.1), libssl1.0.0:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34)
End-Date: 2016-02-26 06:36:52

Error message: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Libraries known to be affected:
- Mailchimp API library for PHP. Exact version unknown; Mailchimp.php probably as of March 2014, filesize 13593 bytes.
- Rackspace Cloud Files API library for PHP. Exact version unknown; cloudfiles.php probably as of May 2010, filesize 77154 bytes.

FTR, our hotfix was:
- Going on a machine that has the same OS version and does not have the patch installed yet
- sudo apt-get install dpkg-repack; sudo dpkg-repack ca-certificates
- Copying the generated .deb file to the affected server and installing it
- apt-mark hold ca-certificates

It'd be great if someone could identify the root cause of this and either provide a fix or communicate the effects of applying this patch to the community.

Marc Deslauriers (mdeslaur) wrote :

Did you restart your server after the update in order to use the new version of libssl?

Greg (longbeakedechidna1) wrote :

Ummm... no :) We'll test this, thanks!

Is a full OS reboot necessary or restarting the web server is enough?

Marc Deslauriers (mdeslaur) wrote :

You need to restart everything that uses libssl, perhaps only the web server, you'll see when you try it.

Greg (longbeakedechidna1) wrote :

Thanks for your quick response. We'll try it and report back.

Greg (longbeakedechidna1) wrote :

We've tested it and you were right, an Apache restart was needed after the patch is installed, and it fixed the problem.

Our service provider pointed out a couple of other services depending on libssl, restarting more services, and said a reboot is probably necessary to make sure syslog-ng is working well.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers