Comment 3 for bug 1528645

Greg (longbeakedechidna1) wrote :

This update seems to have broken our web app that uses some popular libraries that depend on curl() and use their cacert.pem files (provided with the given library) to verify the connection.

Please note that it can be that effectively running an "apt-get update; apt-get upgrade" (or having autoupdates enabled) breaks web apps that use these popular libraries (and maybe other libraries with similar age / setup).

Exact reason unknown. Surprising problem, seeing that the libraries try to use their own cacerts. Restoring the last known good ca-certificates package and holding it fixes the problem (I guess disabling the check in PHP would also do) but I reckon these are just temporary solutions.

$ uname -a
Linux [REDACTED] 3.2.0-88-generic #126-Ubuntu SMP Mon Jul 6 21:33:03 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

$ php -v
PHP 5.3.10-1ubuntu3.21 with Suhosin-Patch (cli) (built: Oct 28 2015 01:43:56)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies

$ curl -V
curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

(excerpt from /var/log/apt/history.log)
Start-Date: 2016-02-26 06:36:41
Upgrade: libgnutls26:amd64 (2.12.14-5ubuntu3.11, 2.12.14-5ubuntu3.12), libssl-dev:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), libssl-doc:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), openssl:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), ca-certificates:amd64 (20141019ubuntu0.12.04.1, 20160104ubuntu0.12.04.1), libssl1.0.0:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34)
End-Date: 2016-02-26 06:36:52

Error message: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Libraries known to be affected:
- Mailchimp API library for PHP. Exact version unknown; Mailchimp.php probably as of March 2014, filesize 13593 bytes.
- Rackspace Cloud Files API library for PHP. Exact version unknown; cloudfiles.php probably as of May 2010, filesize 77154 bytes.

FTR, our hotfix was:
- Going on a machine that has the same OS version and does not have the patch installed yet
- sudo apt-get install dpkg-repack; sudo dpkg-repack ca-certificates
- Copying the generated .deb file to the affected server and installing it
- apt-mark hold ca-certificates

It'd be great if someone could identify the root cause of this and either provide a fix or communicate the effects of applying this patch to the community.
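The report above leaves the root cause open, and the first thing a practitioner would check before pinning ca-certificates is what actually changed between the old and new bundle, and whether the roots in the library's own cacert.pem are still in the system store. The script below is an added example written for this page, not code from the bug report, the ca-certificates package or either PHP library; it uses only the Python standard library, identifies each certificate by the SHA-256 fingerprint of its DER encoding, and runs on constructed stand-in PEM blocks (arbitrary bytes, not real certificates) so it works offline. Pass it three real files (the previous /etc/ssl/certs/ca-certificates.crt copied from the still-unpatched machine mentioned above, the current one, and the library's cacert.pem) to get the same report for a real system.

```python
"""Compare CA bundles by certificate fingerprint.

Added example for this page (not from the bug report or either library).
Each CERTIFICATE block is base64-decoded to DER and identified by its
SHA-256 digest, which for a real certificate is the same value that
`openssl x509 -fingerprint -sha256` prints.
"""
import base64
import hashlib
import re
import sys
from typing import Dict, List

# Only plain CERTIFICATE blocks; other PEM types (e.g. TRUSTED CERTIFICATE)
# and any text between blocks are ignored.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def parse_pem_bundle(text: str) -> Dict[str, bytes]:
    """Map fingerprint -> DER bytes for every CERTIFICATE block in a bundle.

    Malformed base64 raises binascii.Error rather than being skipped, so a
    truncated or corrupted bundle is reported instead of silently shrinking.
    """
    certs: Dict[str, bytes] = {}
    for m in PEM_CERT.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        certs[fingerprint(der)] = der
    return certs


def diff_bundles(old: Dict[str, bytes], new: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Fingerprints removed from, added to, and kept between two bundles."""
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "kept": sorted(set(old) & set(new)),
    }


def missing_from(required: Dict[str, bytes], store: Dict[str, bytes]) -> List[str]:
    """Fingerprints present in `required` (e.g. a library's cacert.pem) but absent from `store`."""
    return sorted(set(required) - set(store))


def report(old_text: str, new_text: str, lib_text: str) -> Dict[str, List[str]]:
    """Full comparison: old vs. new system bundle, plus library roots missing from the new one."""
    old, new, lib = (parse_pem_bundle(t) for t in (old_text, new_text, lib_text))
    out = diff_bundles(old, new)
    out["lib_not_in_new"] = missing_from(lib, new)
    return out


# --- constructed sample data: arbitrary bytes wrapped as PEM, NOT real certs ---
def make_pem(der: bytes) -> str:
    """Wrap bytes as a PEM CERTIFICATE block, 64 characters per line like OpenSSL."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


ROOT_A = b"constructed-der-A"
ROOT_B = b"constructed-der-B"
ROOT_C = b"constructed-der-C"
ROOT_D = b"constructed-der-D"
OLD_BUNDLE = "# constructed old ca-certificates.crt\n" + make_pem(ROOT_A) + make_pem(ROOT_B) + make_pem(ROOT_C)
NEW_BUNDLE = make_pem(ROOT_A) + make_pem(ROOT_C) + make_pem(ROOT_D)
LIB_BUNDLE = make_pem(ROOT_A) + make_pem(ROOT_B)  # stands in for a library's cacert.pem


if __name__ == "__main__":
    if len(sys.argv) == 4:  # old.crt new.crt library-cacert.pem
        texts = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]]
    else:
        texts = [OLD_BUNDLE, NEW_BUNDLE, LIB_BUNDLE]
    for key, fps in report(*texts).items():
        print(f"{key} ({len(fps)}):")
        for fp in fps:
            print("  " + fp)
```

On the constructed data the report lists one root removed (B), one added (D), and B as the library root no longer present in the new store. On real bundles, a non-empty `lib_not_in_new` only matters if the library's CURLOPT_CAINFO setting is not actually taking effect, which is exactly the kind of question the comment above leaves open; a non-empty `removed` list is where to look first if the server's chain ends in one of those roots.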