Digicert certificate is not included

Bug #1795242 reported by Stan Janssen on 2018-09-30
This bug affects 2 people
Affects: ca-certificates (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

EDIT: This post originally mentioned the "DigiCert High Assurance EV Root CA", which was the wrong name. The "DigiCert SHA2 Secure Server" was intended. This post has been edited for clarity.

-------------

The "DigiCert SHA2 Secure Server" certificate is missing, which means that the system does not trust web sites that are using SSL certificates signed by that root. An example is a popular website in the Netherlands, https://marktplaats.nl. The result is that no resources other than the text-only homepage are loaded.

Installing the Digicert root certificate manually from Digicert solves the problem:

```
# Fetch the DER-encoded certificate published by DigiCert
wget https://dl.cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
mv DigiCertSHA2SecureServerCA.crt DigiCertSHA2SecureServerCA.der
# Convert DER to PEM, which is what ca-certificates expects
openssl x509 -inform DER -outform PEM -in DigiCertSHA2SecureServerCA.der -out DigicertSHA2SecureServerCA.pem.crt
# Drop it into a local (non-Mozilla) directory and rebuild /etc/ssl/certs
sudo mkdir -p /usr/share/ca-certificates/extra
sudo cp DigicertSHA2SecureServerCA.pem.crt /usr/share/ca-certificates/extra/
sudo dpkg-reconfigure ca-certificates
```

Maybe there is a valid reason for not including this certificate by default, or maybe this certificate can be included by default, since it seems like it's assumed to be included on every machine.

Changed in ca-certificates (Ubuntu):
status: New → Incomplete
Seth Arnold (seth-arnold) wrote :

This certificate does appear to be installed by default in the ca-certificates package:

$ dpkg -L ca-certificates | grep DigiCert
/usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt
/usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G2.crt
/usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G3.crt
/usr/share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt
/usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G2.crt
/usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G3.crt
/usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
/usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt

$ sha256sum /usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
d98f681c3a7dce812b90bf7c68046827f3bf5607357f1e4918c5dc813b359bf1 /usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
$ ls -l /usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
-rw-r--r-- 1 root root 1367 Apr 9 16:43 /usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
$ ls -l /etc/ssl/certs/DigiCert*EV*
lrwxrwxrwx 1 root root 73 Oct 17 2012 /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem -> /usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt

Does this file exist on your system? Does this symlink exist on your system?

Thanks

Thanks, Seth, for looking into this. You're right; that certificate is
indeed installed by default.

I seem to have misstated the name of the certificate in my original bug
report and post. It should have been the "DigiCert SHA2 Secure Server CA"
certificate, which is the one I describe in the steps to resolve the
problem. I apologize for having you look into the wrong certificate.

Should the "DigiCert SHA2 Secure Server CA" be included in ca-certificates?

A test site can be the static resources on https://www.marktplaats.nl,
which is the largest second-hand market in the Netherlands. They use it
for the static resources (not the main page, which is using a different
certificate). A direct test URL might be
https://s.marktplaats.com/z/dist/bower_components/gdpr-consent-banner/index.8e80894f.js,
which is not trusted on a clean install.

Stan Janssen (finetuned) wrote :

This is on ElementaryOS 0.4.1, which is based on Ubuntu 16.04:

    sudo dpkg -s ca-certificates | grep Version:
    Version: 20170717~16.04.1

And also on ElementaryOS 5 Beta 2, which is based on Ubuntu 18.04:

    sudo dpkg -s ca-certificates | grep Version:
    Version: 20180409

I was directed here from the ElementaryOS bug tracker.

Changed in ca-certificates (Ubuntu):
status: Incomplete → Confirmed
Seth Arnold (seth-arnold) wrote :

Aha! https://s.marktplaats.com/ indeed gives different results on Qualys:

"This server's certificate chain is incomplete. Grade capped to B."

https://www.ssllabs.com/ssltest/analyze.html?d=s.marktplaats.com

At the moment I think this is a misconfigured server at marktplaats.com.

Probably we're not going to perform an update to include this certificate unless Mozilla decides to include it in their certificate bundle.

Thanks

Stan Janssen (finetuned) on 2018-10-03
description: updated
Stan Janssen (finetuned) wrote :

I have reported this to Marktplaats.nl, suggesting they include the certificate in the chain that is being sent out by the server.

(I wonder why DigiCert has not been able to convince Mozilla to include this certificate, yet they still sign certificates that are intended for public verification using this. And, to make matters worse, why most other browsers do seem to include the certificate by default or at least trust the certificate chain enough to load the pages.)

Thanks for your help.

Seth Arnold (seth-arnold) wrote :

On Wed, Oct 03, 2018 at 05:55:59AM -0000, Stan Janssen wrote:
> (I wonder why DigiCert has not been able to convince Mozilla to include
> this certificate, yet they still sign certificates that are intended for

Most CAs have multiple levels of certificates. The ones that the browsers
include in trust bundles are normally stored off-line in locked vaults in
multiple shards and are only reconstructed once every few years for use,
to sign intermediary certificates.

The intermediary certificates are the ones that are used to sign end-user
certificates. These are not included in the browser bundles. Every site
that uses them is expected to include them in their certificate chains.

> public verification using this. And, to make matters worse, why most
> other browsers do seem to include the certificate by default or at least
> trust the certificate chain enough to load the pages.)

The trouble is, browser authors have seen incomplete chains before, and
have gone to some efforts to try to remediate the problem themselves. They
will *store* intermediate certificates as they discover them around the
wider web. If a misconfigured site forgets to include the full chain of
certificates, quite often site admins won't even notice because the
intermediate certs will be in their *local* user configuration.

This is what makes a service like Qualys's TLS checker so wonderful: it's
a well-written neutral third-party that knows how to diagnose a surprising
number of deployment and implementation mistakes.

Thanks
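
The root/intermediate distinction Seth describes above can be reproduced offline. The following script is an added example, not code from this bug report or from the ca-certificates package: it builds a throwaway three-tier PKI (a self-signed root, an intermediate signed by it, and a server leaf signed by the intermediate) with openssl in a temporary directory, then verifies the leaf three ways. With only the root in the trust store and no intermediate supplied (what a client sees when a server sends just its leaf), verification fails; when the intermediate is supplied as untrusted chain material (what a correctly configured server sends), it succeeds; and when the intermediate is appended to the trust store (what the workaround at the top of this report does), it also succeeds. All names (Example Root CA, static.example.test, the file names) are constructed for the example.

```shell
#!/bin/sh
# Constructed example: throwaway root -> intermediate -> leaf chain, then
# three verification scenarios. Requires the openssl command-line tool.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions for CA certificates (root and intermediate): must be CA:TRUE
# and allowed to sign certificates, or openssl will reject the path.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

# Extensions for the server (leaf) certificate.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:static.example.test
EOF

# 1. Root CA (self-signed). This is the kind of certificate a trust store
#    such as ca-certificates ships; in real life its key lives offline.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

# 2. Intermediate CA, signed by the root. This is the kind of certificate
#    that is NOT in browser bundles and that servers must send themselves.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1

# 3. Server (leaf) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=static.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1

# verify_leaf TRUSTSTORE [extra openssl verify args]
# Prints "ok" when the leaf validates as a TLS server cert, "fail" otherwise.
verify_leaf() {
  cafile=$1
  shift
  if openssl verify -CAfile "$cafile" -purpose sslserver "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Server sends only its leaf; client trusts only roots: no path to a root.
chain_without_intermediate() {
  verify_leaf "$WORK/root.pem"
}

# Server sends leaf + intermediate (the "untrusted" chain material a TLS
# client receives in the handshake); client still trusts only the root.
chain_with_intermediate() {
  verify_leaf "$WORK/root.pem" -untrusted "$WORK/int.pem"
}

# The workaround from this report: the intermediate is added to the local
# trust store, so the path can be built even though the server omits it.
chain_intermediate_in_trust_store() {
  cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/bundle.pem"
  verify_leaf "$WORK/bundle.pem"
}

echo "leaf only, roots-only trust store:        $(chain_without_intermediate)"
echo "leaf + intermediate sent by server:       $(chain_with_intermediate)"
echo "leaf only, intermediate in trust store:   $(chain_intermediate_in_trust_store)"
```

The first case is the situation described in this report: `openssl verify` reports "unable to get local issuer certificate" because nothing links the leaf to a trust anchor. The second is the server-side fix (ship the full chain), and the third is the client-side workaround from the description, which makes one machine work but does nothing for every other client that hits the same server.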

Schroeffu (david-schroff) wrote :

@seth-arnold more and more intermediate certificates are also included in Chrome/Firefox, because a lot of website admins forget to include them in the .pem file of their domain certificate. To prevent showing an ugly error message, browsers integrate all the intermediates too. That's what I saw last year.

Another example of a required intermediate missing in ca-certificates: Thawte EV RSA CA 2018

When using Ubuntu as a proxy server with SSL MITM, this is a huge problem. We need the official intermediate certificates in this package as well.
