ca-certificates missing some root CA
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ca-certificates (Ubuntu) | New | Undecided | Unassigned |
Bug Description
I started seeing certificate errors in curl recently on Ubuntu 16.04. Here's an example:
$ curl -svo /dev/null --resolve ngrok.com:
* Added ngrok.com:
* Hostname ngrok.com was found in DNS cache
* Trying 34.211.12.31...
* Connected to ngrok.com (34.211.12.31) port 443 (#0)
* found 148 certificates in /etc/ssl/
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_
* server certificate verification failed. CAfile: /etc/ssl/
* Closing connection 0
I have the latest version of ca-certificates installed. On Ubuntu 20.04 everything works fine:
$ curl -svo /dev/null --resolve ngrok.com:
* Added ngrok.com:
* Hostname ngrok.com was found in DNS cache
* Trying 34.211.12.31:443...
* TCP_NODELAY set
* Connected to ngrok.com (34.211.12.31) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/
CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4439 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.ngrok.com
* start date: Mar 10 00:00:00 2020 GMT
* expire date: Mar 10 23:59:59 2021 GMT
* subjectAltName: host "ngrok.com" matched cert's "ngrok.com"
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
* SSL certificate verify ok.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: ca-certificates 20170717~16.04.2
ProcVersionSign
Uname: Linux 4.15.0-101-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.23
Architecture: amd64
Date: Mon Jun 1 13:51:14 2020
InstallationDate: Installed on 2011-04-14 (3336 days ago)
InstallationMedia: Ubuntu-Server 10.04.2 LTS "Lucid Lynx" - Release amd64 (20110211.1)
PackageArchitec
ProcEnviron:
TERM=screen.
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: ca-certificates
UpgradeStatus: Upgraded to xenial on 2016-07-30 (1401 days ago)