ca-certificates missing some root CA

Bug #1881582 reported by Vasya Pupkin
This bug affects 1 person
Affects: ca-certificates (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I started seeing certificate errors in curl recently on Ubuntu 16.04. Here's an example:

$ curl -svo /dev/null --resolve ngrok.com:443:34.211.12.31 https://ngrok.com/
* Added ngrok.com:443:34.211.12.31 to DNS cache
* Hostname ngrok.com was found in DNS cache
* Trying 34.211.12.31...
* Connected to ngrok.com (34.211.12.31) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0

I have the latest version of ca-certificates installed. On Ubuntu 20.04 everything works fine:

$ curl -svo /dev/null --resolve ngrok.com:443:34.211.12.31 https://ngrok.com/
* Added ngrok.com:443:34.211.12.31 to DNS cache
* Hostname ngrok.com was found in DNS cache
* Trying 34.211.12.31:443...
* TCP_NODELAY set
* Connected to ngrok.com (34.211.12.31) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4439 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.ngrok.com
* start date: Mar 10 00:00:00 2020 GMT
* expire date: Mar 10 23:59:59 2021 GMT
* subjectAltName: host "ngrok.com" matched cert's "ngrok.com"
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
* SSL certificate verify ok.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: ca-certificates 20170717~16.04.2
ProcVersionSignature: Ubuntu 4.15.0-101.102~16.04.1-generic 4.15.18
Uname: Linux 4.15.0-101-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.23
Architecture: amd64
Date: Mon Jun 1 13:51:14 2020
InstallationDate: Installed on 2011-04-14 (3336 days ago)
InstallationMedia: Ubuntu-Server 10.04.2 LTS "Lucid Lynx" - Release amd64 (20110211.1)
PackageArchitecture: all
ProcEnviron:
 TERM=screen.xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: ca-certificates
UpgradeStatus: Upgraded to xenial on 2016-07-30 (1401 days ago)
