DigiCert certificates should be included in Ubuntu

Bug #742889 reported by Ken Sharp on 2011-03-26
This bug affects 110 people
Affects:
ca-certificates (Debian): status Fix Released; importance Unknown
ca-certificates (Ubuntu): importance Medium; assigned to Marco Trevisan (Treviño)
Natty: importance Medium; unassigned
Oneiric: importance Medium; unassigned

Bug Description

Binary package hint: ca-certificates

See http://bugs.winehq.org/show_bug.cgi?id=17842

The lack of DigiCert certificates means that any application that relies on them for authentication (such as the PopCap games) will fail without error. A workaround is to export the certificates from Firefox.


Changed in ca-certificates (Ubuntu):
status: New → Confirmed
Ryan Steele (rgsteele) wrote :

This issue is also causing users of Empathy who are connecting to Facebook Chat to receive a certificate error. See http://askubuntu.com/questions/27752/untrusted-connection-warning-in-empathy for discussion.

Changed in ca-certificates (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
tags: removed: certificate certificates popcap ssl wine


Changed in ca-certificates (Ubuntu):
status: Triaged → New
Changed in ca-certificates (Ubuntu):
status: New → Triaged
Changed in ca-certificates (Ubuntu):
status: Triaged → Fix Committed
assignee: nobody → Treviño (Marco Trevisan) (3v1n0)
Changed in ca-certificates (Ubuntu Natty):
status: Fix Committed → Fix Released
Ken Sharp (kennybobs) wrote :

So what about Maverick, and other supported versions? There's no real reason why they shouldn't be included.

Carey Underwood (cwillu) wrote :

Marco, I still see this on a fully updated natty; are you sure the fix made it in?

Also, what's the status of this on Maverick and Lucid?

The fix isn't in. I've sent the merge request, but it hasn't been approved yet. In fact I just set this bug as "Fix Committed", not as "Fix Released". That will be possible only once the merge proposal has been accepted!

Changed in ca-certificates (Ubuntu Natty):
status: Fix Released → Fix Committed
Jamie Strandboge (jdstrand) wrote :

I have NAK'd the merge request (see my review in the merge). This needs to be in Debian first. Once it is there, it can be synced for Oneiric and backported to natty or farther. Marking back to 'In Progress'.

Changed in ca-certificates (Ubuntu Natty):
milestone: none → natty-updates
status: Fix Committed → In Progress
Jamie Strandboge (jdstrand) wrote :

Also, please add the Debian bug to this bug after it is filed. Thanks

Changed in ca-certificates (Ubuntu Oneiric):
status: New → Confirmed
importance: Undecided → Medium
Ken Sharp (kennybobs) wrote :

DigiCert certificates are in /usr/share/ca-certificates/mozilla/ in Debian. I don't know enough about Debian to know if these are therefore accessible to all applications or not.

Does anyone have a Debian installation to confirm this one way or the other?

Jamie Strandboge (jdstrand) wrote :

Ken, Ubuntu has had ca-certificates 20090814 since Ubuntu 9.10 and this is the same version that was in Debian until recent non-maintainer-uploads (NMUs): http://packages.debian.org/changelogs/pool/main/c/ca-certificates/ca-certificates_20090814+nmu3/changelog. I checked the newer Debian versions already and I don't see anything in the changelogs to indicate added DigiCert certificates. Ubuntu has these in /usr/share/ca-certificates/mozilla/ already:
DigiCert_Assured_ID_Root_CA.crt
DigiCert_Global_Root_CA.crt
DigiCert_High_Assurance_EV_Root_CA.crt

What needs to happen is a bug needs to be filed with Debian stating that mozilla now has additional certificates for DigiCert, and which ones are new, and that they should add them. At that point, that bug should be added to this one. When it is fixed in Debian, we can perform a sync into the development release of Ubuntu (Oneiric), and then perform an SRU using https://wiki.ubuntu.com/StableReleaseUpdates.

Ken Sharp (kennybobs) on 2011-04-19
description: updated
Jamie Strandboge (jdstrand) wrote :

ca-certificates 20110421 in Oneiric has in its changelog: "Update mozilla certdata.txt file to the latest version." I'm going to mark this bug as closed in Oneiric.

Changed in ca-certificates (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in ca-certificates (Ubuntu Natty):
assignee: Treviño (Marco Trevisan) (3v1n0) → nobody
status: In Progress → Triaged
Ken Sharp (kennybobs) wrote :

The Debian bug is now fixed and closed.

Changed in ca-certificates (Debian):
status: Unknown → Fix Released
Shahar Or (mightyiam) wrote :

Excellent!

I am using Oneiric and am hitting this bug with version 20110502+nmu1.

CaptainMark (imark-skinner) wrote :

+1 to Philipp Dreimann, I started getting the same error messages on 11.10 as Ryan Steele in comment #2 once the fix was marked as released

Maksym Chyrkov (mchirkov) wrote :

I also got this bug after update but with gmail.
Empathy shows warning that certificate is self signed for gmail.com

Paweł (paff) wrote :

Like Philipp Dreimann and CaptainMark, I have the same problem after today's upgrade.

I manually added it, but it didn't help.

sudo cp /tmp/DigiCertHighAssuranceCA-3.crt /usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_CA-3.crt
sudo dpkg-reconfigure ca-certificates

Paweł (paff) wrote :

Anyone?

In Oneiric, the bug comes up again.
Empathy is showing an untrusted connection with the Facebook certificate.

My guess: the observations wrt empathy reported in the last comments are due to Bug #828756.

Ken Sharp (kennybobs) wrote :

Is there a reason why this isn't nominated for currently supported versions of Ubuntu?
http://en.wikipedia.org/wiki/List_of_Ubuntu_releases#Version_timeline
It can't be that difficult to backport.

Ken Sharp (kennybobs) wrote :

Can this be ported to Natty? How about Hardy?

Igor Santos (igorsantos07) wrote :

The problem with empathy happens with Google Talk too (Google Certificate).

Sergio Benjamim (sergio-br2) wrote :

"Bug Watch Updater (bug-watch-updater) on 2011-08-11
Changed in ca-certificates (Debian):
status: Unknown → Fix Released"

How was this fixed? This problem is still in Ubuntu 12.04.1. Annoying in Empathy.

Philip Hale (p-hale-09) wrote :

I believe this problem still exists in 12.10 as well. How come the fix didn't persist after Oneiric?

The problem is also there with Telepathy in Kubuntu.

Should be re-opened for 12.10.

Brooks B (bmbeverst) wrote :

I can verify it is a problem in Telepathy on Kubuntu.

Trying out this fix: https://bugs.launchpad.net/ubuntu/+source/empathy/+bug/828756/comments/39

Joseph Wakeling (webdrake) wrote :

Also (newly?) affecting Empathy in Raring Ringtail.

Adam Porter (alphapapa) wrote :

Confirming on 12.10. Trying to load https://discovercard.com in Firefox works fine, but trying to load it in another browser, like QupZilla, says the root CA isn't trusted.

Adam Porter (alphapapa) wrote :

How can we get this marked for Precise and Quantal and Raring?

dino99 (9d9) wrote :
Changed in ca-certificates (Ubuntu Natty):
status: Triaged → Invalid
Adam Porter (alphapapa) wrote :

This still exists in Saucy! I can't even clone a repo from GitHub!

$ gnutls-cli -p 443 github.com
Resolving 'github.com'...
Connecting to '192.30.252.128:443'...
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - subject `businessCategory=Private Organization,jurisdictionOfIncorporationCountryName=US,jurisdictionOfIncorporationStateOrProvinceName=Delaware,serialNumber=5157550,STREET=548 4th Street,postalCode=94107,C=US,ST=California,L=San Francisco,O=GitHub\, Inc.,CN=github.com', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV CA-1', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-06-10 00:00:00 UTC', expires `2015-09-02 12:00:00 UTC', SHA-1 fingerprint `d712e96965dcf236c874c7037dc0b224a93bd233'
 - Certificate[1] info:
  - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV CA-1', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2007-11-09 12:00:00 UTC', expires `2021-11-10 00:00:00 UTC', SHA-1 fingerprint `dbc7e90b0da5d88a5535430eeb665d077859e8e8'
- The hostname in the certificate matches 'github.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA256
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
- Peer has closed the GnuTLS connection

Michael Shuler (mshuler) wrote :

You're doing it wrong.

$ gnutls-cli -p 443 github.com --x509cafile /etc/ssl/certs/ca-certificates.crt
Processed 159 CA certificate(s).
Resolving 'github.com'...
Connecting to '192.30.252.129:443'...
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - subject `businessCategory=Private Organization,jurisdictionOfIncorporationCountryName=US,jurisdictionOfIncorporationStateOrProvinceName=Delaware,serialNumber=5157550,STREET=548 4th Street,postalCode=94107,C=US,ST=California,L=San Francisco,O=GitHub\, Inc.,CN=github.com', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV CA-1', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-06-10 00:00:00 UTC', expires `2015-09-02 12:00:00 UTC', SHA-1 fingerprint `d712e96965dcf236c874c7037dc0b224a93bd233'
 - Certificate[1] info:
  - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV CA-1', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2007-11-09 12:00:00 UTC', expires `2021-11-10 00:00:00 UTC', SHA-1 fingerprint `dbc7e90b0da5d88a5535430eeb665d077859e8e8'
- The hostname in the certificate matches 'github.com'.
- Peer's certificate is trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA256
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

^C
--------------------------------------------------------------

The DigiCert CA certificates were added in 2008, folks. If you have software that has issues with validating certs for some reason, the issue is likely with that software or the environment the software is being run in.

ca-certificates (20080411) unstable; urgency=low
  (...)
  * Updated mozilla certificates from trunk, which led to the following
    adds (+) and removes (-):
    (...)
    + DigiCert Assured ID Root CA
    + DigiCert Global Root CA
    + DigiCert High Assurance EV Root CA
    (...)
 -- Philipp Kern <email address hidden> Sat, 12 Apr 2008 17:35:26 +0200
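
An added example, not from the thread or the ca-certificates project: a shell function that separates the cases argued over above, namely a root the package does not ship, one deselected or unlisted in the configuration, one missing from the generated bundle, and one that is in the bundle (so the failing client is not loading it, as with gnutls-cli run without --x509cafile). It assumes the stock Debian/Ubuntu layout (/usr/share/ca-certificates, /etc/ca-certificates.conf, /etc/ssl/certs/ca-certificates.crt); the function names and the fixture contents are constructed for illustration.

```shell
# Added example: triage a "CA not trusted" report on Debian/Ubuntu.
# Usage: triage_root NAME [SHARE_DIR] [CONF] [BUNDLE]
triage_root() {
    name=$1                                   # e.g. mozilla/DigiCert_Global_Root_CA.crt
    share=${2:-/usr/share/ca-certificates}    # where the package installs roots
    conf=${3:-/etc/ca-certificates.conf}      # selection list read by update-ca-certificates
    bundle=${4:-/etc/ssl/certs/ca-certificates.crt}

    # 1. Does the package ship the file at all?
    [ -f "$share/$name" ] || { echo not-shipped; return 0; }

    # 2. Is it selected? A leading "!" in the conf file deselects an entry.
    if grep -qxF -- "!$name" "$conf" 2>/dev/null; then echo deselected; return 0; fi
    grep -qxF -- "$name" "$conf" 2>/dev/null || { echo not-listed; return 0; }

    # 3. Did it reach the bundle? The bundle is the selected PEM files
    #    concatenated, so the first base64 line of the body should appear in it
    #    (a heuristic: it compares text, it does not parse the certificate).
    first=$(sed -n '/-----BEGIN CERTIFICATE-----/{n;p;q;}' "$share/$name")
    if [ -n "$first" ] && grep -qF -- "$first" "$bundle" 2>/dev/null; then
        echo in-bundle        # trust store is fine; look at the client
    else
        echo bundle-stale     # selected but the bundle was not regenerated
    fi
}

# Constructed fixture (placeholder bodies, not real certificates): one root
# that is shipped, selected and bundled, and one that is shipped but deselected.
demo_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/share/mozilla"
    for n in DigiCert_Global_Root_CA Example_Deselected_CA; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "Q09OU1RSVUNURUQt$n" \
            '-----END CERTIFICATE-----' > "$d/share/mozilla/$n.crt"
    done
    printf '%s\n' 'mozilla/DigiCert_Global_Root_CA.crt' \
        '!mozilla/Example_Deselected_CA.crt' > "$d/conf"
    cat "$d/share/mozilla/DigiCert_Global_Root_CA.crt" > "$d/bundle"
    echo "$d"
}
```

A result of in-bundle for a root named in the failing chain points at the application or its TLS library configuration rather than at the ca-certificates package.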
