12.04/openssl refusing some verisign certified sites
Summary: SSL refuses to work with some https sites on both 12.04, 13.04, 13.10, for fresh and updated installations. It is an issue with OpenSSL's handling of certificates..
Fixed in Ubuntu 14.04 apparently.
Openssl upstream, see http://
1) Copy the Root CA from Symantec's website https:/
2) Paste the contents into a file under "/usr/local/
$ sudo vi /usr/local/
$ sudo update-
# You should see output similar to this:
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-
---- Original post ----
After upgrading a 10.04 server to 12.04, SSL refuses to work with some sites.
curl -v https:/
works fine, on 12.04 it says:
This happens on some very well know bank sites , another example is https:/
Hence I think
- test on an 10.04 upgraded to 12.04 and also a 12.04 fresh server installation
- curl/7.22.0 (x86_64-
- Calling ssl directly:
openssl s_client -host cs.directnet.com -port 443
says "self signed certificate in certificate chain", and the chain shown is:
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Now there are lots of certificates in /usr/share/
Search the existing openssl/12.04 issues I came across ciper issues, but didnt' notice a bus for certs.
Since this affects well know sites it would seems to be quite an important issue?
|Changed in openssl:|
|status:||Unknown → Confirmed|
|Changed in ca-certificates (Ubuntu):|
|status:||New → Fix Released|
|Changed in openssl (Ubuntu):|
|status:||Confirmed → Invalid|