TLDR summary: run "c_rehash" as root to fix this issue.
I just ran into this issue (symptoms: "wget https://ev-root.digicert.com/", "openssl c_client ev-root.digicert.com" would fail) .
The problem is that the symbolic links that are supposed to exist in /etc/ssl/certs aren't there. Running "c_rehash" command recreates the links . Reinstallling ca-certificates does not fix this issue, because /usr/sbin/update-ca-certificates only runs c_rehash when /etc/ssl/certs/ca-certificates.crt is out of date (ie. when you added or removed some certificates).
I don't know why an Ubuntu 12.04 LTS system would be in this state, perhaps it only happens on systems that were upgraded from earlier Ubuntu installs, and for some reason c_rehash never got run.
$ wget https://ev-root.digicert.com/
--2013-06-07 19:55:03-- https://ev-root.digicert.com/
Resolving ev-root.digicert.com (ev-root.digicert.com)... 64.58.225.123
Connecting to ev-root.digicert.com (ev-root.digicert.com)|64.58.225.123|:443... connected.
ERROR: cannot verify ev-root.digicert.com's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1':
Unable to locally verify the issuer's authority.
To connect to ev-root.digicert.com insecurely, use `--no-check-certificate'.
TLDR summary: run "c_rehash" as root to fix this issue.
I just ran into this issue (symptoms: "wget https:/ /ev-root. digicert. com/", "openssl c_client ev-root. digicert. com" would fail) .
The problem is that the symbolic links that are supposed to exist in /etc/ssl/certs aren't there. Running "c_rehash" command recreates the links . Reinstallling ca-certificates does not fix this issue, because /usr/sbin/ update- ca-certificates only runs c_rehash when /etc/ssl/ certs/ca- certificates. crt is out of date (ie. when you added or removed some certificates).
I don't know why an Ubuntu 12.04 LTS system would be in this state, perhaps it only happens on systems that were upgraded from earlier Ubuntu installs, and for some reason c_rehash never got run.
$ wget https:/ /ev-root. digicert. com/ /ev-root. digicert. com/ digicert. com (ev-root. digicert. com)... 64.58.225.123 digicert. com (ev-root. digicert. com)|64. 58.225. 123|:443. .. connected. digicert. com's certificate, issued by `/C=US/O=DigiCert Inc/OU= www.digicert. com/CN= DigiCert High Assurance EV CA-1': digicert. com insecurely, use `--no-check- certificate' .
--2013-06-07 19:55:03-- https:/
Resolving ev-root.
Connecting to ev-root.
ERROR: cannot verify ev-root.
Unable to locally verify the issuer's authority.
To connect to ev-root.
$ strace wget https:/ /ev-root. digicert. com/
write(2, "Connecting to ev-root. digicert. c"..., 80Connecting to ev-root. digicert. com (ev-root. digicert. com)|64. 58.225. 123|:443. .. ) = 80 htons(443) , sin_addr= inet_addr( "64.58. 225.123" )}, 16) = 0 usr/lib/ ssl/certs/ 244b5494. 0", 0x7fff22ff0b60) = -1 ENOENT (No such file or directory)
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=
.....
stat("/
$ c_rehash
....
$ ls -l /usr/lib/ ssl/certs/ 244b5494. 0 ssl/certs/ 244b5494. 0 -> DigiCert_ High_Assurance_ EV_Root_ CA.pem
lrwxrwxrwx 1 root root 38 Jun 7 20:20 /usr/lib/
$ wget https:/ /ev-root. digicert. com/ /ev-root. digicert. com/ digicert. com (ev-root. digicert. com)... 64.58.225.123 digicert. com (ev-root. digicert. com)|64. 58.225. 123|:443. .. connected.
--2013-06-07 20:20:10-- https:/
Resolving ev-root.
Connecting to ev-root.
HTTP request sent, awaiting response... 200 OK