[SRU] ship new public cert

Bug #1381359 reported by Dustin Kirkland  on 2014-10-15
48
This bug affects 5 people
Affects Status Importance Assigned to Milestone
pollinate (Ubuntu)
Critical
Dustin Kirkland 
Trusty
Critical
Dustin Kirkland 
Utopic
Critical
Dustin Kirkland 

Bug Description

Pollinate ships entropy.ubuntu.com's public certificate for tighter security.

This certificate has been updated and pollinate needs to be updated.

[Impact]
Any new 14.04 (Trusty) cloud instance with a down-level version of pollinate will fail to seed their PRNG from entropy.ubuntu.com.

[Test Case]
Run:
 $ sudo pollinate -r
to reseed your PRNG. If you have the old version of pollinate, you'll get certificate errors (See Comment #1), and it will exit non-zero. If you have the new version (already uploaded to ppa:pollinate/ppa, utopic, trusty-proposed), it will work again and exit zero (see Comment #2).

[Regression Potential]
Negligible. A single file is updated with a new public SSL certificate for https://entropy.ubuntu.com, in /etc/pollinate/entropy.ubuntu.com.pem

Changed in pollinate (Ubuntu Trusty):
status: New → In Progress
Changed in pollinate (Ubuntu Utopic):
status: New → In Progress
Changed in pollinate (Ubuntu Trusty):
importance: Undecided → Critical
Changed in pollinate (Ubuntu Utopic):
importance: Undecided → Critical
Changed in pollinate (Ubuntu Trusty):
assignee: nobody → Dustin Kirkland  (kirkland)
Changed in pollinate (Ubuntu Utopic):
assignee: nobody → Dustin Kirkland  (kirkland)
Changed in pollinate (Ubuntu Trusty):
milestone: none → trusty-updates
Changed in pollinate (Ubuntu Utopic):
milestone: none → ubuntu-14.10
Dustin Kirkland  (kirkland) wrote :

kirkland@living:~$ sudo pollinate -r
[sudo] password for kirkland:
Oct 15 02:38:54 living pollinate[16662]: client sent challenge to [https://entropy.ubuntu.com/]
Oct 15 02:38:54 living pollinate[16686]: ERROR: Network communication failed [60]\n02:38:54.681268 * Hostname was NOT found in DNS cache
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 002:38:54.934551 * Trying 91.189.94.50...
02:38:55.123359 * Connected to entropy.ubuntu.com (91.189.94.50) port 443 (#0)
02:38:55.125788 * successfully set certificate verify locations:
02:38:55.125863 * CAfile: /etc/pollinate/entropy.ubuntu.com.pem
  CApath: /dev/null
02:38:55.126186 * SSLv3, TLS handshake, Client hello (1):
02:38:55.126308 } [data not shown]
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 002:38:55.321488 * SSLv3, TLS handshake, Server hello (2):
02:38:55.321577 { [data not shown]
02:38:55.321707 * SSLv3, TLS handshake, CERT (11):
02:38:55.321752 { [data not shown]
02:38:55.322811 * SSLv3, TLS alert, Server hello (2):
02:38:55.322895 } [data not shown]
02:38:55.323092 * SSL certificate problem: unable to get local issuer certificate
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
02:38:55.323292 * Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Changed in pollinate (Ubuntu Trusty):
status: In Progress → Fix Committed
Changed in pollinate (Ubuntu Utopic):
status: In Progress → Fix Committed
summary: - [SRU] ship new public key
+ [SRU] ship new public cert
Dustin Kirkland  (kirkland) wrote :

After updated package:

kirkland@x230:~⟫ sudo pollinate -r
[sudo] password for kirkland:
Oct 15 09:40:38 x230 pollinate[7392]: system was previously seeded at [2014-10-15 09:36:58.285035647 +0200]
Oct 15 09:40:38 x230 pollinate[7402]: client sent challenge to [https://entropy.ubuntu.com/]
Oct 15 09:40:39 x230 pollinate[7426]: client verified challenge/response with [https://entropy.ubuntu.com/]
Oct 15 09:40:39 x230 pollinate[7436]: client hashed response from [https://entropy.ubuntu.com/]
Oct 15 09:40:39 x230 pollinate[7438]: client successfully seeded [/dev/urandom]

description: updated
Haw Loeung (hloeung) wrote :

Seems I tried to be clever in providing a bundle without the original CA certificate (we're using almost everywhere else). Unfortunately, pollinate is calling curl with --capath /dev/null so we need to include this.

I've created MP:239160 to fix this.

Tested as follows:

$ curl -A 'pollinate/4.8-0ubuntu1 curl/7.37.1-1ubuntu3 Ubuntu/14.10 GNU/Linux/3.16.0-23-generic/x86_64' -o- -v --trace-time --connect-timeout 3 --max-time 3 --cacert missing-ca-certificate/entropy.ubuntu.com.pem --capath /dev/null https://entropy.ubuntu.com/
| 09:16:55.592055 * Hostname was NOT found in DNS cache
| 09:16:55.596308 * Trying 91.189.94.50...
| 09:16:55.925350 * Connected to entropy.ubuntu.com (91.189.94.50) port 443 (#0)
| 09:16:55.925950 * successfully set certificate verify locations:
| 09:16:55.926012 * CAfile: missing-ca-certificate/entropy.ubuntu.com.pem
| CApath: /dev/null
| 09:16:55.926126 * SSLv3, TLS handshake, Client hello (1):
| 09:16:56.261897 * SSLv3, TLS handshake, Server hello (2):
| 09:16:56.273468 * SSLv3, TLS handshake, CERT (11):
| 09:16:56.274152 * SSLv3, TLS handshake, Server key exchange (12):
| 09:16:56.274321 * SSLv3, TLS handshake, Server finished (14):
| 09:16:56.284401 * SSLv3, TLS handshake, Client key exchange (16):
| 09:16:56.284483 * SSLv3, TLS change cipher, Client hello (1):
| 09:16:56.284605 * SSLv3, TLS handshake, Finished (20):
| 09:16:56.628377 * SSLv3, TLS change cipher, Client hello (1):
| 09:16:56.628494 * SSLv3, TLS handshake, Finished (20):
| 09:16:56.628555 * SSL connection using TLSv1.2 / DHE-RSA-AES128-GCM-SHA256
| 09:16:56.628606 * Server certificate:
| 09:16:56.628656 * subject: OU=Domain Control Validated; CN=entropy.ubuntu.com
| 09:16:56.628702 * start date: 2014-10-14 23:21:25 GMT
| 09:16:56.628748 * expire date: 2015-10-15 16:10:53 GMT
| 09:16:56.628807 * subjectAltName: entropy.ubuntu.com matched
| 09:16:56.628863 * issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
| 09:16:56.628909 * SSL certificate verify ok.
| 09:16:56.628981 > GET / HTTP/1.1
| 09:16:56.628981 > User-Agent: pollinate/4.8-0ubuntu1 curl/7.37.1-1ubuntu3 Ubuntu/14.10 GNU/Linux/3.16.0-23-generic/x86_64
| 09:16:56.628981 > Host: entropy.ubuntu.com
| 09:16:56.628981 > Accept: */*
| 09:16:56.628981 >
| 09:16:56.968210 * HTTP 1.0, assume close after body
| 09:16:56.968290 < HTTP/1.0 400 Bad Request
| 09:16:56.968334 < Content-Type: text/plain; charset=utf-8
| 09:16:56.968375 < Content-Length: 162
| 09:16:56.968417 < Date: Tue, 21 Oct 2014 22:16:57 GMT
| 09:16:56.968459 < X-Cache: MISS from localhost
| 09:16:56.968501 < X-Cache-Lookup: MISS from localhost:3128
| 09:16:56.968544 < Via: 1.0 localhost (squid/3.1.19)
| 09:16:56.968587 * HTTP/1.0 connection set to keep alive!
| 09:16:56.968628 < Connection: keep-alive
| 09:16:56.968670 < Please use the pollinate client. 'sudo apt-get install pollinate' or download from: https://bazaar.launchpad.net/~pollinate/pollinate/trunk/view/head:/pollinate
| 09:16:56.968739 * Connection #0 to host entropy.ubuntu.com left intact

Once again, I am really sorry.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pollinate - 4.9-0ubuntu1

---------------
pollinate (4.9-0ubuntu1) utopic; urgency=medium

  * entropy.ubuntu.com.pem:
    - add original CA certificate, LP: #1381359
 -- Dustin Kirkland <email address hidden> Wed, 15 Oct 2014 09:28:22 +0200

Changed in pollinate (Ubuntu Utopic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pollinate - 4.7-0ubuntu1.2

---------------
pollinate (4.7-0ubuntu1.2) trusty-security; urgency=medium

  * debian/patches/1381359.patch: LP: #1381359
    - update expiring SSL certificate
 -- Dustin Kirkland <email address hidden> Tue, 21 Oct 2014 16:12:43 -0700

Changed in pollinate (Ubuntu Trusty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers