StartCom Certification Authority G2 CA cert missing
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ca-certificates (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Lucid |
Won't Fix
|
Wishlist
|
Unassigned | ||
Precise |
Won't Fix
|
Wishlist
|
Unassigned | ||
Quantal |
Won't Fix
|
Wishlist
|
Unassigned |
Bug Description
I'm getting this on a Lucid Lynx server:
$ wget https:/
--2013-11-27 10:48:12-- https:/
Resolving www.sourceware.
Connecting to www.sourceware.
ERROR: cannot verify www.sourceware.
Self-signed certificate encountered.
To connect to www.sourceware.org insecurely, use `--no-check-
Similarly with curl:
$ curl https:/
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:
More details here: http://
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
I presume the certificates are just too old, but there might be a problem with openssl, or something, I suppose.
Since Lucid is still supported for another 17 months, on the server, I think this ought to be fixed.
I'm marking it as a security issue even though it is the user's security that is vulnerable, not the system, so apologies if that's not appropriate.
affects: | ssl-cert (Ubuntu) → ca-certificates (Ubuntu) |
Changed in ca-certificates (Ubuntu Quantal): | |
status: | Confirmed → Won't Fix |
Looks like Ubuntu 12.10 and older don't have the "StartCom Certification Authority G2" CA cert.
A workaround is to install that CA cert into /usr/local/ share/ca- certificates, and run "sudo update- ca-certificates ".