This update seems to have broken our web app that uses some popular
libraries that depend on curl() and use their cacert.pem files (provided
with the given library) to verify the connection.

Please note that it can be that effectively running an "apt-get update;
apt-get upgrade" (or having autoupdates enabled) breaks web apps that
use these popular libraries (and maybe other libraries with similar age
/ setup).

Exact reason unknown. Surprising problem, seeing that the libraries try
to use their own cacerts. Restoring the last known good ca-certificates
package and holding it fixes the problem (I guess disabling the check in
PHP would also do) but I reckon these are just temporary solutions.

$ uname -a
Linux [REDACTED] 3.2.0-88-generic #126-Ubuntu SMP Mon Jul 6 21:33:03 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

$ php -v
PHP 5.3.10-1ubuntu3.21 with Suhosin-Patch (cli) (built: Oct 28 2015 01:43:56)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies

$ curl -V
curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

(excerpt from /var/log/apt/history.log)
Start-Date: 2016-02-26  06:36:41
Upgrade: libgnutls26:amd64 (2.12.14-5ubuntu3.11, 2.12.14-5ubuntu3.12), libssl-dev:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), libssl-doc:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), openssl:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), ca-certificates:amd64 (20141019ubuntu0.12.04.1, 20160104ubuntu0.12.04.1), libssl1.0.0:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34)
End-Date: 2016-02-26  06:36:52

Error message: SSL certificate problem, verify that the CA cert is OK.
Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Libraries known to be affected: 
- Mailchimp API library for PHP. Exact version unknown; Mailchimp.php probably as of March 2014, filesize 13593 bytes.
- Rackspace Cloud Files API library for PHP. Exact version unknown; cloudfiles.php probably as of May 2010, filesize 77154 bytes.

FTR, our hotfix was:
- Going on a machine that has the same OS version and does not have the patch installed yet
- sudo apt-get install dpkg-repack; sudo dpkg-repack ca-certificates
- Copying the generated .deb file to the affected server and installing it
- apt-mark hold ca-certificates

It'd be great if someone could identify the root cause of this and
either provide a fix or communicate the effects of applying this patch
to the community.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1528645

Title:
  Please update ca-certificates on Trusty

Status in ca-certificates package in Ubuntu:
  Fix Released
Status in ca-certificates source package in Precise:
  Fix Released
Status in ca-certificates source package in Trusty:
  Fix Released
Status in ca-certificates source package in Wily:
  Fix Released
Status in ca-certificates source package in Xenial:
  Fix Released

Bug description:
  Hi
  The ca-certificates package on Trusty is quite out of date, would it be possible for someone to update the package to the version from Xenial?

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: ca-certificates 20150426ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-18.22-generic 4.2.3
  Uname: Linux 4.2.0-18-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.19.1-0ubuntu5
  Architecture: amd64
  CurrentDesktop: KDE
  Date: Tue Dec 22 18:57:08 2015
  InstallationDate: Installed on 2015-10-05 (78 days ago)
  InstallationMedia: Kubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20150825.1)
  PackageArchitecture: all
  SourcePackage: ca-certificates
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1528645/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
