kjotte@daedalus:~$ openssl s_client -CApath /etc/ssl/certs -connect api-v1.weather.gov:443 CONNECTED(00000003) depth=0 OU = Domain Control Validated, CN = nws.noaa.gov verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 OU = Domain Control Validated, CN = nws.noaa.gov verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/OU=Domain Control Validated/CN=nws.noaa.gov i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 --- Server certificate ... subject=/OU=Domain Control Validated/CN=nws.noaa.gov issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 --- No client certificate CA names sent --- SSL handshake has read 2604 bytes and written 647 bytes ---
Does the i: line in that output mean the server is sending that intermediate cert or that it is expected? I want to make absolutely certain I've got this right before I go telling the federal government they've messed up. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu. https://bugs.launchpad.net/bugs/1656054 Title: Unable to validate GoDaddy signed certs Status in ca-certificates package in Ubuntu: Invalid Bug description: I am updating a script to use a new version of the US National Weather Service API and am running into a certificate problem. kjotte@daedalus:/tmp$ curl https://api-v1.weather.gov/ curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none ... I have run update-ca-certificates to ensure the master bundle is current. This URL is accessible in Firefox with correct validation. Workaround: kjotte@daedalus:/tmp$ curl -sO https://certs.godaddy.com/repository/gd_bundle-g2.crt kjotte@daedalus:/tmp$ curl --cacert ./gd_bundle-g2.crt https://api-v1.weather.gov/ {"status":"OK"} Please update the system certificate store so I don't have to load the GoDaddy cert bundle on every machine I'll be running my scripts on. ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: ca-certificates 20160104ubuntu1 ProcVersionSignature: Ubuntu 4.4.0-59.80-generic 4.4.35 Uname: Linux 4.4.0-59-generic x86_64 ApportVersion: 2.20.1-0ubuntu2.4 Architecture: amd64 CurrentDesktop: XFCE Date: Thu Jan 12 12:43:45 2017 EcryptfsInUse: Yes InstallationDate: Installed on 2011-12-09 (1861 days ago) InstallationMedia: Xubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012) PackageArchitecture: all SourcePackage: ca-certificates UpgradeStatus: Upgraded to xenial on 2016-05-31 (226 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1656054/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
