Public bug reported:

I think the package is missing one intermediate certificate from
DigiCert that is being used for websites.

DigiCert Sha2 Secure Server CA
Located at https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt

For example, harpers.org uses that CA.

If you execute this from the CLI:

  curl -v https://harpers.org/wp-content/themes/harpers/images/logoBlack.png

This is the output:

 * Hostname was NOT found in DNS cache
  *   Trying 54.243.234.21...
  * Connected to harpers.org (54.243.234.21) port 443 (#0)
  * successfully set certificate verify locations:
  *   CAfile: none
    CApath: /etc/ssl/certs
  * SSLv3, TLS handshake, Client hello (1):
  * SSLv3, TLS handshake, Server hello (2):
  * SSLv3, TLS handshake, CERT (11):
  * SSLv3, TLS alert, Server hello (2):
  * SSL certificate problem: unable to get local issuer certificate
  * Closing connection 0
  curl: (60) SSL certificate problem: unable to get local issuer certificate

The workaround is this:

  wget -P /tmp/ -nv https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt
  openssl x509 -in /tmp/DigiCertSHA2SecureServerCA.crt -inform DER \
               -out /tmp/DigiCertSHA2SecureServerCA.pem -outform PEM
  sudo cp -uv /tmp/DigiCertSHA2SecureServerCA.pem /etc/ssl/certs
  sudo c_rehash

It affects all versions of Ubuntu starting from 14.04.

** Affects: ca-certificates (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: trusty xenial

https://bugs.launchpad.net/bugs/1700757

Title:
  Missing intermediate certificate from Digicert - "DigiCert Sha2 Secure
  Server CA"

Status in ca-certificates package in Ubuntu:
  New

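The `unable to get local issuer certificate` error from the curl output above, reproduced offline as an added example (not part of the bug report or of the ca-certificates package). It builds a constructed root, intermediate and leaf with made-up names, then verifies the leaf with the intermediate absent, supplied alongside the leaf, and added to the local trust file.

```shell
#!/bin/sh
# Constructed demo PKI (root -> intermediate -> leaf); all names are made up.

new_key_and_csr() {  # $1 = dir, $2 = file basename, $3 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_chain() {  # $1 = working directory
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$1/ca.ext"
  new_key_and_csr "$1" root "Demo Root CA"
  new_key_and_csr "$1" int  "Demo Intermediate CA"
  new_key_and_csr "$1" leaf "demo.example"
  # Self-signed root: the only certificate in the trust store for cases 1 and 2.
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
  # Intermediate signed by the root; leaf signed by the intermediate.
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -set_serial 2 -days 2 -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -set_serial 3 -days 2 -out "$1/leaf.pem" 2>/dev/null
}

# Case 1: only the leaf is presented and the trust store holds only the root.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}

# Case 2: the intermediate is presented with the leaf (untrusted chain cert).
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1
}

# Case 3: the intermediate is added to the local trust material; same effect as
# the workaround's copy into /etc/ssl/certs, done here with a bundle file.
verify_with_local_intermediate() {
  cat "$1/root.pem" "$1/int.pem" > "$1/bundle.pem"
  openssl verify -CAfile "$1/bundle.pem" "$1/leaf.pem" 2>&1
}

d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
make_chain "$d"
echo "leaf only:";            verify_leaf_only "$d" || true
echo "chain supplied:";       verify_with_chain "$d"
echo "intermediate trusted:"; verify_with_local_intermediate "$d"
```

Against a live host, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually presents, which tells case 1 apart from case 2.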