Seems I tried to be clever in providing a bundle without the original CA certificate (we're using almost everywhere else). Unfortunately, pollinate is calling curl with --capath /dev/null so we need to include this.
I've created MP:239160 to fix this. Tested as follows: $ curl -A 'pollinate/4.8-0ubuntu1 curl/7.37.1-1ubuntu3 Ubuntu/14.10 GNU/Linux/3.16.0-23-generic/x86_64' -o- -v --trace-time --connect-timeout 3 --max-time 3 --cacert missing-ca-certificate/entropy.ubuntu.com.pem --capath /dev/null https://entropy.ubuntu.com/ | 09:16:55.592055 * Hostname was NOT found in DNS cache | 09:16:55.596308 * Trying 91.189.94.50... | 09:16:55.925350 * Connected to entropy.ubuntu.com (91.189.94.50) port 443 (#0) | 09:16:55.925950 * successfully set certificate verify locations: | 09:16:55.926012 * CAfile: missing-ca-certificate/entropy.ubuntu.com.pem | CApath: /dev/null | 09:16:55.926126 * SSLv3, TLS handshake, Client hello (1): | 09:16:56.261897 * SSLv3, TLS handshake, Server hello (2): | 09:16:56.273468 * SSLv3, TLS handshake, CERT (11): | 09:16:56.274152 * SSLv3, TLS handshake, Server key exchange (12): | 09:16:56.274321 * SSLv3, TLS handshake, Server finished (14): | 09:16:56.284401 * SSLv3, TLS handshake, Client key exchange (16): | 09:16:56.284483 * SSLv3, TLS change cipher, Client hello (1): | 09:16:56.284605 * SSLv3, TLS handshake, Finished (20): | 09:16:56.628377 * SSLv3, TLS change cipher, Client hello (1): | 09:16:56.628494 * SSLv3, TLS handshake, Finished (20): | 09:16:56.628555 * SSL connection using TLSv1.2 / DHE-RSA-AES128-GCM-SHA256 | 09:16:56.628606 * Server certificate: | 09:16:56.628656 * subject: OU=Domain Control Validated; CN=entropy.ubuntu.com | 09:16:56.628702 * start date: 2014-10-14 23:21:25 GMT | 09:16:56.628748 * expire date: 2015-10-15 16:10:53 GMT | 09:16:56.628807 * subjectAltName: entropy.ubuntu.com matched | 09:16:56.628863 * issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2 | 09:16:56.628909 * SSL certificate verify ok. | 09:16:56.628981 > GET / HTTP/1.1 | 09:16:56.628981 > User-Agent: pollinate/4.8-0ubuntu1 curl/7.37.1-1ubuntu3 Ubuntu/14.10 GNU/Linux/3.16.0-23-generic/x86_64 | 09:16:56.628981 > Host: entropy.ubuntu.com | 09:16:56.628981 > Accept: */* | 09:16:56.628981 > | 09:16:56.968210 * HTTP 1.0, assume close after body | 09:16:56.968290 < HTTP/1.0 400 Bad Request | 09:16:56.968334 < Content-Type: text/plain; charset=utf-8 | 09:16:56.968375 < Content-Length: 162 | 09:16:56.968417 < Date: Tue, 21 Oct 2014 22:16:57 GMT | 09:16:56.968459 < X-Cache: MISS from localhost | 09:16:56.968501 < X-Cache-Lookup: MISS from localhost:3128 | 09:16:56.968544 < Via: 1.0 localhost (squid/3.1.19) | 09:16:56.968587 * HTTP/1.0 connection set to keep alive! | 09:16:56.968628 < Connection: keep-alive | 09:16:56.968670 < Please use the pollinate client. 'sudo apt-get install pollinate' or download from: https://bazaar.launchpad.net/~pollinate/pollinate/trunk/view/head:/pollinate | 09:16:56.968739 * Connection #0 to host entropy.ubuntu.com left intact Once again, I am really sorry. ** Branch linked: lp:~hloeung/pollinate/missing-ca-certificate -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to pollinate in Ubuntu. https://bugs.launchpad.net/bugs/1381359 Title: [SRU] ship new public cert To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pollinate/+bug/1381359/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs