[Bug 1014640] Re: 12.04/openssl refusing some verisign certified sites
Chris Bainbridge
chris.bainbridge at gmail.com
Fri Jun 7 19:36:37 UTC 2013
TLDR summary: run "c_rehash" as root to fix this issue.
I just ran into this issue (symptoms: "wget https://ev-root.digicert.com/",
"openssl s_client ev-root.digicert.com" would fail).
The problem is that the symbolic links that are supposed to exist in
/etc/ssl/certs aren't there. Running the "c_rehash" command recreates the
links. Reinstalling ca-certificates does not fix this issue, because
/usr/sbin/update-ca-certificates only runs c_rehash when
/etc/ssl/certs/ca-certificates.crt is out of date (i.e. when you added or
removed some certificates).
I don't know why an Ubuntu 12.04 LTS system would be in this state;
perhaps it only happens on systems that were upgraded from earlier
Ubuntu installs, and for some reason c_rehash never got run.
$ wget https://ev-root.digicert.com/
--2013-06-07 19:55:03-- https://ev-root.digicert.com/
Resolving ev-root.digicert.com (ev-root.digicert.com)... 64.58.225.123
Connecting to ev-root.digicert.com (ev-root.digicert.com)|64.58.225.123|:443... connected.
ERROR: cannot verify ev-root.digicert.com's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1':
Unable to locally verify the issuer's authority.
To connect to ev-root.digicert.com insecurely, use `--no-check-certificate'.
$ strace wget https://ev-root.digicert.com/
write(2, "Connecting to ev-root.digicert.c"..., 80Connecting to ev-root.digicert.com (ev-root.digicert.com)|64.58.225.123|:443... ) = 80
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("64.58.225.123")}, 16) = 0
.....
stat("/usr/lib/ssl/certs/244b5494.0", 0x7fff22ff0b60) = -1 ENOENT (No such file or directory)
$ c_rehash
....
$ ls -l /usr/lib/ssl/certs/244b5494.0
lrwxrwxrwx 1 root root 38 Jun 7 20:20 /usr/lib/ssl/certs/244b5494.0 -> DigiCert_High_Assurance_EV_Root_CA.pem
$ wget https://ev-root.digicert.com/
--2013-06-07 20:20:10-- https://ev-root.digicert.com/
Resolving ev-root.digicert.com (ev-root.digicert.com)... 64.58.225.123
Connecting to ev-root.digicert.com (ev-root.digicert.com)|64.58.225.123|:443... connected.
HTTP request sent, awaiting response... 200 OK
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1014640
Title:
12.04/openssl refusing some verisign certified sites
Status in “openssl” package in Ubuntu:
Confirmed
Bug description:
After upgrading a 10.04 server to 12.04, SSL refuses to work with some sites.
On 10.04,
curl -v https://cs.directnet.com/dn/c/cls/auth?language=de
works fine, on 12.04 it says:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This happens on some very well known bank sites; another example is https://postfinance.ch.
Hence I think
Analysis:
- test on a 10.04 upgraded to 12.04 and also a 12.04 fresh server installation
- curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
- Calling ssl directly:
openssl s_client -host cs.directnet.com -port 443
says "self signed certificate in certificate chain", and the chain shown is:
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=CH/businessCategory=Private Organization/serialNumber=CH-020.3.906.075-9/C=CH/postalCode=8001/ST=Zuerich/L=Zuerich/street=Paradeplatz 8/O=Credit Suisse Group AG/CN=cs.directnet.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Now there are lots of certificates in /usr/share/ca-certificates/mozilla
(148 of them, there were 123 in Lucid 10.04).
Searching the existing openssl/12.04 issues I came across cipher issues, but didn't notice a bug for certs.
Since this affects well known sites it would seem to be quite an important issue?
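The diagnosis in the reply above (a CA file present in the certificate directory, but no <subject-hash>.N link for OpenSSL to stat) can be checked without waiting for a failing wget. The script below is an added example, not code from this thread or from ca-certificates; it assumes "openssl" and "cmp" are on the PATH, that the directory to check is /etc/ssl/certs (on Ubuntu, /usr/lib/ssl/certs is normally a symlink to it, which is why the strace shows that path), and that the links must use the OpenSSL 1.0 hash that "openssl x509 -hash" prints.

```shell
#!/bin/sh
# Report CA certificates in a directory that lack the hashed symlink
# (<subject-hash>.N) OpenSSL uses for issuer lookups, i.e. the links that
# c_rehash creates. Added example; not part of the bug thread.

# Subject-name hash that an OpenSSL 1.0+ client expects as the link name
# (older OpenSSL used a different hash; see "-subject_hash_old").
subject_hash() {
    openssl x509 -noout -hash -in "$1" 2>/dev/null
}

# Succeed if some <hash>.N entry in $1 has the same content as cert $2.
# Comparing content rather than link targets also accepts copied files.
has_hash_link() {
    n=0
    while [ "$n" -lt 10 ]; do
        if [ -e "$1/$3.$n" ] && cmp -s "$1/$3.$n" "$2"; then
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# List every *.pem in $1 that has no hash link; return 1 if any is missing.
# Only *.pem is checked so the ca-certificates.crt bundle is not hashed.
check_cert_links() {
    missing=0
    for cert in "$1"/*.pem; do
        [ -f "$cert" ] || continue             # glob matched nothing
        hash=$(subject_hash "$cert") || continue   # not an X.509 file
        if ! has_hash_link "$1" "$cert" "$hash"; then
            echo "missing link: $hash.N -> ${cert##*/}"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: sh check_links.sh /etc/ssl/certs   (exit 1 means run c_rehash)
if [ "$#" -gt 0 ]; then
    check_cert_links "$1"
fi
```

A non-zero exit from the script is the state the reply describes, and running c_rehash as root and re-running the check should then report nothing.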