12.04.4 server can't verify common SSL certificates, usual fixes failing


Solution 1

This problem stopped happening after a couple of updates. It looks like the ca-certificates file provided in the Ubuntu repos was missing an intermediate cert for GeoTrust.

Solution 2

I also have this problem; try this:

openssl s_client -host google.com -port 443

This command will also print a cert chain; the last one is:

s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

So you also need https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.pem.

This cert path is different from the cert path shown in browsers (IE, Firefox, Chrome). I don't know why, but this fixed my problem.
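The procedure in Solution 2 (read the issuer of the last certificate the server sends, make sure that issuer is in the local trust store) can be reproduced and checked offline. The script below is an added example, not code from the thread or from Ubuntu's ca-certificates package: it builds a made-up three-level chain (root, intermediate, leaf; all names constructed), serves the leaf plus intermediate the way a web server does, shows the "unable to get local issuer certificate" verdict from the question when the root is absent from the CApath directory, then installs the root with the same <subject-hash>.0 symlink layout that update-ca-certificates produces in /etc/ssl/certs and verifies again. It assumes the openssl command-line tool, version 1.1.0 or later (for -no-CAfile), and that no real trust store is consulted. One caveat worth knowing when reading s_client output on old systems: OpenSSL releases before 1.0.2 do not try alternative chains, so they need the issuer of the last certificate the server actually sends, even when a browser, which builds its own chain from its own store, shows a shorter path ending at a different root.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce "unable to get local
# issuer certificate" with a constructed three-level chain, then fix it the way
# Solution 2 does, by installing the issuer of the last certificate the server
# sends into the CApath directory. All names and files below are made up.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Constructed hierarchy: root (self-signed) -> intermediate -> leaf.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 30 \
  -config demo.cnf -extensions v3_ca -subj "/O=Example Corp/CN=Example Root CA" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -config demo.cnf -subj "/O=Example Corp/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile demo.cnf -extensions v3_ca 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -config demo.cnf -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile demo.cnf -extensions v3_leaf 2>/dev/null

# What a server typically sends: leaf plus intermediates, root omitted.
cat leaf.pem int.pem > served_chain.pem

# Issuer of the last certificate in a served chain. That is the certificate the
# local trust store must contain (Solution 2's reading of the s_client output).
last_issuer() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
    | grep '^issuer=' | tail -n 1
}

# Install a CA into a CApath directory the way update-ca-certificates lays out
# /etc/ssl/certs: the PEM file plus a <subject-hash>.0 symlink that OpenSSL
# looks up when it needs an issuer.
install_ca() {
  mkdir -p "$1"
  cp "$2" "$1/"
  ln -sf "$(basename "$2")" "$1/$(openssl x509 -noout -hash -in "$2").0"
}

# Verify the leaf against a CApath, treating the served intermediate as untrusted
# input (what curl and s_client do). Prints OpenSSL's verdict, always returns 0.
verify_with() {
  openssl verify -no-CAfile -CApath "$1" -untrusted int.pem leaf.pem 2>&1 || true
}

mkdir -p capath_broken                # trust dir without the root: the 12.04 symptom
install_ca capath_fixed root.pem      # trust dir after adding the missing root

echo "last served issuer: $(last_issuer served_chain.pem)"
echo "broken: $(verify_with capath_broken)"
echo "fixed:  $(verify_with capath_fixed)"
```

On a real host the equivalent check is `openssl verify -CApath /etc/ssl/certs -untrusted <intermediates from s_client> <leaf>`; if that fails with error 20 while `ls /etc/ssl/certs/<hash>.0` for the printed issuer shows nothing, the store is missing that issuer, which is the situation Solution 2 fixes by adding it.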



Author: Mikey T.K.

Updated on September 18, 2022

Comments

  • Mikey T.K. over 1 year

    The Problem

    I've got one server in a farm which is suddenly unable to correctly handle SSL certificates. Attempting to do a curl command like curl -v https://google.com results in:

    curl -v https://google.com
    * About to connect() to google.com port 443 (#0)
    *   Trying 74.125.137.101... connected
    * successfully set certificate verify locations:
    *   CAfile: none
      CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS alert, Server hello (2):
    * SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    

    Using openssl s_client is a little more detailed.

    # openssl s_client -host google.com -port 443
    CONNECTED(00000003)
    depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    verify error:num=20:unable to get local issuer certificate
    

    Things Tried So Far

    • Reinstalling ca-certificates - already have the latest available version, according to aptitude, Version: 20130906ubuntu0.12.04.1.

    • Reconfiguring ca-certificates via dpkg-reconfigure. This appears to rehash the /etc/ssl/certs folder but has no effect on the problem.

    • Using update-ca-certificates --fresh to regenerate the symbolic links in that folder

    • Grabbing the latest Mozilla ca bundle from curl.haxx.se - by putting that .pem file in /etc/ssl/certs and running the update command.

    Weirdness

    The certificate that curl claims it cannot find is indeed in the certification path.

    # ls -l /etc/ssl/certs/*Geo*
    
    lrwxrwxrwx 1 root root 57 Apr  7 15:57 /etc/ssl/certs/GeoTrust_Global_CA.pem -> /usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt
    ...
    

    The certificate file referenced has the same permissions as every other box on my network, namely 644.

    # ls -l /usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt
    -rw-r--r-- 1 root root 1216 Feb 20 11:49 /usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt
    

    Other secure sites such as Github show identical issues with different certificates. I am running the absolute latest version available of all packages for Ubuntu 12.04.4, including curl, openssl, and ca-certificates.

    What's going on here?

  • gertvdijk over 9 years
    Nope. Last change for ca-certificates was February 2014. See its changelog. Are you sure you are still seeing the same certificate chain offered by the Google server? Google tends to rotate certificates, change support for ECC now and then, etc.