12.04.4 server can't verify common SSL certificates, usual fixes failing
Solution 1
This problem stopped happening after a couple of updates. It looks like the ca-certificates file provided in the Ubuntu repos was missing an intermediate cert for GeoTrust.
Solution 2
I also have this problem, try this:
openssl s_client -host google.com -port 443
this command will also print a cert chain, the last one is:
s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
so you also need https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.pem.
This cert path is different from the cert path shown in browsers (IE, Firefox, Chrome); I don't know why, but this fixed my problem.
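As an added check (not part of the question or either answer), the script below mimics the lookup OpenSSL performs when it reports verify error 20: it takes the last certificate the server sends, hashes its issuer name and looks for <hash>.0 in the CApath. It assumes the Ubuntu default CApath /etc/ssl/certs that the curl output above shows and an openssl binary on the PATH; the sample chain listing embedded in it is constructed.

```shell
#!/bin/sh
# Added diagnostic script; not from the question or either answer.
# Reproduces the lookup behind "unable to get local issuer certificate":
# hash the issuer name of the last certificate the server sent and look for
# <hash>.0 in the CApath that c_rehash/update-ca-certificates maintains.

CAPATH="${CAPATH:-/etc/ssl/certs}"   # assumption: Ubuntu default CApath

# Issuer name of the last certificate in an s_client chain listing (stdin):
# the "i:" line of the highest-numbered entry is the CA the store must hold.
top_issuer() {
    awk '/^ *i:/ { last = $0 } END { sub(/^ *i:/, "", last); print last }'
}

# Last PEM block from `openssl s_client -showcerts` output on stdin.
last_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
         { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { last = buf }
         END { printf "%s", last }'
}

# Exit 0 if the issuer of the PEM certificate on stdin is in CAPATH,
# 1 if it is not, 2 if stdin held no parseable certificate.
issuer_in_store() {
    hash=$(openssl x509 -noout -issuer_hash 2>/dev/null) || return 2
    [ -n "$hash" ] && [ -e "$CAPATH/$hash.0" ]
}

# Full check against a live host, e.g. `sh thisscript.sh google.com`.
check_host() {
    chain=$(openssl s_client -connect "$1:443" -showcerts </dev/null 2>/dev/null)
    echo "top issuer: $(printf '%s\n' "$chain" | top_issuer)"
    printf '%s\n' "$chain" | last_pem | issuer_in_store
    case $? in
        0) echo "issuer present in $CAPATH" ;;
        1) echo "issuer NOT in $CAPATH: expect verify error 20" ;;
        *) echo "no certificate received from $1" ;;
    esac
}

# Constructed sample chain listing, shaped like the answer's s_client output.
SAMPLE_CHAIN=' 0 s:/CN=www.example.test
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority'

if [ $# -gt 0 ]; then check_host "$1"; fi
```

If the script reports the issuer as missing, the fix is the one the answer gives: add that issuer's certificate to the store and re-run update-ca-certificates so the <hash>.0 link is created.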
Mikey T.K.
Updated on September 18, 2022
Mikey T.K. over 1 year
The Problem
I've got one server in a farm which is suddenly unable to correctly handle SSL certificates. Attempting to do a curl command like
curl -v https://google.com
results in:
* About to connect() to google.com port 443 (#0)
*   Trying 74.125.137.101... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Using openssl s_client is a little more detailed.
# openssl s_client -host google.com -port 443
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
Things Tried So Far
- Reinstalling ca-certificates - already have the latest available version, according to aptitude, Version: 20130906ubuntu0.12.04.1.
- Reconfiguring ca-certificates via dpkg-reconfigure. This appears to rehash the /etc/ssl/certs folder but has no effect on the problem.
- Using update-ca-certificates --fresh to regenerate the symbolic links in that folder.
- Grabbing the latest Mozilla ca bundle from curl.haxx.se - by putting that .pem file in /etc/ssl/certs and running the update command.
Weirdness
The certificate that curl claims it cannot find is indeed in the certification path.
# ls -l /etc/ssl/certs/*Geo*
lrwxrwxrwx 1 root root 57 Apr 7 15:57 /etc/ssl/certs/GeoTrust_Global_CA.pem -> /usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt
...
The certificate file referenced has the same permissions as every other box on my network, namely 644.
# ls -l /usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt
-rw-r--r-- 1 root root 1216 Feb 20 11:49 /usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt
Other secure sites such as Github show identical issues with different certificates. I am running the absolute latest version available of all packages for Ubuntu 12.04.4, including curl, openssl, and ca-certificates.
What's going on here?
gertvdijk over 9 years
Nope. Last change for ca-certificates was February 2014. See its changelog. Are you sure you are still seeing the same certificate chain offered by the Google server? Google tends to rotate certificates, change support for ECC now and then, etc.