Your message dated Tue, 11 Jan 2022 14:09:47 +0100
with message-id <Yd2BmzClkr5XytvR@jcristau-z4>
and subject line Re: Bug#993363: SectigoRSADomainValidationSecureServerCA.crt absent from ca-certificates
has caused the Debian Bug report #993363,
regarding SectigoRSADomainValidationSecureServerCA.crt absent from ca-certificates
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
993363: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993363
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ca-certificates
Version: 20210119
Hello
The intermediate CA certificate for Sectigo, "Sectigo RSA Domain Validation
Secure Server CA" (this one: https://crt.sh/?id=924467861), is missing
from ca-certificates, resulting in errors while using CLI tools (but no
errors when using web browsers). I was able to confirm that Chrome and
Firefox actually have this certificate in their stores.
I found a lot of reports from 2020, when this (or a similar) certificate
was issued by "USERTrustRSAAddTrustCA", which was issued by
"AddTrustExternalCARoot", and that last one had expired in May 2020.
But this certificate is now issued
by "USERTrust_RSA_Certification_Authority", which is already in
ca-certificates.
I know that Namecheap, for example, had issued us some certificates with
this SectigoRSADomainValidationSecureServerCA as the signing certificate,
and it's causing some problems during validation now.
Error in openssl:
------
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
Verification error: unable to verify the first certificate
------
Errors in curl:
------
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
------
Certificate info: https://crt.sh/?id=924467861
---------
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.sectigo.com
------------
The cert that is missing is here, as exposed by the 1st level of cert that
failed:
-----
curl -s http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt | openssl x509 -text -inform DER | grep "Issuer\|Subject"
Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
Subject Public Key Info:
X509v3 Subject Key Identifier:
CA Issuers - URI:http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
-----
I can confirm that adding the CA cert allowed curl to work (as root):
-----
curl -s http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt | openssl x509 -text -inform DER
and adding the output to /etc/ssl/certs/ca-certificates.crt
-----
The same can be done for openssl (as root again):
----
curl -s http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt | openssl x509 -text -inform DER > /usr/local/share/ca-certificates/SectigoRSADomainValidationSecureServerCA.crt
update-ca-certificates
----
--
Thank you
Piotr
--- End Message ---
--- Begin Message ---
On Tue, Aug 31, 2021 at 01:34:43PM +0100, Piotr Kierklo wrote:
> Package: ca-certificates
> Version: 20210119
>
> Hello
>
> Intermediate CA certificate for Sectigo - "Sectigo RSA Domain Validation
> Secure Server CA" - this one: https://crt.sh/?id=924467861 - is missing
> from ca-certificates, resulting in errors while using CLI tools (but no errors
> when using web browsers). I was able to confirm that Chrome and Firefox
> actually have this certificate in their stores.
>
> I found a lot of reports from year 2020, when this (or similar) certificate
> was issued by "USERTrustRSAAddTrustCA" which was issued by
> "AddTrustExternalCARoot" and that last one had expired in May 2020
>
> But this certificate is now issued by "USERTrust_RSA_Certification_Authority"
> which is already in ca-certificates
>
> I know that Namecheap for example, had issued us some certificates with
> this SectigoRSADomainValidationSecureServerCA as the signing certificates, and
> it's causing some problems during validation now.
>
ca-certificates does not include intermediate certs; it includes roots.
It's the responsibility of the TLS server to present the necessary
intermediates in the handshake.
Cheers,
Julien
--- End Message ---
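A way to tell the two failure modes apart, following Julien's point that the server must send its own intermediates (this is an added example, not code from the bug report or from the ca-certificates package; the sample listings are constructed, and chain building is by subject/issuer name only, with no signature checks, so it is a diagnostic aid rather than a verifier):

```python
"""Classify the chain a TLS server presents, from `openssl s_client -showcerts` output:
"missing intermediate" (openssl verify error 20/21, the situation in #993363) versus
"untrusted root" (the chain is complete but ends in a CA the local store lacks)."""
import re
import subprocess

# s_client prints one " N s:<subject>" line followed by "   i:<issuer>" per presented cert.
_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)

# Names taken from the report; used below to build constructed sample listings.
SECTIGO = ("C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, "
           "CN = Sectigo RSA Domain Validation Secure Server CA")
USERTRUST = ("C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, "
             "CN = USERTrust RSA Certification Authority")

def parse_showcerts(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in _ENTRY.findall(text)]

def diagnose(text, trusted_roots):
    """trusted_roots: set of subject names in the local store (what ca-certificates ships).
    Returns 'complete', 'missing intermediate: <name>' or 'untrusted root: <name>'."""
    chain = parse_showcerts(text)
    if not chain:
        return "no certificates presented"
    by_subject = {s: i for _, s, i in chain}
    subject, issuer = chain[0][1], chain[0][2]
    seen = set()
    while issuer not in trusted_roots:
        if issuer == subject:  # self-signed, but not in the local store
            return f"untrusted root: {subject}"
        if issuer not in by_subject:  # server stopped short: openssl error 20/21
            return f"missing intermediate: {issuer}"
        if issuer in seen:
            return f"chain loops at: {issuer}"
        seen.add(subject)
        subject, issuer = issuer, by_subject[issuer]
    return "complete"

def showcerts_sample(pairs):
    """Constructed -showcerts-style listing (PEM bodies omitted) for offline use."""
    return "Certificate chain\n" + "".join(
        f" {n} s:{s}\n   i:{i}\n" for n, (s, i) in enumerate(pairs))

def fetch_showcerts(host, port=443):
    """Live variant: capture the real listing with openssl s_client (needs network)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"]
    return subprocess.run(cmd, input=b"", capture_output=True, timeout=20).stdout.decode("utf-8", "replace")
```

Adding the intermediate to the local store, as the report did, only makes this one machine report "complete"; every other client still sees the gap until the server itself sends the intermediate.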