Package: ca-certificates Version: 20180409 Severity: important Dear Maintainer,
https://www.youtube.com/ is inaccessible in Debian due to there being no local copy of the Cisco Umbrella CA certificate(s). Youtube appears to have updated their SSL certificate on the 24th of September 2018 to use this new CA. I have all certificates enabled from the Sid version of this package. $ openssl s_client -showcerts -connect www.youtube.com:443 CONNECTED(00000003) depth=2 CN = Cisco Umbrella Primary SubCA, O = Cisco verify error:num=20:unable to get local issuer certificate --- Certificate chain 0 s:/C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com i:/CN=Cisco Umbrella Secondary SubCA syd-SG/O=Cisco -----BEGIN CERTIFICATE----- MIIDRDCCAiygAwIBAgIEW6hwwDANBgkqhkiG9w0BAQsFADBAMS4wLAYDVQQDDCVD aXNjbyBVbWJyZWxsYSBTZWNvbmRhcnkgU3ViQ0Egc3lkLVNHMQ4wDAYDVQQKDAVD aXNjbzAeFw0xODA5MjIwNTA1NTBaFw0xODA5MjcwNTA1NTBaMGoxCzAJBgNVBAYT AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv MRYwFAYDVQQKDA1PcGVuRE5TLCBJbmMuMRYwFAYDVQQDDA0qLm9wZW5kbnMuY29t MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxAeKOlfM0rVDGznvoxC/ w0oXlZQBLSj/CqC6XRTsuyAJoT9A3HkIU4HcHq9GZLoQfLdjf/8jqIfTZWshxYbx x5vaqjKMHuDJPHCY+pYGjhEeykU3zgMUWp12sZxcU/KQc3yZjdiXZO8veDCrYcSZ 1l37KCU9a//Q+aqXfOBpWXe2Y2xvXRj/6K6MtfXdFkuca42zhXJz67tjVwoqQIgY PLP9jR+QRCj7d5HF6WzGoow6Vf/ySHVkKGTRVgVTExSCShw4g82NpS27G6mg5ot2 bHhnmzRZB7L4wl5oxYHfOnTKstZw78+OjTX7iMa0J/I5qwTLbGtWz4G2Pt8KzrUa nwIDAQABoxwwGjAYBgNVHREEETAPgg0qLm9wZW5kbnMuY29tMA0GCSqGSIb3DQEB CwUAA4IBAQCuU98KuTUmhwmE43qfeZvl8p4Vzlho5YcZT9OIVNLeDxBzlPIyW6d4 6pKFDTZW76+3B/ITVKFU8WA+ZDDkHts6xV0plFa4GbPH2uzirPYxK7odmsI5uA02 kamOh3I3BEgFTQ2lM/or+hXT9FgzctF49N/BlgVpCmdkx273v0krE7CluhZlVWSS 3V5bDLHsZLIAcvBm92SWD4aMxq3Rw/yAsZmdOBZ5JKAV0Sd+93suwXx8H5ysCJHO oyCw/ZVYiHuAUNloK33czu3vl4cvPuIu4fAQ7YOyp+WZp/ofFVammg80aN6TnH7e mfoIWh8yBddXi8kifMriaFZFpwUVtVSb -----END CERTIFICATE----- 1 s:/CN=Cisco Umbrella Secondary SubCA syd-SG/O=Cisco i:/CN=Cisco Umbrella Primary SubCA/O=Cisco -----BEGIN CERTIFICATE----- MIID3TCCAsWgAwIBAgIRAJQWOl4qSUQghc++yagk3u4wDQYJKoZIhvcNAQELBQAw NzElMCMGA1UEAwwcQ2lzY28gVW1icmVsbGEgUHJpbWFyeSBTdWJDQTEOMAwGA1UE CgwFQ2lzY28wHhcNMTgwOTIyMjAwMTM4WhcNMTgxMDAzMjAwMTM4WjBAMS4wLAYD VQQDDCVDaXNjbyBVbWJyZWxsYSBTZWNvbmRhcnkgU3ViQ0Egc3lkLVNHMQ4wDAYD VQQKDAVDaXNjbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQHijpX zNK1Qxs576MQv8NKF5WUAS0o/wqgul0U7LsgCaE/QNx5CFOB3B6vRmS6EHy3Y3// I6iH02VrIcWG8ceb2qoyjB7gyTxwmPqWBo4RHspFN84DFFqddrGcXFPykHN8mY3Y l2TvL3gwq2HEmdZd+yglPWv/0Pmql3zgaVl3tmNsb10Y/+iujLX13RZLnGuNs4Vy c+u7Y1cKKkCIGDyz/Y0fkEQo+3eRxelsxqKMOlX/8kh1ZChk0VYFUxMUgkocOIPN jaUtuxupoOaLdmx4Z5s0WQey+MJeaMWB3zp0yrLWcO/Pjo01+4jGtCfyOasEy2xr Vs+Btj7fCs61Gp8CAwEAAaOB2jCB1zAfBgNVHSMEGDAWgBQ3QZhaPSAuZ8oNMssn yeDF7bqf6TASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAdBgNV HQ4EFgQUw/XAWEmud+XAetLKwpcvBALZRDwwcQYIKwYBBQUHAQEEZTBjMCMGCCsG AQUFBzABhhdodHRwOi8vb2NzcC5vcGVuZG5zLmNvbTA8BggrBgEFBQcwAoYwaHR0 cDovL2NhY2VydHMub3BlbmRucy5jb20vNDQ4NjNBQjE1NDY0NThENzIuY3J0MA0G CSqGSIb3DQEBCwUAA4IBAQBAMymo8jxfN5267wqVmx4L9D6QcWH0/0gpbB8NSvm/ AX1JvCoIpS7LTt/45ikQz/RwUKY4oP+GCfnwSMtl888sZXTmYuotWwJyDAVU2DiD zg+5avwUMbMRtOVWl8i1noAuPRcx1BTDd+0DcizFQk0FgbMCLjdUjEALtGe+VTiK eQkZR4AvG1tKdopdoUx23yVNHozGZTGAIgbmWKqG6AR6xak3BIM894EIQvb+jju+ LhmYCl4jcfMJkvRHJUI+wLCfE1grYdEgCLIUMsboKOWulxZWEyvlNG8Tx38QRLKd 7UJpVcBAydatGdalj3fOZa4zvNCrWCYotLXHju2k1uWB -----END CERTIFICATE----- 2 s:/CN=Cisco Umbrella Primary SubCA/O=Cisco i:/O=Cisco/CN=Cisco Umbrella Root CA -----BEGIN CERTIFICATE----- MIIEgTCCA2mgAwIBAgIJBEhjqxVGRY1yMA0GCSqGSIb3DQEBCwUAMDExDjAMBgNV BAoTBUNpc2NvMR8wHQYDVQQDExZDaXNjbyBVbWJyZWxsYSBSb290IENBMB4XDTE2 MDYyODE1NDAxMVoXDTIxMDYyODE1NDAxMVowNzElMCMGA1UEAwwcQ2lzY28gVW1i cmVsbGEgUHJpbWFyeSBTdWJDQTEOMAwGA1UECgwFQ2lzY28wggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQCvR/Tm+U0VahUptIKAkU7BwSKgO1HO0CMdZXCO OLFh9+pCoG1Ly7UiudFAumlfA4kzs1SS9xR2ax0TYIQG84hJsoOPSaZU6wkWWJDq mZVD4+LSPZLUuMWbgWy8/BuqKKL32JjInU/LRXF3AaapHT6eprR5vv5MYSWzFv4r QzhMXy8i8eK48EKsQyf3UBUHdUmOQFBYuRkYlKdave0ipxjMUYKh6DwJX+5psl7S lwHxzKxppwBqZhI5GiuWIs4RhuB+1hOr1zuAb9Oy8WNryXTijXQJ+thl74oo0CoV XS2nZQyDk1X2CUOpTy2Kj4W4ucd4Y1jRp37FkWQwivWq5DU5AgMBAAGjggGUMIIB kDAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBATBSBgNVHSAESzBJ MEcGCisGAQQBCRUBHQAwOTA3BggrBgEFBQcCARYraHR0cDovL3d3dy5jaXNjby5j b20vc2VjdXJpdHkvcGtpL3BvbGljaWVzLzAdBgNVHQ4EFgQUN0GYWj0gLmfKDTLL J8ngxe26n+kwTAYDVR0fBEUwQzBBoD+gPYY7aHR0cDovL3d3dy5jaXNjby5jb20v c2VjdXJpdHkvcGtpL2NybC9jaXNjb3VtYnJlbGxhcm9vdC5jcmwwgYcGCCsGAQUF BwEBBHsweTBJBggrBgEFBQcwAoY9aHR0cDovL3d3dy5jaXNjby5jb20vc2VjdXJp dHkvcGtpL2NlcnRzL2Npc2NvdW1icmVsbGFyb290LmNlcjAsBggrBgEFBQcwAYYg aHR0cDovL3BraWN2cy5jaXNjby5jb20vcGtpL29jc3AwHwYDVR0jBBgwFoAUQ3MA 3iS6QBpAVCx9fNUASIkMcKQwDQYJKoZIhvcNAQELBQADggEBAAhlqdX9AAHOyNPv KA44ulyoprNnXp62XeYnlKRgCPvShWW2eDIMOePS8+RvuPGJdtAm1YoPa9hn0WO2 L+jHmnob7so2yc3c02uio9Q4VqPCuA1T/RmmXerpvHtxx1FfUhboBoiGvP/dnFTX DF0lzLEllP3tYZOH0wjsTjhPERN60zR29lKHludW9ZRc5Fkxj5ZwALvAZ2Iqb0HG DwIhJJjXUpJjZXQPRGQ8N+VDx2UqTf74g/rpKcALUERGFrrJMO0Z7yaiqVsVQ9/J 4FAJCjB6fkivL5SvmDWCB1ZeiRc2ud5qm/II0OuGdtX+mo0/Lo9Lh9Tdg2LxUxEn 7cAtMK0= -----END CERTIFICATE----- --- Server certificate subject=/C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com issuer=/CN=Cisco Umbrella Secondary SubCA syd-SG/O=Cisco --- No client certificate CA names sent --- SSL handshake has read 3304 bytes and written 494 bytes Verification error: unable to get local issuer certificate --- New, TLSv1.2, Cipher is AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : AES256-GCM-SHA384 Session-ID: 44A45E2041BFAF055C258AB477ECF487182F5F2AC19889D581140F0687F20AA9 Session-ID-ctx: Master-Key: 3F27C4570C9AEB398AC6549DE78DF2EE7DDBCE8893E08B1408A20D85C88AF9E74B5CD08175FE2EDBE3A0D51C6F9DED56 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - e5 96 cd e4 b3 05 0c 5b-cd 4f 55 74 d5 5e 7e 66 .......[.OUt.^~f 0010 - 54 e9 55 25 6c cc 35 cc-ac bc 8a 7b 36 e4 6a 39 T.U%l.5....{6.j9 0020 - f7 51 53 c0 c1 47 d8 49-81 67 ff 8b 44 f4 c9 7d .QS..G.I.g..D..} 0030 - a9 db a5 19 fc bb af 98-52 23 bc 8d cb d9 7f 80 ........R#...... 0040 - e1 08 68 07 74 94 27 8b-dc d4 75 09 6b b4 fa 48 ..h.t.'...u.k..H 0050 - ef c6 13 34 e7 c5 3b ef-9b f8 32 42 6f 83 41 e8 ...4..;...2Bo.A. 0060 - a6 e5 86 05 94 d6 f0 f1-99 c8 42 8f ca 31 24 ef ..........B..1$. 0070 - fd ee 73 8e a2 41 b2 62-e9 c2 52 dc 75 36 af d8 ..s..A.b..R.u6.. 0080 - 68 72 83 1e 2a ea 4c 9f-7c d8 0c 8d 26 08 93 c0 hr..*.L.|...&... 0090 - ae 2c d5 d3 0b 32 37 e3-11 ab 66 d0 62 d2 92 5f .,...27...f.b.._ Start Time: 1537784592 Timeout : 7200 (sec) Verify return code: 20 (unable to get local issuer certificate) Extended master secret: no --- closed -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.18.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en_AU:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages ca-certificates depends on: ii debconf [debconf-2.0] 1.5.69 ii openssl 1.1.0h-4 ca-certificates recommends no packages. ca-certificates suggests no packages. -- debconf information: ca-certificates/new_crts: ca-certificates/title: * ca-certificates/trust_new_crts: yes * ca-certificates/enable_crts: mozilla/ACCVRAIZ1.crt, mozilla/AC_RAIZ_FNMT-RCM.crt, mozilla/Actalis_Authentication_Root_CA.crt, mozilla/AddTrust_External_Root.crt, mozilla/AffirmTrust_Commercial.crt, mozilla/AffirmTrust_Networking.crt, mozilla/AffirmTrust_Premium.crt, mozilla/AffirmTrust_Premium_ECC.crt, mozilla/Amazon_Root_CA_1.crt, mozilla/Amazon_Root_CA_2.crt, mozilla/Amazon_Root_CA_3.crt, mozilla/Amazon_Root_CA_4.crt, mozilla/Atos_TrustedRoot_2011.crt, mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt, mozilla/Baltimore_CyberTrust_Root.crt, mozilla/Buypass_Class_2_Root_CA.crt, mozilla/Buypass_Class_3_Root_CA.crt, mozilla/CA_Disig_Root_R2.crt, mozilla/Certigna.crt, mozilla/Certinomis_-_Root_CA.crt, mozilla/Certplus_Class_2_Primary_CA.crt, mozilla/Certplus_Root_CA_G1.crt, mozilla/Certplus_Root_CA_G2.crt, mozilla/certSIGN_ROOT_CA.crt, mozilla/Certum_Trusted_Network_CA_2.crt, mozilla/Certum_Trusted_Network_CA.crt, mozilla/CFCA_EV_ROOT.crt, mozilla/Chambers_of_Commerce_Root_-_2008.crt, mozilla/Comodo_AAA_Services_root.crt, mozilla/COMODO_Certification_Authority.crt, mozilla/COMODO_ECC_Certification_Authority.crt, mozilla/COMODO_RSA_Certification_Authority.crt, mozilla/Cybertrust_Global_Root.crt, mozilla/Deutsche_Telekom_Root_CA_2.crt, mozilla/DigiCert_Assured_ID_Root_CA.crt, mozilla/DigiCert_Assured_ID_Root_G2.crt, mozilla/DigiCert_Assured_ID_Root_G3.crt, mozilla/DigiCert_Global_Root_CA.crt, mozilla/DigiCert_Global_Root_G2.crt, mozilla/DigiCert_Global_Root_G3.crt, mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, mozilla/DigiCert_Trusted_Root_G4.crt, mozilla/DST_Root_CA_X3.crt, mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt, mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt, mozilla/EC-ACC.crt, mozilla/EE_Certification_Centre_Root_CA.crt, mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt, mozilla/Entrust_Root_Certification_Authority.crt, mozilla/Entrust_Root_Certification_Authority_-_EC1.crt, mozilla/Entrust_Root_Certification_Authority_-_G2.crt, mozilla/ePKI_Root_Certification_Authority.crt, mozilla/E-Tugra_Certification_Authority.crt, mozilla/GDCA_TrustAUTH_R5_ROOT.crt, mozilla/GeoTrust_Global_CA.crt, mozilla/GeoTrust_Primary_Certification_Authority.crt, mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt, mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt, mozilla/GeoTrust_Universal_CA_2.crt, mozilla/GeoTrust_Universal_CA.crt, mozilla/Global_Chambersign_Root_-_2008.crt, mozilla/GlobalSign_ECC_Root_CA_-_R4.crt, mozilla/GlobalSign_ECC_Root_CA_-_R5.crt, mozilla/GlobalSign_Root_CA.crt, mozilla/GlobalSign_Root_CA_-_R2.crt, mozilla/GlobalSign_Root_CA_-_R3.crt, mozilla/Go_Daddy_Class_2_CA.crt, mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt, mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt, mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt, mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt, mozilla/Hongkong_Post_Root_CA_1.crt, mozilla/IdenTrust_Commercial_Root_CA_1.crt, mozilla/IdenTrust_Public_Sector_Root_CA_1.crt, mozilla/ISRG_Root_X1.crt, mozilla/Izenpe.com.crt, mozilla/LuxTrust_Global_Root_2.crt, mozilla/Microsec_e-Szigno_Root_CA_2009.crt, mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt, mozilla/Network_Solutions_Certificate_Authority.crt, mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt, mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt, mozilla/OpenTrust_Root_CA_G1.crt, mozilla/OpenTrust_Root_CA_G2.crt, mozilla/OpenTrust_Root_CA_G3.crt, mozilla/QuoVadis_Root_CA_1_G3.crt, mozilla/QuoVadis_Root_CA_2.crt, mozilla/QuoVadis_Root_CA_2_G3.crt, mozilla/QuoVadis_Root_CA_3.crt, mozilla/QuoVadis_Root_CA_3_G3.crt, mozilla/QuoVadis_Root_CA.crt, mozilla/Secure_Global_CA.crt, mozilla/SecureSign_RootCA11.crt, mozilla/SecureTrust_CA.crt, mozilla/Security_Communication_RootCA2.crt, mozilla/Security_Communication_Root_CA.crt, mozilla/Sonera_Class_2_Root_CA.crt, mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt, mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt, mozilla/SSL.com_Root_Certification_Authority_ECC.crt, mozilla/SSL.com_Root_Certification_Authority_RSA.crt, mozilla/Staat_der_Nederlanden_EV_Root_CA.crt, mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt, mozilla/Staat_der_Nederlanden_Root_CA_-_G3.crt, mozilla/Starfield_Class_2_CA.crt, mozilla/Starfield_Root_Certificate_Authority_-_G2.crt, mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt, mozilla/SwissSign_Gold_CA_-_G2.crt, mozilla/SwissSign_Silver_CA_-_G2.crt, mozilla/SZAFIR_ROOT_CA2.crt, mozilla/Taiwan_GRCA.crt, mozilla/TeliaSonera_Root_CA_v1.crt, mozilla/thawte_Primary_Root_CA.crt, mozilla/thawte_Primary_Root_CA_-_G2.crt, mozilla/thawte_Primary_Root_CA_-_G3.crt, mozilla/TrustCor_ECA-1.crt, mozilla/TrustCor_RootCert_CA-1.crt, mozilla/TrustCor_RootCert_CA-2.crt, mozilla/Trustis_FPS_Root_CA.crt, mozilla/T-TeleSec_GlobalRoot_Class_2.crt, mozilla/T-TeleSec_GlobalRoot_Class_3.crt, mozilla/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt, mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt, mozilla/TWCA_Global_Root_CA.crt, mozilla/TWCA_Root_Certification_Authority.crt, mozilla/USERTrust_ECC_Certification_Authority.crt, mozilla/USERTrust_RSA_Certification_Authority.crt, mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt, mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt, mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt, mozilla/VeriSign_Universal_Root_Certification_Authority.crt, mozilla/Visa_eCommerce_Root.crt, mozilla/XRamp_Global_CA_Root.crt