Bug#812708: Also affected: Baltimore CyberTrust Root used by Mailchimp

[Miguel Jacq]

Confirming that I too had to re-add the Thawte_Premium_Server_CA.crt and 
GTE_CyberTrust_Global_Root.crt before I could make requests to Twilio and 
Mailchimp APIs (respectively) again on Debian 8.3.


signature.asc
Description: Digital signature

Bug#812708: Also affected: Baltimore CyberTrust Root used by Mailchimp

[Rich Lott - Artful Robot]

Hi Michael,

Thanks for getting back. Good you did as I was wrong!

Here's what's failing under Debian Jessie:

echo GET | openssl s_client -CApath /etc/ssl/certs/ -connect 
us9.api.mailchimp.com:443  2>&1  | head -n5
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore 
CyberTrust Root

verify error:num=20:unable to get local issuer certificate
verify return:0


I tracked this down to the following change in ca-certificates.conf:

Was:
mozilla/GTE_CyberTrust_Global_Root.crt

Is:
#!mozilla/GTE_CyberTrust_Global_Root.crt

By adding that certificate back in (from a local Ubuntu), adding it back 
to /etc/ca-certificates.conf and running update-ca-certificates, 
Mailchimp's API works again.


Hope this is useful, I have to admit I'm at the limit of my 
understanding on this!


Thanks,

Rich




On 05/02/16 15:40, Michael Shuler wrote:

On 02/05/2016 05:49 AM, Rich wrote:

subject says it all.


Please provide a specific URL to test. The "Baltimore CyberTrust Root" 
CA may be a different issue, looking at several mozilla bugzilla 
tickets, but I can't tell without any detail.


Thanks, Michael

Bug#812708: Also affected: Baltimore CyberTrust Root used by Mailchimp

[Michael Shuler]

On 02/05/2016 05:49 AM, Rich wrote:

subject says it all.


Please provide a specific URL to test. The "Baltimore CyberTrust Root" 
CA may be a different issue, looking at several mozilla bugzilla 
tickets, but I can't tell without any detail.


Thanks, Michael

Bug#812708: Also affected: Baltimore CyberTrust Root used by Mailchimp

[Rich]

subject says it all.