The openssl tools in Ubuntu 14.04 never did use the system CA file by
default. That was fixed in later releases. So it's normal that you don't
need to specify it manually when using 15.10 for example, but do need to
specify it in 14.04.

The path to it has always been /etc/ssl/certs/ca-certificates.crt.

Are you still having issues after updating openssl and restarting your
services?

https://bugs.launchpad.net/bugs/1549709

Title:
  getting "unable to get local issuer certificate" for valid domains
  after upgrading to 20160104ubuntu0.14.04.1

Status in ca-certificates package in Ubuntu:
  Incomplete

Bug description:
  Several 14.04 servers were reporting problems connecting to different
  sites and APIs this morning.

  I'm not entirely sure, but looking at /var/log/apt/history (showing
  ca-certificates:amd64 (20141019ubuntu0.14.04.1,
  20160104ubuntu0.14.04.1)) in combination with what I believe is
  causing the connection problems made me file this bug.

  If I'm right, this is probably pretty bad, since all connections initiated
  by this server checking an SSL certificate will fail, and actually that's
  exactly what happened here.

  Here is an example where I check a valid SSL domain like
  www.google.com, resulting in a Verify return code: 20 (unable to get
  local issuer certificate) while my non 14.04LTS-machines kept
  accepting it:

  echo | openssl s_client -connect www.google.com:443
  CONNECTED(00000003)
  depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  ---
  Certificate chain
   0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
     i:/C=US/O=Google Inc/CN=Google Internet Authority G2
   1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
     i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  ---
  Server certificate
  subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
  issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 3727 bytes and written 421 bytes
  ---
  New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
  Server public key is 2048 bit
  Secure Renegotiation IS supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
      Protocol  : TLSv1.2
      Cipher    : ECDHE-RSA-AES128-GCM-SHA256
      Session-ID: 6635C1B245005CBE38B6B857F422476F6CE8963462561E0A8AA926AEE25CA711
      Session-ID-ctx:
      Master-Key: 89C73689FE905D803AB2589FF70FA5B0466DB3EC372333B7A22EFF03A6D60314C84AA9B6DAAF7D1D64F4882E1B463838
      Key-Arg   : None
      PSK identity: None
      PSK identity hint: None
      SRP username: None
      TLS session ticket lifetime hint: 100800 (seconds)
      TLS session ticket:

      Start Time: 1456391908
      Timeout   : 300 (sec)
      Verify return code: 20 (unable to get local issuer certificate)
  ---
  DONE

  thanks in advance - max
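
Added example, not part of the bug report and not Ubuntu or OpenSSL code: a small Python parser for `openssl s_client` output that names the issuer the verifier could not find for each error 20. SAMPLE is constructed from the verification lines of the transcript above; the function names are hypothetical, and it assumes verify depth N corresponds to entry N of the printed chain.

```python
import re

# Constructed sample: the verification-relevant lines of the s_client output in the report.
SAMPLE = """\
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
    Verify return code: 20 (unable to get local issuer certificate)
"""

def parse_s_client(text):
    """Return (verify errors, presented chain by index, final verify code)."""
    errors, chain, final = [], {}, None
    depth = idx = None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"depth=(\d+)\s", s):
            depth = int(m.group(1))          # depth the next verify error refers to
        elif m := re.match(r"verify error:num=(\d+):(.*)", s):
            errors.append({"depth": depth, "num": int(m.group(1)), "reason": m.group(2)})
        elif m := re.match(r"(\d+) s:(.*)", s):
            idx = int(m.group(1))            # chain entry: subject line
            chain[idx] = {"subject": m.group(2), "issuer": None}
        elif s.startswith("i:") and idx is not None:
            chain[idx]["issuer"] = s[2:]     # chain entry: issuer line
        elif m := re.match(r"Verify return code: (\d+) \((.*)\)", s):
            final = (int(m.group(1)), m.group(2))
    return errors, chain, final

def missing_issuers(text):
    """For each error 20, the issuer DN that was not found in the local trust store.
    Assumption: verify depth N corresponds to entry N of the printed chain."""
    errors, chain, _ = parse_s_client(text)
    return [chain[e["depth"]]["issuer"]
            for e in errors if e["num"] == 20 and e["depth"] in chain]
```

On 14.04, per the reply at the top of this message, rerun `s_client` with `-CAfile /etc/ssl/certs/ca-certificates.crt` before reading the result, since the tool does not load the system bundle by default there.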
