Looks like I can't close it. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu. https://bugs.launchpad.net/bugs/1549709
Title: getting "unable to get local issuer certificate" for valid domains after upgrading to 20160104ubuntu0.14.04.1 Status in ca-certificates package in Ubuntu: Invalid Bug description: Several 14.04 servers were reporting problems connecting to different sites and APIs this morning. I'm not entirely sure, but looking at /var/log/apt/history (showing ca-certificates:amd64 (20141019ubuntu0.14.04.1, 20160104ubuntu0.14.04.1)) in combination with what I believe is causing the connection problems made me file this bug. If I'm right this is probably pretty bad, since all connections initiated by this server checking a SSL certificate will fail and actually that's exactly what happened here. Here is an example where I check a valid ssl domain like www.google.com resulting in an Verify return code: 20 (unable to get local issuer certificate) while my non 14.04LTS-machines kept accepting it: echo | openssl s_client -connect www.google.com:443 CONNECTED(00000003) depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com i:/C=US/O=Google Inc/CN=Google Internet Authority G2 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIEgDCCA2igAwIBAgIIXDR9H6fDVBgwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwMjE3MTAyMDE3WhcNMTYwNTE3MDAwMDAw WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3 Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8+Ugs pBXm3zFVRCA6k8DEXqpCf4Zw79y1dbgPuGHdw1NXawEvy8M4K3slQAwRBbGJO34Y mVQEeJRK98kJ+dBAajlKGbOkqfk7ZdPpl50zSb+OmM5As4+w1K6gWo9CPt525PyS /g/vdSj81XgCFQPNSLeTP2Uj6ZlXZpSyc1Ti+P6QZ/omOHtC/Lo1b9baQyQf7E7h MOyTh8TAqJjTeVwg50SKhjzTRiY8t94JBXMknDL0eczEMtZRt5+Fwxe0li3xg5Aw 0bESlWU7qGluvjz+GFbSTdHfAIzYXxp86+zVvdyDTWGC5344GGtYCr5PRDNalV5o wBxUVe6l1VYXBKDVAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0 MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G A1UdDgQWBBTiRG9FdyKQOTNltPaXqgJRKlSlPjAMBgNVHRMBAf8EAjAAMB8GA1Ud IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAIUTrfaaB+cJSk20L RHqDwaLWe8cyLR8Ks4Vee/ZxLQDcPuxItvlho0N+/j5ZUnU1XseyiE9yD6ezmY7e ChyXUlzKzMdLyvjy7/EzTViW28Czbnp/JepBUipMDhJz7EMLdvqkw2cs0BwevRkU 6jzbQoYzOCalmWs1Mt4S8AyklbMHUjo/vOcs4+RePG9evxV0yWxCDNgLZbMckxcg vL4S5P8C4cY96+qhRwR/ErYHFRkuniQleLz1tEMkei5sK3tY5Sae0uTGH2Z30fs0 RViv9SFdfjMQDMFmEabPoNermhUx9hjENfMvWqJ1r+dbDTl3ANt/feNa+d6Z3Zpz MUtO9Q== -----END CERTIFICATE----- subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2 --- No client certificate CA names sent --- SSL handshake has read 3727 bytes and written 421 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 6635C1B245005CBE38B6B857F422476F6CE8963462561E0A8AA926AEE25CA711 Session-ID-ctx: Master-Key: 89C73689FE905D803AB2589FF70FA5B0466DB3EC372333B7A22EFF03A6D60314C84AA9B6DAAF7D1D64F4882E1B463838 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 100800 (seconds) TLS session ticket: 0000 - 82 ef b9 02 2c a1 b6 6f-a0 6c cd 1f 87 ff 3a 83 ....,..o.l....:. 0010 - 6c 27 c3 3c 9b 00 91 90-72 a4 8c 34 ca 6a 45 fd l'.<....r..4.jE. 0020 - 51 5d 8d 50 56 77 d2 48-d7 9a dc ce be 67 8e ca Q].PVw.H.....g.. 0030 - 9d 59 94 8c a4 2f 23 75-09 db b7 c2 f8 9f 71 38 .Y.../#u......q8 0040 - 05 b2 8b 8f 4e f5 6b d9-e8 dd ae 6e f8 17 92 c4 ....N.k....n.... 0050 - 04 14 52 91 58 b9 92 a6-8f f2 5d 60 70 f5 3b ab ..R.X.....]`p.;. 0060 - a9 3b 8c 69 d5 67 44 2b-0b da 1c 90 58 0e 9b a8 .;.i.gD+....X... 0070 - 90 fe 41 1a 82 77 ab 44-23 2a 1a 13 fa 5d 00 54 ..A..w.D#*...].T 0080 - cd c4 ac 7b 4a 21 8a 59-e7 7a dc e0 d3 13 9b 16 ...{J!.Y.z...... 0090 - 2f 61 24 5f 3d 9e d7 d0-81 e5 1e fb 93 78 09 60 /a$_=........x.` 00a0 - a3 79 10 35 .y.5 Start Time: 1456391908 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) --- DONE thanks in advance - max To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1549709/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp