Public bug reported: Some Let's Encrypt Root CA (ISRG Root X1) is missing from ca- certificates package. It's easy to confirm:
$ curl -svo /dev/null https://natashamoroz.com * Host natashamoroz.com:443 was resolved. * IPv6: (none) * IPv4: 188.242.141.254 * Trying 188.242.141.254:443... * Connected to natashamoroz.com (188.242.141.254) port 443 * ALPN: curl offers h2,http/1.1 } [5 bytes data] * TLSv1.3 (OUT), TLS handshake, Client hello (1): } [512 bytes data] * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs { [5 bytes data] * TLSv1.3 (IN), TLS handshake, Server hello (2): { [122 bytes data] * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): { [21 bytes data] * TLSv1.3 (IN), TLS handshake, Certificate (11): { [2056 bytes data] * TLSv1.3 (OUT), TLS alert, unknown CA (560): } [2 bytes data] * SSL certificate problem: unable to get local issuer certificate * Closing connection $ openssl s_client -connect natashamoroz.com:443 -showcerts CONNECTED(00000003) depth=0 CN = natashamoroz.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = natashamoroz.com verify error:num=21:unable to verify the first certificate verify return:1 depth=0 CN = natashamoroz.com verify return:1 --- Certificate chain 0 s:CN = natashamoroz.com i:C = US, O = Let's Encrypt, CN = E5 a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384 v:NotBefore: Aug 9 12:48:02 2024 GMT; NotAfter: Nov 7 12:48:01 2024 GMT -----BEGIN CERTIFICATE----- MIIDlzCCAx2gAwIBAgISBHHFUn5199cYVg5s4AbDFGiMMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF NTAeFw0yNDA4MDkxMjQ4MDJaFw0yNDExMDcxMjQ4MDFaMBsxGTAXBgNVBAMTEG5h dGFzaGFtb3Jvei5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATQWyHUiZx/ QlngiDCEFqa4MUCaX63vTIeMpq/pd3eH1WWNu3n6esazgKE6dyy2AVxJCiWQA7WU a++caH3C0xUvo4ICKDCCAiQwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsG AQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTDqKJxFz10 63UDZBA6bg9d1ATHNjAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZwi9LXDTBV BggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNS5vLmxlbmNyLm9y ZzAiBggrBgEFBQcwAoYWaHR0cDovL2U1LmkubGVuY3Iub3JnLzAxBgNVHREEKjAo ghBuYXRhc2hhbW9yb3ouY29tghR3d3cubmF0YXNoYW1vcm96LmNvbTATBgNVHSAE DDAKMAgGBmeBDAECATCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2AO7N0GTV2xrO xVy3nbTNE6Iyh0Z8vOzew1FIWUZxH7WbAAABkTdkGywAAAQDAEcwRQIgMUjSGkuN +vx6PNq9jzGJbP5dKgfs5K7/wxVAWWIQcmgCIQC3EVMlI0TzMAkKyZEJ6K7cfFp0 aQ5FatPnW4j8egNqjwB2AN/hVuuqBa+1nA+GcY2owDJOrlbZbqf1pWoB0cE7vlJc AAABkTdkG+gAAAQDAEcwRQIhAL7ZuYjCN/QfLb5PvmmEQ/+34Xjw5nsCOZk+t8XC SPYJAiAH+ZVke25hv/jCO4jmGwZHVLmnOq0VCbNOVqMc6JvvTzAKBggqhkjOPQQD AwNoADBlAjARhAZ9+bKg0oGS9Sr0704OB4CiauuM5WTtdU2wGRRG5M/5NsQjxgRF s3CkoL937ngCMQCMzai0sFnQ7cioVZEk62n2U/9zIMFHWJ5IVui0PEdPp6J8yo18 TU5JS3IYQyDeJTM= -----END CERTIFICATE----- 1 s:C = US, O = Let's Encrypt, CN = E6 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256 v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT -----BEGIN CERTIFICATE----- MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV 6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7 s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8 ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0 LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+ EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY Ig46v9mFmBvyH04= -----END CERTIFICATE----- --- Server certificate subject=CN = natashamoroz.com issuer=C = US, O = Let's Encrypt, CN = E5 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 2415 bytes and written 398 bytes Verification error: unable to verify the first certificate $ sudo grep -i -r 'ISRG Root X1' /etc/ssl/certs/ | wc -l 0 ProblemType: Bug DistroRelease: Ubuntu 24.04 Package: ca-certificates 20240203 Uname: Linux 5.15.153.1-microsoft-standard-WSL2 x86_64 ApportVersion: 2.28.1-0ubuntu3.1 Architecture: amd64 CasperMD5CheckResult: unknown Date: Fri Sep 27 03:08:28 2024 PackageArchitecture: all ProcEnviron: LANG=C.UTF-8 PATH=(custom, no user) SHELL=/bin/bash TERM=xterm-256color XDG_RUNTIME_DIR=<set> SourcePackage: ca-certificates UpgradeStatus: Upgraded to noble on 2024-09-10 (17 days ago) mtime.conffile..etc.init.d.apport: 2024-07-22T22:59:07 ** Affects: ca-certificates (Ubuntu) Importance: Undecided Status: New ** Tags: amd64 apport-bug noble wayland-session -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu. https://bugs.launchpad.net/bugs/2082625 Title: Let's Encrypt Root CA is missing Status in ca-certificates package in Ubuntu: New Bug description: Some Let's Encrypt Root CA (ISRG Root X1) is missing from ca- certificates package. It's easy to confirm: $ curl -svo /dev/null https://natashamoroz.com * Host natashamoroz.com:443 was resolved. * IPv6: (none) * IPv4: 188.242.141.254 * Trying 188.242.141.254:443... * Connected to natashamoroz.com (188.242.141.254) port 443 * ALPN: curl offers h2,http/1.1 } [5 bytes data] * TLSv1.3 (OUT), TLS handshake, Client hello (1): } [512 bytes data] * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs { [5 bytes data] * TLSv1.3 (IN), TLS handshake, Server hello (2): { [122 bytes data] * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): { [21 bytes data] * TLSv1.3 (IN), TLS handshake, Certificate (11): { [2056 bytes data] * TLSv1.3 (OUT), TLS alert, unknown CA (560): } [2 bytes data] * SSL certificate problem: unable to get local issuer certificate * Closing connection $ openssl s_client -connect natashamoroz.com:443 -showcerts CONNECTED(00000003) depth=0 CN = natashamoroz.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = natashamoroz.com verify error:num=21:unable to verify the first certificate verify return:1 depth=0 CN = natashamoroz.com verify return:1 --- Certificate chain 0 s:CN = natashamoroz.com i:C = US, O = Let's Encrypt, CN = E5 a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384 v:NotBefore: Aug 9 12:48:02 2024 GMT; NotAfter: Nov 7 12:48:01 2024 GMT -----BEGIN CERTIFICATE----- MIIDlzCCAx2gAwIBAgISBHHFUn5199cYVg5s4AbDFGiMMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF NTAeFw0yNDA4MDkxMjQ4MDJaFw0yNDExMDcxMjQ4MDFaMBsxGTAXBgNVBAMTEG5h dGFzaGFtb3Jvei5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATQWyHUiZx/ QlngiDCEFqa4MUCaX63vTIeMpq/pd3eH1WWNu3n6esazgKE6dyy2AVxJCiWQA7WU a++caH3C0xUvo4ICKDCCAiQwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsG AQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTDqKJxFz10 63UDZBA6bg9d1ATHNjAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZwi9LXDTBV BggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNS5vLmxlbmNyLm9y ZzAiBggrBgEFBQcwAoYWaHR0cDovL2U1LmkubGVuY3Iub3JnLzAxBgNVHREEKjAo ghBuYXRhc2hhbW9yb3ouY29tghR3d3cubmF0YXNoYW1vcm96LmNvbTATBgNVHSAE DDAKMAgGBmeBDAECATCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2AO7N0GTV2xrO xVy3nbTNE6Iyh0Z8vOzew1FIWUZxH7WbAAABkTdkGywAAAQDAEcwRQIgMUjSGkuN +vx6PNq9jzGJbP5dKgfs5K7/wxVAWWIQcmgCIQC3EVMlI0TzMAkKyZEJ6K7cfFp0 aQ5FatPnW4j8egNqjwB2AN/hVuuqBa+1nA+GcY2owDJOrlbZbqf1pWoB0cE7vlJc AAABkTdkG+gAAAQDAEcwRQIhAL7ZuYjCN/QfLb5PvmmEQ/+34Xjw5nsCOZk+t8XC SPYJAiAH+ZVke25hv/jCO4jmGwZHVLmnOq0VCbNOVqMc6JvvTzAKBggqhkjOPQQD AwNoADBlAjARhAZ9+bKg0oGS9Sr0704OB4CiauuM5WTtdU2wGRRG5M/5NsQjxgRF s3CkoL937ngCMQCMzai0sFnQ7cioVZEk62n2U/9zIMFHWJ5IVui0PEdPp6J8yo18 TU5JS3IYQyDeJTM= -----END CERTIFICATE----- 1 s:C = US, O = Let's Encrypt, CN = E6 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256 v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT -----BEGIN CERTIFICATE----- MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV 6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7 s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8 ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0 LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+ EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY Ig46v9mFmBvyH04= -----END CERTIFICATE----- --- Server certificate subject=CN = natashamoroz.com issuer=C = US, O = Let's Encrypt, CN = E5 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 2415 bytes and written 398 bytes Verification error: unable to verify the first certificate $ sudo grep -i -r 'ISRG Root X1' /etc/ssl/certs/ | wc -l 0 ProblemType: Bug DistroRelease: Ubuntu 24.04 Package: ca-certificates 20240203 Uname: Linux 5.15.153.1-microsoft-standard-WSL2 x86_64 ApportVersion: 2.28.1-0ubuntu3.1 Architecture: amd64 CasperMD5CheckResult: unknown Date: Fri Sep 27 03:08:28 2024 PackageArchitecture: all ProcEnviron: LANG=C.UTF-8 PATH=(custom, no user) SHELL=/bin/bash TERM=xterm-256color XDG_RUNTIME_DIR=<set> SourcePackage: ca-certificates UpgradeStatus: Upgraded to noble on 2024-09-10 (17 days ago) mtime.conffile..etc.init.d.apport: 2024-07-22T22:59:07 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/2082625/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
