Will this issue also be fixed in Focal?

It's currently not possible to connect to Apple Push servers in Ubuntu
20.04 due to the removal of the GeoTrust Global Root which Apple returns
in their certificate chain from api.push.apple.com.

```
~ cat /etc/issue
Ubuntu 20.04.2 LTS \n \l

~ apt list ca-certificates -a
Listing... Done
ca-certificates/focal-updates,focal-updates,focal-security,focal-security,now 20210119~20.04.1 all [installed]
ca-certificates/focal,focal 20190110ubuntu1 all

~ echo "Q" | openssl s_client -connect api.push.apple.com:443
CONNECTED(00000003)
depth=1 CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = api.push.apple.com, OU = management:idms.group.533599, O = Apple Inc., ST = California, C = US
verify return:1
---
Certificate chain
 0 s:CN = api.push.apple.com, OU = management:idms.group.533599, O = Apple Inc., ST = California, C = US
   i:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
 1 s:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
   i:C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
---
Server certificate
subject=CN = api.push.apple.com, OU = management:idms.group.533599, O = Apple Inc., ST = California, C = US

issuer=CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US

---
Acceptable client certificate CA names
C = US, O = Apple Inc., OU = Apple Certification Authority, CN = Apple Root CA
CN = Apple Application Integration 2 Certification Authority, OU = Apple Certification Authority, O = Apple Inc., C = US
CN = Apple Corporate Authentication CA 1, OU = Certification Authority, O = Apple Inc., C = US
C = US, O = Apple Inc., OU = Apple Worldwide Developer Relations, CN = Apple Worldwide Developer Relations Certification Authority
CN = Apple Corporate Root CA, OU = Certification Authority, O = Apple Inc., C = US
C = US, O = Apple Inc., OU = Apple Certification Authority, CN = Apple Application Integration Certification Authority
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4599 bytes and written 420 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
```

https://bugs.launchpad.net/bugs/1913951

Title:
  ca-certificates:  Symantec CA blacklisted for non-TLS uses
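
An added example, not part of the original report: a small Python parser that reads `openssl s_client` output of the shape shown above and names the root the server's chain depends on, then checks it against a list of trusted subject names. The sample transcript is trimmed from the output above, and the `TRUSTED` set and both function names are constructed for illustration.

```python
import re

# Constructed sample: trimmed, unwrapped s_client output in the shape shown in the report.
SAMPLE = """\
depth=1 CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = api.push.apple.com, OU = management:idms.group.533599, O = Apple Inc., ST = California, C = US
   i:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
 1 s:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
   i:C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
---
Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed stand-in for the subject DNs of the roots in the local trust store.
TRUSTED = {"C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA"}

def parse_chain(text):
    """Return [(depth, subject, issuer)] from the 'Certificate chain' section."""
    chain, depth, subject, in_chain = [], None, None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.startswith("---"):
            break  # end of the chain section
        elif in_chain:
            m = re.match(r"\s*(\d+) s:(.*)", line)
            if m:
                depth, subject = int(m.group(1)), m.group(2).strip()
            elif line.strip().startswith("i:"):
                chain.append((depth, subject, line.strip()[2:].strip()))
    return chain

def diagnose(text, trusted_subjects):
    """Summarise why verification failed: which root is needed and whether it is trusted."""
    chain = parse_chain(text)
    code = re.search(r"Verify return code: (\d+) \((.*)\)", text)
    top = chain[-1][2] if chain else None  # issuer of the last certificate the server sent
    return {
        "verify_code": int(code.group(1)) if code else None,
        # Each certificate's issuer must be the subject of the next one sent.
        "chain_links_ok": all(a[2] == b[1] for a, b in zip(chain, chain[1:])),
        "needed_root": top,
        # Assumption: plain DN string comparison; a real check lets OpenSSL build the path.
        "root_trusted": top in trusted_subjects,
    }

print(diagnose(SAMPLE, TRUSTED))
```
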
