| Summary: | app-misc/ca-certificates: Thawte DV SSL CA not included | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Anton Bolshakov <anton.bugs> |
| Component: | Current packages | Assignee: | Gentoo's Team for Core System packages <base-system> |
| Status: | RESOLVED UPSTREAM | | |
| Severity: | normal | CC: | eugene.shalygin, whissi, zerochaos |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=505956, https://bugs.gentoo.org/show_bug.cgi?id=544276 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | Correct chained certificate for www.cgran.org | | |
Description
Anton Bolshakov
2013-09-20 10:22:52 UTC
unable to reproduce

---

What is your version of app-misc/ca-certificates?

---

(In reply to Chí-Thanh Christopher Nguyễn from comment #2)
> What is your version of app-misc/ca-certificates?

I am using app-misc/ca-certificates-20130119 and it works fine.

---

Ok, it's certainly good to know "it works" for you, but there are at least 2 users with the error.

I'm using the same 20130119 and I'm getting the same error with wget:

```
$ wget https://www.cgran.org/svn/projects/multimode/trunk
ERROR: cannot verify www.cgran.org's certificate, issued by ‘/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA’:
  Unable to locally verify the issuer's authority.

$ equery f ca-certificates | grep -i thawte
/etc/ssl/certs/Thawte_Premium_Server_CA.pem
/etc/ssl/certs/Thawte_Server_CA.pem
/etc/ssl/certs/thawte_Primary_Root_CA.pem
/etc/ssl/certs/thawte_Primary_Root_CA_-_G2.pem
/etc/ssl/certs/thawte_Primary_Root_CA_-_G3.pem
/usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt
/usr/share/ca-certificates/mozilla/Thawte_Server_CA.crt
/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA.crt
/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G2.crt
/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G3.crt

$ grep -i thawte /etc/ca-certificates.conf
mozilla/Thawte_Premium_Server_CA.crt
mozilla/Thawte_Server_CA.crt
mozilla/thawte_Primary_Root_CA.crt
mozilla/thawte_Primary_Root_CA_-_G2.crt
mozilla/thawte_Primary_Root_CA_-_G3.crt

/etc/ssl/certs $ ll | grep -i thawte
lrwxrwxrwx 1 root root 26 Sep 21 07:19 2e4eed3c.0 -> thawte_Primary_Root_CA.pem
lrwxrwxrwx 1 root root 20 Sep 21 07:19 6cc3c4c3.0 -> Thawte_Server_CA.pem
lrwxrwxrwx 1 root root 28 Sep 21 07:19 98ec67f0.0 -> Thawte_Premium_Server_CA.pem
lrwxrwxrwx 1 root root 63 Sep 21 07:19 Thawte_Premium_Server_CA.pem -> /usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt
lrwxrwxrwx 1 root root 55 Sep 21 07:19 Thawte_Server_CA.pem -> /usr/share/ca-certificates/mozilla/Thawte_Server_CA.crt
lrwxrwxrwx 1 root root 31 Sep 21 07:19 ba89ed3b.0 -> thawte_Primary_Root_CA_-_G3.pem
lrwxrwxrwx 1 root root 31 Sep 21 07:19 c089bbbd.0 -> thawte_Primary_Root_CA_-_G2.pem
lrwxrwxrwx 1 root root 61 Sep 21 07:19 thawte_Primary_Root_CA.pem -> /usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA.crt
lrwxrwxrwx 1 root root 66 Sep 21 07:19 thawte_Primary_Root_CA_-_G2.pem -> /usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G2.crt
lrwxrwxrwx 1 root root 66 Sep 21 07:19 thawte_Primary_Root_CA_-_G3.pem -> /usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G3.crt
```

I've regenerated all certs with "update-ca-certificates -f" but the error is still there. So please tell me what is wrong with my setup.

---

Not necessarily a ca-certificates problem. Do you have any dangling symlinks in /etc/ssl/certs? Was openssl built with or without the bindist flag?

---

No dead links in /etc/ssl, bindist is not enabled:

```
[ebuild   R    ] dev-libs/openssl-1.0.1e-r1  USE="(sse2) zlib -bindist -gmp -kerberos -rfc3779 -static-libs {-test} -vanilla"
```

emerge --info:

```
Portage 2.2.1 (hardened/linux/amd64, gcc-4.6.3, glibc-2.15-r3, 3.9.9-pentoo x86_64)
=================================================================
System uname: Linux-3.9.9-pentoo-x86_64-Intel-R-_Core-TM-_i5-3320M_CPU_@_2.60GHz-with-gentoo-2.2
KiB Mem:     7980692 total,   4321664 free
KiB Swap:    4194300 total,   4194300 free
Timestamp of tree: Wed, 18 Sep 2013 23:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.1
app-shells/bash:          4.2_p45
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.7.5-r2, 3.2.5-r2
dev-util/cmake:           2.8.10.2-r2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8::pentoo
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.4_p6-r1, 1.11.6, 1.12.6, 1.13.4
sys-devel/binutils:       2.23.1
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
ABI="amd64"
ABI_X86="32 64"
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA PUEL AdobeFlash-11.x Google-TOS dlj-1.1 google-chrome Oracle-BCLA-JavaSE Intel-SDP skype-4.0.0.7-copyright"
ACCEPT_PROPERTIES="*"
ACCEPT_RESTRICT="*"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ANDROID_SWT="/usr/share/swt-3.7/lib"
ANT_HOME="/usr/share/ant"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ARCH="amd64"
AUTOCLEAN="yes"
BOOTSTRAP_USE="cxx unicode python_targets_python3_2 python_targets_python2_7 multilib hardened pax_kernel pic -jit -orc multilib"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -mtune=generic -O2 -pipe"
CFLAGS_amd64="-m64"
CFLAGS_x32="-mx32"
CFLAGS_x86="-m32"
CHOST="x86_64-pc-linux-gnu"
CHOST_amd64="x86_64-pc-linux-gnu"
CHOST_x32="x86_64-pc-linux-gnux32"
CHOST_x86="i686-pc-linux-gnu"
CLEAN_DELAY="5"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
COLLISION_IGNORE="/lib/modules/* *.py[co] *$py.class */dropin.cache"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=core2 -mtune=generic -O2 -pipe"
```

---

Created attachment 359174: Correct chained certificate for www.cgran.org

According to http://ftp-master.metadata.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20130906_changelog there wasn't a change in (related) certificates.

It looks like a server configuration issue to me. www.cgran.org:443 is not sending the correct cert chain:

```
$ openssl s_client -CApath /etc/ssl -connect www.cgran.org:443
CONNECTED(00000003)
depth=0 OU = Go to https://www.thawte.com/repository/index.html, OU = Thawte SSL123 certificate, OU = Domain Validated, CN = www.cgran.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Go to https://www.thawte.com/repository/index.html, OU = Thawte SSL123 certificate, OU = Domain Validated, CN = www.cgran.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Go to https://www.thawte.com/repository/index.html, OU = Thawte SSL123 certificate, OU = Domain Validated, CN = www.cgran.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=www.cgran.org
   i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
```

GoDaddy? ValiCert? That's wrong.

I created the correct chained certificate for you (basically `cat www.cgran.org.crt > chain.crt && cat ThawteDVSSLCA.crt >> chain.crt`, nothing else).

---

```
[ebuild   R    ] dev-libs/openssl-1.0.1e-r1  USE="(sse2) zlib -bindist -gmp -kerberos -rfc3779 -static-libs {-test} -vanilla" 0 kB
```

no dangling symlinks here

---

yes, www.cgran.org is misconfigured (as others have pointed out here). you can also see it using a site like: https://www.ssllabs.com/ssltest/analyze.html?d=cgran.org look at the chain issues section.

that said, is it expected that ca-certificates include intermediate CA certs like "Thawte DV SSL CA"? i'm not sure ... that'd be a question for Debian really. we've been punting these bugs to http://bugs.debian.org/ because we're lazy :).
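An added example, not part of the bug report or of the ca-certificates package: a Python script that parses the "Certificate chain" section of the `openssl s_client` output quoted above (embedded here as the sample) and reports which issuer the server failed to send and which of the certificates it did send the leaf never chains to, which is the misconfiguration diagnosed in the thread. It works on the subject/issuer DNs as printed by openssl, so it needs no network access or certificate library.

```python
"""Spot gaps and stray certificates in an `openssl s_client` chain listing."""
import re

# Chain section copied from the thread's s_client run against www.cgran.org:443.
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=www.cgran.org
   i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
"""

# One entry is an " N s:<subject>" line followed by an "   i:<issuer>" line.
ENTRY_RE = re.compile(r"^\s*(\d+) s:(.+)\n\s*i:(.+)$", re.MULTILINE)


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in ENTRY_RE.finditer(output)]


def walk_chain(chain):
    """Follow issuer links from the leaf (entry 0).

    Returns (path, missing, stray): path = entry indices reached from the leaf;
    missing = issuer DN the server did not send (None if the path ends at a
    self-signed root), i.e. what the client must already hold locally;
    stray = entries the server sent that the leaf never chains to.
    """
    if not chain:
        return [], None, []
    by_subject = {subj: i for i, (subj, _) in enumerate(chain)}
    path, idx, missing = [], 0, None
    while True:
        path.append(idx)
        subj, issuer = chain[idx]
        if issuer == subj:                # self-signed: chain is complete
            break
        nxt = by_subject.get(issuer)
        if nxt is None or nxt in path:    # gap (or a loop): stop here
            missing = issuer
            break
        idx = nxt
    stray = [i for i in range(len(chain)) if i not in path]
    return path, missing, stray


if __name__ == "__main__":
    print(walk_chain(parse_chain(SAMPLE_OUTPUT)))
```

For the sample this reports that the leaf's issuer "Thawte DV SSL CA" was never sent and that entries 1 to 3 (GoDaddy/ValiCert) are unrelated to the leaf, which is exactly why a client holding only the Thawte roots fails with "unable to get local issuer certificate".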