With the Digistar mess, which caused ca-certificates-20110502 to be stabilized, something went wrong ca-certificates. This causes Konqueror to show warning for a lot of websites, such as https://signin.ebay.com. The reason is likely the ROOT certificate "VeriSign Class 3 Public Primary Certification Authority - G5", for which the serial changes, which makes it invalid: With ca-certificates-20110502-r1: 3e:a2:cb:6b:ac:5b:de:d6:26:a5:ae:a6:d9:14:e3:0c With ca-certificates-20090709: 58:f3:9e:5c:01:2b:19:47:21:a9:8e:e4:ee:e0:f8:bf Ebay signin works fine in Firefox 3.6.20 and if I downgrade ca-certificates to ca-certificates-20090709, the last stable version, all is back to normal again (both in openssl command line and Konqueror 4.6.5. Reproducible: Always Steps to Reproduce: 1. openssl s_client -host signin.ebay.com -port 443 -CApath /etc/ssl/certs/ Alternatively: 2. konqueror https://signin.ebay.com Actual Results: [...] Verify return code: 20 (unable to get local issuer certificate) Alternatively: Konqueror complains with "The server failed the authenticity check (signin.ebay.com). The certificate authority's certificate is invalid. The root certificate authority's certificate is not trusted for this purpose Expected Results: [...] Verify return code: 0 (ok) Alternatively: Konqueror redirects to the proper Ebay signin page.
Reassigning to maintainer.
next try...
A similar report can be found here: http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg938770.html . That report attributes it to VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt which got updated in ca-certificates 20110421, while some servers still send the older version of the certificate in their bundle causing a conflict in openssl.
I'm experiencing the same issue here. Konqueror claims that the certificate mentioned above is invalid. I'm using ca-certificates20110502-r1. I don't know if it is helpful, but I will include the output of below openssl x509 -text -in /usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt Cheers Certificate: Data: Version: 3 (0x2) Serial Number: 18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5 Validity Not Before: Nov 8 00:00:00 2006 GMT Not After : Jul 16 23:59:59 2036 GMT Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:af:24:08:08:29:7a:35:9e:60:0c:aa:e7:4b:3b: 4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57: 08:a3:64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8: 2a:aa:a6:42:b3:8f:f8:b9:55:b7:b1:b7:4b:b3:fe: 8f:7e:07:57:ec:ef:43:db:66:62:15:61:cf:60:0d: a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59: 54:85:26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49: d8:43:63:6a:52:4b:d2:8f:e8:70:51:4d:d1:89:69: 7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b:56:d3:96: bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5: f4:06:04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02: ba:f4:3c:ee:e0:8b:eb:37:8b:ec:f4:d7:ac:f2:f6: f0:3d:af:dd:75:91:33:19:1d:1c:40:cb:74:24:19: 21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d: 63:47:88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95: ae:0e:9d:d4:d1:43:c0:67:73:e3:14:08:7e:e5:3f: 9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a:ee:53:e8: 25:15 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Certificate Sign, CRL Sign 1.3.6.1.5.5.7.1.12: 0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif X509v3 Subject Key Identifier: 7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33 Signature Algorithm: sha1WithRSAEncryption 93:24:4a:30:5f:62:cf:d8:1a:98:2f:3d:ea:dc:99:2d:bd:77: f6:a5:79:22:38:ec:c4:a7:a0:78:12:ad:62:0e:45:70:64:c5: e7:97:66:2d:98:09:7e:5f:af:d6:cc:28:65:f2:01:aa:08:1a: 47:de:f9:f9:7c:92:5a:08:69:20:0d:d9:3e:6d:6e:3c:0d:6e: d8:e6:06:91:40:18:b9:f8:c1:ed:df:db:41:aa:e0:96:20:c9: cd:64:15:38:81:c9:94:ee:a2:84:29:0b:13:6f:8e:db:0c:dd: 25:02:db:a4:8b:19:44:d2:41:7a:05:69:4a:58:4f:60:ca:7e: 82:6a:0b:02:aa:25:17:39:b5:db:7f:e7:84:65:2a:95:8a:bd: 86:de:5e:81:16:83:2d:10:cc:de:fd:a8:82:2a:6d:28:1f:0d: 0b:c4:e5:e7:1a:26:19:e1:f4:11:6f:10:b5:95:fc:e7:42:05: 32:db:ce:9d:51:5e:28:b6:9e:85:d3:5b:ef:a5:7d:45:40:72: 8e:b7:0e:6b:0e:06:fb:33:35:48:71:b8:9d:27:8b:c4:65:5f: 0d:86:76:9c:44:7a:f6:95:5c:f6:5d:32:08:33:a4:54:b6:18: 3f:68:5c:f2:42:4a:85:38:54:83:5f:d1:e8:2c:f2:ac:11:d6: a8:ed:63:6a -----BEGIN CERTIFICATE----- MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1 nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+ rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/ NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y 5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ 4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq -----END CERTIFICATE-----
I also have this problem, with =app-misc/ca-certificates-20130119 and rekonq.
seems to be fine w/ca-certificates-20140223
here's the test: $ openssl s_client -host signin.ebay.com -port 443 -CApath /etc/ssl/certs \ </dev/null >/dev/null depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5 verify return:1 depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA verify return:1 depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 2871352, C = US, postalCode = 95125, ST = California, L = San Jose, street = 2145 Hamilton Ave, O = "eBay, Inc.", OU = Site Operations, CN = signin.ebay.com verify return:1 DONE
