While updating my workstation, suddenly the SSL handshake of my web clients (firefox, owncloud-client) started to fail. The certificates for the server concerned are signed with the Cacert.org class 3 root certificate. I noticed that the ca-certificates package had just been emerged from version 20130906-r1 to version 20140927.3.17.2.

In the file /var/log/portage/app-misc:ca-certificates-20140927.3.17.2:20150401-183814.log I noticed these lines:

 * Broken symlink for a certificate at /etc/ssl/certs/20d096ba.0
 * Broken symlink for a certificate at /etc/ssl/certs/9b353c9a.0
 * Broken symlink for a certificate at /etc/ssl/certs/5f267794.0
 * Broken symlink for a certificate at /etc/ssl/certs/03f0efa4.0
 * Broken symlink for a certificate at /etc/ssl/certs/9af9f759.0
 * Broken symlink for a certificate at /etc/ssl/certs/55a10908.0
 * Broken symlink for a certificate at /etc/ssl/certs/2cfc4974.0
 * Broken symlink for a certificate at /etc/ssl/certs/590d426f.0
 * Broken symlink for a certificate at /etc/ssl/certs/ce026bf8.0
 * Removing the following broken symlinks:
 * //etc/ssl/certs/20d096ba.0 -> ValiCert_Class_1_VA.pem
 * //etc/ssl/certs/9b353c9a.0 -> TDC_Internet_Root_CA.pem
 * //etc/ssl/certs/5f267794.0 -> Entrust.net_Secure_Server_CA.pem
 * //etc/ssl/certs/03f0efa4.0 -> Wells_Fargo_Root_CA.pem
 * //etc/ssl/certs/9af9f759.0 -> RSA_Root_Certificate_1.pem
 * //etc/ssl/certs/55a10908.0 -> ValiCert_Class_2_VA.pem
 * //etc/ssl/certs/2cfc4974.0 -> TDC_OCES_Root_CA.pem
 * //etc/ssl/certs/590d426f.0 -> cacert.org_class3.pem
 * //etc/ssl/certs/ce026bf8.0 -> Firmaprofesional_Root_CA.pem
Apologies, I forgot to mention something very important: The problem disappeared after I downgraded the ca-certificates package on my workstation to version app-misc/ca-certificates-20130906-r1.
This might be a dumb question, but do you have the cacert USE flag enabled? The cacert USE flag is new as of app-misc/ca-certificates-20140223.3.15.5-r1 and is disabled by default.
Hi, it is not a dumb question as well. Er... actually I thought it was, but the use flag got removed someway. I added the flag again and emerged the latest stable release of ca-certificates. Firefox works now, but the Linux client for owncloud keeps complaining:

The issuer certificate of a locally looked up certificate could not be found
The root CA certificate is not trusted for this purpose
No certificates could be verified

Anyway, as firefox accepts the server certificate perfectly, my bug report for ca-certificates now appears to be invalid. You may close it.

Thanks for your time.
Toon.
Hi, one additional comment after closure. The cacert class 3 intermediate certificate IS missing from the ca-certificates package.

Firefox uses its own certificate repository. The repository of my firefox contains BOTH the cacert class 1 root certificate and the cacert class 3 intermediate certificate. This explains why firefox worked perfectly with CAcert-issued server certificates.

Now, the ownCloud desktop client app does not have its own repository. Instead, it makes use of the central repository which is provided by the ca-certificates package. This package only provides the cacert class 1 root certificate, while my cacert server certificates are signed by the cacert class 3 intermediate certificate. This explains why the ownCloud desktop client app kept complaining about the server certificate being untrusted.

To prove this, I stored the cacert class 3 intermediate certificate in /usr/local/share/ca-certificates and ran /usr/sbin/update-ca-certificates:

# /usr/sbin/update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

After this exercise the ownCloud app stopped complaining. My desktop machine has installed app-misc/ca-certificates-20141019.3.17.4

Regards,
Toon.
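Added example, not part of the original bug comments and not code from the ca-certificates package: a check for the condition described in this thread, where clients that rely on the central hashed directory lose a CA once its hash symlink dangles or is removed. The function names, the example_root.pem file and the 0a1b2c3d.0 link name are constructed for illustration; 590d426f.0 -> cacert.org_class3.pem is taken from the emerge log above.

```python
import os
import re
import tempfile

# OpenSSL CApath lookups use links named <8 hex digits>.<n> that point at a PEM file.
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")


def audit_capath(capath, required_pems):
    """Return (dangling, missing) for a hashed certificate directory.

    dangling: {link name: target} for hash symlinks whose target is gone
    missing:  required PEM names that no working hash symlink points at
    """
    dangling, live = {}, set()
    for name in sorted(os.listdir(capath)):
        path = os.path.join(capath, name)
        if not (HASH_LINK.match(name) and os.path.islink(path)):
            continue
        target = os.readlink(path)
        if os.path.exists(path):  # exists() follows the link
            live.add(os.path.basename(target))
        else:
            dangling[name] = target
    return dangling, sorted(set(required_pems) - live)


def build_sample(capath):
    """Constructed test directory: one working link, one dangling link."""
    with open(os.path.join(capath, "example_root.pem"), "w") as fh:
        fh.write("constructed placeholder, not a real certificate\n")
    # Constructed hash name for the working entry.
    os.symlink("example_root.pem", os.path.join(capath, "0a1b2c3d.0"))
    # Link name and target as reported in the emerge log; the PEM is absent.
    os.symlink("cacert.org_class3.pem", os.path.join(capath, "590d426f.0"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        dangling, missing = audit_capath(
            tmp, ["example_root.pem", "cacert.org_class3.pem"])
        for link, target in dangling.items():
            print(f"dangling: {link} -> {target}")
        for pem in missing:
            print(f"no working hash link for: {pem}")
```

Pointed at /etc/ssl/certs before and after a ca-certificates upgrade, with the PEM names of the CAs your own servers chain to, the same function reports which of them the system store no longer resolves.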
*** This bug has been marked as a duplicate of bug 521462 ***