[Bug 854927] Re: wget, curl can't verify certificates
Steve Langasek
steve.langasek at canonical.com
Tue Sep 20 19:38:55 UTC 2011
This has been traced to a broken hash directory:
11:40 < kirkland> lrwxrwxrwx 1 root root 19 2011-09-20 01:34 /usr/lib/ssl/certs/55a10908.0 -> ca-certificates.crt
11:40 < kirkland> -rw-r--r-- 1 root root 240312 2011-09-20 01:32 /usr/lib/ssl/certs/ca-certificates.crt
This is expected to point to the specific certificate file,
ValiCert_Class_2_VA.pem, instead; but on new installs since the latest
upload of the new upstream version of openssl, c_rehash is giving
preference to the ca-certificates bundle file over the individual cert
files, and libssl subsequently is unable to use ca-certificates.crt for
certificate validation.
I would definitely say there's a bug in openssl here, since c_rehash
shouldn't create symlinks that the library will be subsequently unable
to use; but I think we can work around it in ca-certificates by just
making sure the bundle file is moved out of the way at the time we're
calling c_rehash - since any time we call c_rehash we're regenerating
that bundle file anyway.
** Also affects: ca-certificates (Ubuntu)
Importance: Undecided
Status: New
** Changed in: ca-certificates (Ubuntu Oneiric)
Status: New => In Progress
** Changed in: ca-certificates (Ubuntu Oneiric)
Importance: Undecided => High
** Changed in: ca-certificates (Ubuntu Oneiric)
Assignee: (unassigned) => Steve Langasek (vorlon)
** Changed in: ca-certificates (Ubuntu Oneiric)
Milestone: None => ubuntu-11.10-beta-2
** Changed in: openssl (Ubuntu Oneiric)
Milestone: ubuntu-11.10-beta-2 => ubuntu-11.10
** Changed in: openssl (Ubuntu Oneiric)
Status: In Progress => Triaged
** Changed in: openssl (Ubuntu Oneiric)
Assignee: (unassigned) => Colin Watson (cjwatson)
** Bug watch added: Debian Bug tracker #628780
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628780
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/854927
Title:
c_rehash creating bogus links to ca-certificates.crt
Status in “ca-certificates” package in Ubuntu:
In Progress
Status in “openssl” package in Ubuntu:
Triaged
Status in “ca-certificates” source package in Oneiric:
In Progress
Status in “openssl” source package in Oneiric:
Triaged
Bug description:
$ wget https://www.google.com
--2011-09-20 18:12:46-- https://www.google.com/
Resolving www.google.com... 209.85.169.105, 209.85.169.106, 209.85.169.147, ...
Connecting to www.google.com|209.85.169.105|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by `/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA':
Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.
$ curl -sS https://launchpad.net
curl: (35) error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: openssl 1.0.0e-2ubuntu1
ProcVersionSignature: User Name 3.0.0-11.18-virtual 3.0.4
Uname: Linux 3.0.0-11-virtual i686
ApportVersion: 1.23-0ubuntu1
Architecture: i386
Date: Tue Sep 20 18:11:11 2011
Ec2AMI: ami-00000090
Ec2AMIManifest: FIXME
Ec2AvailabilityZone: nova
Ec2InstanceType: m1.small
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: openssl
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/854927/+subscriptions
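
A check for the broken state described in this report, as an added example (not part of the bug report or of either package): it lists hash links in a certificate directory that resolve to a file holding more than one certificate. The function names, the sample directory and the second hash name are constructed for illustration.

```shell
#!/bin/sh
# Added example: list hash links in an OpenSSL certificate directory
# that resolve to a multi-certificate bundle file.

find_bundle_links() {
    dir=$1
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        # Hash links are named <8 hex digits>.<n>, e.g. 55a10908.0
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        if [ ! -f "$link" ]; then
            printf '%s: dangling link\n' "$name"
            continue
        fi
        # Count PEM certificate headers in the link target
        count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$link" || true)
        if [ "$count" -gt 1 ]; then
            printf '%s -> %s (%s certificates)\n' "$name" "$(readlink "$link")" "$count"
        fi
    done
}

# Constructed sample directory: the PEM bodies are placeholders, only the
# BEGIN/END markers matter to the check. The hash name 0a1b2c3d is made up.
pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----'
}

make_sample_dir() {
    d=$(mktemp -d)
    pem > "$d/ValiCert_Class_2_VA.pem"
    pem > "$d/Other_CA.pem"
    cat "$d/ValiCert_Class_2_VA.pem" "$d/Other_CA.pem" > "$d/ca-certificates.crt"
    ln -s ca-certificates.crt "$d/55a10908.0"   # the broken state from the report
    ln -s Other_CA.pem "$d/0a1b2c3d.0"          # a healthy link
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
find_bundle_links "$sample"
rm -rf "$sample"
```

On an affected system the directory to pass is the one shown in the listing above, /usr/lib/ssl/certs.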