Ubuntu
ca-certificates package

Go Daddy Root Certficate Authority G2 missing in lucid

Bug #1271357 reported by David Ames
22
This bug affects 4 people
Affects Status Importance Assigned to Milestone
ca-certificates (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

We recently installed a new Go Daddy certificate on a lucid machine.

On the lucid machine the following shows 20 (unable to get local issuer certificate)
openssl s_client -tls1 -connect 127.0.0.1:443 -CApath /etc/ssl/certs -servername graphite.ubunet.canical.com

Certificate chain
 0 s:/OU=Domain Control Validated/CN=graphite.ubunet.canonical.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=https://certs.godaddy.com/repository//CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority

Verify return code: 20 (unable to get local issuer certificate)

The certificate chain file from Go Daddy contains:
        Subject: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
        Subject: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=https://certs.godaddy.com/repository/, CN=Go Daddy Root Certificate Authority - G2
        Subject: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority

openssl s_client from any host with the Go_Daddy_Root_Certificate_Authority_-_G2.pem (including a lucid host with it manually added) succeeds.

Can we have The precise version backported to lucid? Or Go_Daddy_Root_Certificate_Authority_-_G2.pem added?

Browsers work just fine. But we may have non-browser access needs from lucid hosts.

David Ames (thedac)
tags: added: canonical-sysadmins
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ca-certificates (Ubuntu):
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20130906ubuntu0.10.04.1

---------------
ca-certificates (20130906ubuntu0.10.04.1) lucid-security; urgency=medium

  * Update ca-certificates database to 20130906 (LP: #1257265, LP: #1271357):
    - backport changes from the Ubuntu 14.04 20130906ubuntu1 package
    - No longer ship cacert.org certificates (LP: #1258286)
    - No longer ship obsolete debconf.org certificates
    - No longer ship expired brasil.gov.br certificates
    - No longer ship expired signet.pl certificates
    - No longer ship gouv.fr certificates, now part of mozilla bundle
    - No longer ship telesec.de certificates, now part of mozilla bundle
    - mozilla/certdata2pem.py: Work around openssl issue by shipping both
      versions of the same signed roots. Previously, the script would
      simply overwrite the first one found in the certdata.txt with the
      later one since they both have the same CKA_LABEL, resulting in
      identical filenames. (LP: #1014640, LP: #1031333)
 -- Marc Deslauriers <email address hidden> Fri, 07 Feb 2014 13:58:53 -0500

Changed in ca-certificates (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.