Breaks certs with DOS-style line endings

before:
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 01234567
verify return:1
depth=0 O = f.q.d.n, OU = Domain Control Validated, CN = f.q.d.n
verify return:1
---
Certificate chain
 0 s:/O=f.q.d.n/OU=Domain Control Validated/CN=f.q.d.n
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287

after:
depth=0 O = f.q.d.n, OU = Domain Control Validated, CN = f.q.d.n
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = f.q.d.n, OU = Domain Control Validated, CN = f.q.d.n
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = f.q.d.n, OU = Domain Control Validated, CN = f.q.d.n
verify error:num=21:unable to verify the first certificate
verify return:1

Missed this part in the after bits:
Certificate chain
 0 s:/O=f.q.d.n/OU=Domain Control Validated/CN=f.q.d.n
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287

From upgrade log:
Paramétrage de libglib2.0-0:i386 (2.29.92-0ubuntu1) ...
Paramétrage de ca-certificates (20110502+nmu1ubuntu3) ...
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs... WARNING: Skipping duplicate certificate UbuntuOne-Go_Daddy_Class_2_CA.pem
WARNING: Skipping duplicate certificate UbuntuOne-Go_Daddy_Class_2_CA.pem
WARNING: Skipping duplicate certificate IGC_A.pem
WARNING: Skipping duplicate certificate IGC_A.pem
155 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Replacing debian:brasil.gov.br.pem
Replacing debian:cacert.org.pem
Replacing debian:ca.pem
Replacing debian:cert_igca_dsa.pem
Replacing debian:cert_igca_rsa.pem
Replacing debian:AOL_Time_Warner_Root_Certification_Authority_1.pem
Replacing debian:AOL_Time_Warner_Root_Certification_Authority_2.pem
Replacing debian:AddTrust_External_Root.pem
Replacing debian:AddTrust_Low-Value_Services_Root.pem
Replacing debian:AddTrust_Public_Services_Root.pem
Replacing debian:AddTrust_Qualified_Certificates_Root.pem
Replacing debian:America_Online_Root_Certification_Authority_1.pem
Replacing debian:America_Online_Root_Certification_Authority_2.pem
Replacing debian:Baltimore_CyberTrust_Root.pem
Replacing debian:COMODO_Certification_Authority.pem
Replacing debian:Camerfirma_Chambers_of_Commerce_Root.pem
Replacing debian:Camerfirma_Global_Chambersign_Root.pem
Replacing debian:Certplus_Class_2_Primary_CA.pem
Replacing debian:Certum_Root_CA.pem
Replacing debian:Comodo_AAA_Services_root.pem
Replacing debian:Comodo_Secure_Services_root.pem
Replacing debian:Comodo_Trusted_Services_root.pem
Replacing debian:DST_ACES_CA_X6.pem
Replacing debian:DST_Root_CA_X3.pem
Replacing debian:DigiCert_Assured_ID_Root_CA.pem
Replacing debian:DigiCert_Global_Root_CA.pem
Replacing debian:DigiCert_High_Assurance_EV_Root_CA.pem
Replacing debian:Digital_Signature_Trust_Co._Global_CA_1.pem
Replacing debian:Digital_Signature_Trust_Co._Global_CA_3.pem
Replacing debian:Entrust.net_Premium_2048_Secure_Server_CA.pem
Replacing debian:Entrust.net_Secure_Server_CA.pem
Replacing debian:Entrust_Root_Certification_Authority.pem
Replacing debian:Equifax_Secure_CA.pem
Replacing debian:Equifax_Secure_eBusiness_CA_1.pem
Replacing debian:Equifax_Secure_eBusiness_CA_2.pem
Replacing debian:Firmaprofesional_Root_CA.pem
Replacing debian:GTE_CyberTrust_Global_Root.pem
Replacing debian:GeoTrust_Global_CA.pem
Replacing debian:GeoTrust_Global_CA_2.pem
Replacing debian:GeoTrust_Primary_Certification_Authority.pem
Replacing debian:GeoTrust_Universal_CA.pem
Replacing debian:GeoTrust_Universal_CA_2.pem
Replacing debian:GlobalSign_Root_CA.pem
Replacing debian:GlobalSign_Root_CA_-_R2.pem
Replacing debian:Go_Daddy_Class_2_CA.pem
Replacing debian:NetLock_Business_=Class_B=_Root.pem
Replacing debian:NetLock_Express_=Class_C=_Root.pem
Replacing debian:NetLock_Notary_=Class_A=_Root.pem
Replacing debian:NetLock_Qualified_=Class_QA=_Root.pem
Replacing debian:QuoVadis_Root_CA.pem
Replacing debian:QuoVadis_Root_CA_2.pem
Replacing debian:QuoVadis_Root_CA_3.pem
Replacing debian:RSA_Root_Certificate_1.pem
Replacing debian:RSA_Security_2048_v3.pem
Replacing debian:SecureTrust_CA.pem
Replacing debi...

Oddly enough:
/etc/ssl/certs/UbuntuOne-Go_Daddy_CA.pem
        Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
        Subject: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287

/etc/ssl/certs/UbuntuOne-Go_Daddy_Class_2_CA.pem
        Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
        Subject: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority

so the intermediate cert is there, but is considered a duplicate.

Also, the target host should be fixed to serve the intermediate CA.

UbuntuOne-Go_Daddy_Class_2_CA.pem is a duplicate of Go_Daddy_Class_2_CA.pem

/etc/ssl/certs/UbuntuOne-Go_Daddy_CA.pem has DOS CRLF line endings; after I converted it to UNIX line endings and ran c_rehash in /etc/ssl/certs, things worked.

This is due to changes in the last openssl merge from Debian, presumably themselves coming from upstream, where openssl's tools/c_rehash.in got an updated check_file to validate certs before processing them. Apparently this broke support for DOS-style line endings.

NB: I've contacted the site's owner to add the intermediate CA to their SSL setup.

This bug was fixed in the package ubuntuone-storage-protocol - 2.0.0-0ubuntu1

---------------
ubuntuone-storage-protocol (2.0.0-0ubuntu1) oneiric; urgency=low

  * New upstream release.
    - Use UNIX-style line endings in certs (LP: #855454)
 -- Rodney Dawes <email address hidden> Mon, 26 Sep 2011 16:01:33 -0400

This bug was fixed in the package openssl - 1.0.0e-2ubuntu2

---------------
openssl (1.0.0e-2ubuntu2) oneiric; urgency=low

  * Unapply patch c_rehash-multi and comment it out in the series as it breaks
    parsing of certificates with CRLF line endings and other cases (see
    Debian #642314 for discussion), it also changes the semantics of c_rehash
    directories by requiring applications to parse hash link targets as files
    containing potentially *multiple* certificates rather than exactly one.
    LP: #855454.
 -- Loic Minier <email address hidden> Tue, 27 Sep 2011 18:13:07 +0200

This bug was fixed in the package ca-certificates - 20110502+nmu1ubuntu4

---------------
ca-certificates (20110502+nmu1ubuntu4) oneiric; urgency=low

  * Run update-ca-certificates --fresh on upgrades from versions older than
    this one as to remove links created by patched c_rehash or add missing
    links; depend on fixed openssl; drop after oneiric; see Debian #642314;
    LP: #855454.
 -- Loic Minier <email address hidden> Tue, 27 Sep 2011 21:26:40 +0200

Does any of this need to be backported to Lucid (LTS)? I'm not sure I quite understand the exact implications of this ticket but I have noticed on my LTS machine postfix complains:

Dec 15 10:53:32 linux postfix/smtp[5608]: certificate verification failed for example.domain.com[192.168.0.1]:25: untrusted issuer /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority