Bug 1259871 - Missing DigiCert certificate
Missing DigiCert certificate
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: ca-certificates (Show other bugs)
22
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Kai Engert (:kaie)
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-03 13:01 EDT by Sam Varshavchik
Modified: 2015-09-22 18:05 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-09-22 18:05:30 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Sam Varshavchik 2015-09-03 13:01:00 EDT
Description of problem:

CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US

appears to be missing from cert.pem

Version-Release number of selected component (if applicable):

ca-certificates-2015.2.4-1.0.fc22.noarch

How reproducible:

Always

Steps to Reproduce:
1. wget -O - https://publicsuffix.org

Actual results:

Resolving publicsuffix.org (publicsuffix.org)... 63.245.217.20
Connecting to publicsuffix.org (publicsuffix.org)|63.245.217.20|:443... connected.
ERROR: cannot verify publicsuffix.org's certificate, issued by ‘CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US’:
  Unable to locally verify the issuer's authority.
To connect to publicsuffix.org insecurely, use `--no-check-certificate'.

Expected results:

Successful connection.

Additional info:

firefox-40.0.3-1.fc22.x86_64 has no issues validating publicsuffix.org's certificate.
Comment 1 Kai Engert (:kaie) 2015-09-22 11:41:17 EDT
Thanks for your report.

I don't understand why you get this error, I cannot reproduce it.

I'm using Fedora 22 with ca-certificates-2015.2.5-1.0.fc22

Running your "steps to reproduce" prints the website source code, and I don't see an error message.


As reported on this server test page:
  https://www.ssllabs.com/ssltest/analyze.html?d=publicsuffix.org&s=63.245.217.20

the "missing certificate" that you have mentioned is actually an "intermediate certificate" that is sent by the server, for the purpose of finding another trusted root CA.


This is the intermediate sent by the server:

Serial Number:01:fd:a3:eb:6e:ca:75:c8:88:43:8b:72:4b:cf:bc:91
Subject: "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"
Issuer: "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"

This means, the software will search for a root CA certificate as described in the above "Issuer" field.

That root CA certificate should have been already included in the ca-certificate package version that you have installed.
Comment 2 Sam Varshavchik 2015-09-22 18:05:30 EDT
With ca-certificates-2015.2.5-1.0.fc22.noarch, publicsuffix.org seems to verify ok, now.

It's also possible that this was a transient issue with publicsuffix.org; but as I noted, at that time Firefox had no issues. Which seems to point the finger at the local CA store.

Note You need to log in before you can comment on or make changes to this bug.