Bug 1259871 - Missing DigiCert certificate
Summary: Missing DigiCert certificate
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: ca-certificates
Version: 22
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-09-03 17:01 UTC by Sam Varshavchik
Modified: 2015-09-22 22:05 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-22 22:05:30 UTC
Type: Bug
Embargoed:


Description Sam Varshavchik 2015-09-03 17:01:00 UTC
Description of problem:

CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US

appears to be missing from cert.pem

Version-Release number of selected component (if applicable):

ca-certificates-2015.2.4-1.0.fc22.noarch

How reproducible:

Always

Steps to Reproduce:
1. wget -O - https://publicsuffix.org

Actual results:

Resolving publicsuffix.org (publicsuffix.org)... 63.245.217.20
Connecting to publicsuffix.org (publicsuffix.org)|63.245.217.20|:443... connected.
ERROR: cannot verify publicsuffix.org's certificate, issued by ‘CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US’:
  Unable to locally verify the issuer's authority.
To connect to publicsuffix.org insecurely, use `--no-check-certificate'.

Expected results:

Successful connection.

Additional info:

firefox-40.0.3-1.fc22.x86_64 has no issues validating publicsuffix.org's certificate.

Comment 1 Kai Engert (:kaie) (inactive account) 2015-09-22 15:41:17 UTC
Thanks for your report.

I don't understand why you get this error; I cannot reproduce it.

I'm using Fedora 22 with ca-certificates-2015.2.5-1.0.fc22.

Running your "steps to reproduce" prints the website source code, and I don't see an error message.


As reported on this server test page:
  https://www.ssllabs.com/ssltest/analyze.html?d=publicsuffix.org&s=63.245.217.20

the "missing certificate" that you have mentioned is actually an "intermediate certificate" that is sent by the server, for the purpose of finding another trusted root CA.


This is the intermediate sent by the server:

Serial Number:01:fd:a3:eb:6e:ca:75:c8:88:43:8b:72:4b:cf:bc:91
Subject: "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"
Issuer: "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"

This means the software will search for a root CA certificate as described in the above "Issuer" field.

That root CA certificate should have been already included in the ca-certificates package version that you have installed.
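
The chain building Comment 1 describes, as an added example that is not part of the original bug report or of the ca-certificates package: a trust bundle holding only a root still verifies a server certificate when the intermediate arrives from the server, and fails when it does not. It assumes the `openssl` command-line tool is installed; the throwaway "Demo" PKI and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added demo; the PKI is constructed and the "Demo ..." names are placeholders.

make_demo_pki() {   # $1 = empty working directory
    local d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        '[v3_leaf]' 'basicConstraints=CA:FALSE' > "$d/x.cnf"
    # Root CA: self-signed; the only certificate placed in the trust bundle.
    openssl req -x509 -config "$d/x.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 2 -subj '/CN=Demo Root CA' \
        -keyout "$d/root.key" -out "$d/bundle.pem" 2>/dev/null &&
    # Intermediate CA, signed by the root; a server sends it in the handshake.
    openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Demo Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/bundle.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/x.cnf" -extensions v3_ca \
        -out "$d/int.pem" 2>/dev/null &&
    # Server (leaf) certificate, signed by the intermediate.
    openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=demo.example' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -extfile "$d/x.cnf" -extensions v3_leaf \
        -out "$d/leaf.pem" 2>/dev/null
}

# True if any certificate in PEM bundle $1 has $2 in its subject line.
bundle_has_subject() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
        | grep '^subject' | grep -qF -- "$2"
}

# True if leaf $2 chains to a root in bundle $1. $3, if given, is the
# intermediate as sent by the server: used for path building, never trusted.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

d=$(mktemp -d) && make_demo_pki "$d" && {
    bundle_has_subject "$d/bundle.pem" 'Demo Intermediate CA' || echo "intermediate absent from bundle"
    chain_verifies "$d/bundle.pem" "$d/leaf.pem" "$d/int.pem" && echo "intermediate sent: verifies"
    chain_verifies "$d/bundle.pem" "$d/leaf.pem" || echo "intermediate not sent: fails"
}
rm -rf "$d"
```

To check a real store, run `bundle_has_subject` on the system's cert.pem with the Issuer name quoted in Comment 1.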

Comment 2 Sam Varshavchik 2015-09-22 22:05:30 UTC
With ca-certificates-2015.2.5-1.0.fc22.noarch, publicsuffix.org seems to verify ok, now.

It's also possible that this was a transient issue with publicsuffix.org; but as I noted, at that time Firefox had no issues, which seems to point the finger at the local CA store.

