Red Hat Bugzilla – Bug 1259871
Missing DigiCert certificate
Last modified: 2015-09-22 18:05:30 EDT
Description of problem:
CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
appears to be missing from cert.pem
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. wget -O - https://publicsuffix.org
Resolving publicsuffix.org (publicsuffix.org)... 22.214.171.124
Connecting to publicsuffix.org (publicsuffix.org)|126.96.36.199|:443... connected.
ERROR: cannot verify publicsuffix.org's certificate, issued by ‘CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US’:
Unable to locally verify the issuer's authority.
To connect to publicsuffix.org insecurely, use `--no-check-certificate'.
firefox-40.0.3-1.fc22.x86_64 has no issues validating publicsuffix.org's certificate.
Thanks for your report.
I don't understand why you get this error, I cannot reproduce it.
I'm using Fedora 22 with ca-certificates-2015.2.5-1.0.fc22
Running your "steps to reproduce" prints the website source code, and I don't see an error message.
As reported on this server test page:
the "missing certificate" that you have mentioned is actually an "intermediate certificate" that is sent by the server, for the purpose of finding another trusted root CA.
This is the intermediate sent by the server:
Subject: "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"
Issuer: "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"
This means the software will search for a root CA certificate as described in the above "Issuer" field.
That root CA certificate should have been already included in the ca-certificate package version that you have installed.
With ca-certificates-2015.2.5-1.0.fc22.noarch, publicsuffix.org seems to verify ok, now.
It's also possible that this was a transient issue with publicsuffix.org; but as I noted, at that time Firefox had no issues, which seems to point the finger at the local CA store.
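Added example (not part of the bug report and not code from any project mentioned in it): the chain building described in the comments above, reproduced with the openssl command line on a constructed root, intermediate and leaf. All certificate and file names are made up, the two store files stand in for cert.pem, and `openssl verify -untrusted` stands in for the intermediate that the server sends.

```shell
#!/bin/sh
# Constructed chain: root -> intermediate -> leaf. Every name here is made up.
W=$(mktemp -d)
cat > "$W/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
# new_key_csr NAME CN: private key plus certificate request
new_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$W/ca.cnf" -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
}
# self_sign NAME: turn NAME's request into a self-signed root certificate
self_sign() {
  openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days 2 \
    -extfile "$W/ca.cnf" -extensions v3_ca -out "$W/$1.pem" 2>/dev/null
}
# issue NAME ISSUER [x509 options]: sign NAME's request with ISSUER's key
issue() {
  n=$1; ca=$2; shift 2
  openssl x509 -req -in "$W/$n.csr" -CA "$W/$ca.pem" -CAkey "$W/$ca.key" \
    -CAcreateserial -days 2 "$@" -out "$W/$n.pem" 2>/dev/null
}
new_key_csr root "Constructed Root CA"; self_sign root
new_key_csr other "Constructed Unrelated Root"; self_sign other
new_key_csr inter "Constructed Intermediate CA"
issue inter root -extfile "$W/ca.cnf" -extensions v3_ca
new_key_csr leaf "www.example.test"; issue leaf inter

# Two local trust stores (the role cert.pem plays): one lacks the root.
cp "$W/other.pem" "$W/store_without_root.pem"
cat "$W/other.pem" "$W/root.pem" > "$W/store_with_root.pem"

# check STORE [verify options]: prints "ok" or "fail" for the leaf certificate.
# -untrusted FILE plays the part of the intermediate sent by the server.
check() {
  s=$1; shift
  if openssl verify -CAfile "$W/$s" "$@" "$W/leaf.pem" 2>&1 | grep -q ': OK$'
  then echo ok; else echo fail; fi
}
echo "intermediate sent, root missing locally: $(check store_without_root.pem -untrusted "$W/inter.pem")"
echo "intermediate sent, root in local store:  $(check store_with_root.pem -untrusted "$W/inter.pem")"
echo "no intermediate sent, root in store:     $(check store_with_root.pem)"
```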