Description of problem: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US appears to be missing from cert.pem Version-Release number of selected component (if applicable): ca-certificates-2015.2.4-1.0.fc22.noarch How reproducible: Always Steps to Reproduce: 1. wget -O - https://publicsuffix.org Actual results: Resolving publicsuffix.org (publicsuffix.org)... 63.245.217.20 Connecting to publicsuffix.org (publicsuffix.org)|63.245.217.20|:443... connected. ERROR: cannot verify publicsuffix.org's certificate, issued by ‘CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US’: Unable to locally verify the issuer's authority. To connect to publicsuffix.org insecurely, use `--no-check-certificate'. Expected results: Successful connection. Additional info: firefox-40.0.3-1.fc22.x86_64 has no issues validating publicsuffix.org's certificate.
Thanks for your report. I don't understand why you get this error, I cannot reproduce it. I'm using Fedora 22 with ca-certificates-2015.2.5-1.0.fc22 Running your "steps to reproduce" prints the website source code, and I don't see an error message. As reported on this server test page: https://www.ssllabs.com/ssltest/analyze.html?d=publicsuffix.org&s=63.245.217.20 the "missing certificate" that you have mentioned is actually an "intermediate certificate" that is sent by the server, for the purpose of finding another trusted root CA. This is the intermediate sent by the server: Serial Number:01:fd:a3:eb:6e:ca:75:c8:88:43:8b:72:4b:cf:bc:91 Subject: "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US" Issuer: "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US" This means, the software will search for a root CA certificate as described in the above "Issuer" field. That root CA certificate should have been already included in the ca-certificate package version that you have installed.
With ca-certificates-2015.2.5-1.0.fc22.noarch, publicsuffix.org seems to verify ok, now. It's also possible that this was a transient issue with publicsuffix.org; but as I noted, at that time Firefox had no issues. Which seems to point the finger at the local CA store.