Bug 1276149 - Missing CA Certificate?
Summary: Missing CA Certificate?
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ca-certificates
Version: 6.7
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-10-28 21:28 UTC by Erinn Looney-Triggs
Modified: 2016-02-25 16:05 UTC
CC List: 2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-18 21:31:06 UTC
Target Upstream Version:
Embargoed:


Attachments
Network Solutions Subordinate CA (1.63 KB, text/x-vhdl), 2015-10-28 21:28 UTC, Erinn Looney-Triggs
Matrixcare Certificate (1.95 KB, text/x-vhdl), 2015-10-28 21:29 UTC, Erinn Looney-Triggs

Description Erinn Looney-Triggs 2015-10-28 21:28:14 UTC
Created attachment 1087334 [details]
Network Solutions Subordinate CA

I have what appears to me to be a very weird problem. Weird enough that I am hesitant to believe it is an issue, but I need independent confirmation one way or another.

It appears that the certificate store that is included by default in /etc/pki/tls/certs/ca-bundle.crt, which is in turn derived from whatever magic update-ca-trust uses, is missing a CA.

I have attached a certificate for a company called Matrixcare. They have an SSL-secured website at https://user.matrixcare.com that is using this certificate; it is a valid and trusted certificate in Mozilla, Chrome (not sure how Chrome handles certificates on Linux, perhaps bundled, perhaps system), and in Microsoft's trust store in Windows. In short, it is valid.

However, when using curl on a RHEL 6 system with the --cacert set to /etc/pki/tls/certs/ca-bundle.crt (this may not be necessary, but I wanted to be explicit) it fails with a certificate chain error.

Now there are four certificates in the chain; this ultimately comes from Comodo. They are: AddTrust External CA -> UTN-USERFirst-Hardware -> Network Solutions -> *.matrixcare.com

If I add the attached Network Solutions subordinate to the ca-bundle via /etc/ca-trust/source/anchors and do the update thing, everything just works.

So the problem may be, as near as I can tell, that the Network Solutions subordinate, though present in the Mozilla trust store, is not present in the ca-bundle, despite the fact that, as far as I understand, the ca-bundle is derived from the Mozilla trust store.

Anyway, independent confirmation would be much appreciated; this was kind of a pain to chase down.

Comment 1 Erinn Looney-Triggs 2015-10-28 21:29:13 UTC
Created attachment 1087335 [details]
Matrixcare Certificate

Comment 3 Kai Engert (:kaie) (inactive account) 2015-10-30 13:56:52 UTC
Erinn,

on RHEL 6.x, multiple configurations are possible. They are described in the manual page of 
  man update-ca-trust

If you're using the default configuration (which was used since RHEL 6.0), and if you had manually modified the CA bundle file in the past, then it won't get upgraded automatically.

Please tell me what the following commands print, for each of them:

(1)
rpm -q --verify ca-certificates

(2)
rpm -qv ca-certificates nspr nss nss-util nss-softokn-freebl nss-softokn \
  p11-kit-trust

(3)
ls -l /etc/pki/tls/certs/ca-bundle.crt

(4)
update-ca-trust check

(5)
curl --head https://user.matrixcare.com/

(6)
curl --head --cacert /etc/pki/tls/certs/ca-bundle.crt \
  https://user.matrixcare.com/


FYI, I just executed command (5) on an unmodified RHEL 6 system with the following packages installed, and it worked.

On my system, it works regardless of the "enable" or "disable" configuration printed by (4) and as described in the man page.

Comment 4 Kai Engert (:kaie) (inactive account) 2016-01-18 21:31:06 UTC
We never got any feedback to my questions.

I assume my explanations have clarified the issue and that no further action is necessary, so I'm closing this bug report.

Comment 5 Jeremy 2016-02-24 20:08:27 UTC
Erinn no longer works with our company; I would like to update this ticket in his place. I have copied what the commands printed below.
(1) Nothing at all

(2) ca-certificates-2015.2.4-71.el7.noarch
nspr-4.10.8-2.el7_1.x86_64
nss-3.19.1-18.el7.x86_64
nss-util-3.19.1-4.el7_1.x86_64
package nss-softokn-freeb1 is not installed
package nss-softtokn is not installed
p11-kit-trust-0.20.7-3.el7.x86_64

(3) lrwxrwxrwx. 1 root root 49 Nov 19 06:46 /etc/pki/tls/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

(4) Nothing at all

(5) HTTP/1.1 200 OK
Date: Wed, 24 Feb 2016 20:06:26 GMT
Server: Microsoft-IIS/7.5
Content-Type: text/html
Last-Modified: Tue, 08 Oct 2013 17:33:12 GMT
Accept-Ranges: bytes
ETag: "aeb961764cc4ce1:0"
X-Powered-By: ASP.NET

(6) curl: (3) <url> malformed
HTTP/1.1 200 OK
Date: Wed, 24 Feb 2016 20:07:12 GMT
Server: Microsoft-IIS/7.5
Content-Type: text/html
Last-Modified: Tue, 08 Oct 2013 17:33:12 GMT
Accept-Ranges: bytes
ETag: "aeb961764cc4ce1:0"
X-Powered-By: ASP.NET


Thanks,
Jeremy

Comment 6 Erinn Looney-Triggs 2016-02-25 16:05:40 UTC
Jeremy, the issue is this:

If you're using the default configuration (which was used since RHEL 6.0), and if you had manually modified the CA bundle file in the past, then it won't get upgraded automatically.

The bundle didn't get upgraded and so the certificate is not present.

-Erinn

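A small diagnostic for the two things this report turned on: the check Kai asks for in Comment 3 (is the CA actually in the bundle, and is ca-bundle.crt the symlink that update-ca-trust maintains?) and the cause Erinn names in Comment 6 (a standalone, hand-edited bundle that the ca-certificates package does not overwrite). This is an added example, not code from the bug report or from the ca-certificates package. It compares certificate bodies textually, so it works on a real bundle and a real saved certificate; the PEM blocks it writes for the demo are constructed text, not real certificates, and openssl will not parse them. All paths are parameters; on a live system point them at /etc/pki/tls/certs/ca-bundle.crt and the saved subordinate.

```shell
#!/bin/sh
# Added example (not from the bug report or from ca-certificates).
# Textual checks on a PEM CA bundle: is a given certificate in it, and is the
# bundle the update-ca-trust managed symlink or a standalone file?

# Print one line per certificate in a PEM file: the base64 body with all
# whitespace removed, so differences in line wrapping do not matter.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Number of certificates in a bundle.
bundle_cert_count() {
    pem_bodies "$1" | wc -l | tr -d ' '
}

# 0 if every certificate in file $2 is present in bundle $1, 1 if any is
# missing, 2 if $2 contains no certificate at all.
anchor_in_bundle() {
    bundle=$1
    bodies=$(pem_bodies "$2")
    [ -n "$bodies" ] || return 2
    for body in $bodies; do   # bodies contain no whitespace, so word splitting is safe
        pem_bodies "$bundle" | grep -qxF "$body" || return 1
    done
    return 0
}

# 0 if the bundle path is a symlink into .../ca-trust/extracted/ (the layout
# update-ca-trust maintains), 1 if it is a regular file, i.e. the legacy
# standalone copy that is not rewritten once it has been edited by hand.
bundle_is_managed() {
    [ -L "$1" ] || return 1
    case $(readlink "$1") in
        */ca-trust/extracted/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample tree mirroring the RHEL layout under $1. The base64 is
# NOT a real certificate; it only exercises the text matching above.
make_sample_tree() {
    root=$1
    mkdir -p "$root/pki/ca-trust/extracted/pem" "$root/pki/tls/certs"
    cat > "$root/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" <<'EOF'
# Constructed Root A
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgUm9vdCBBOiBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
# Constructed Root B
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgUm9vdCBCOiBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
EOF
    ln -sf "$root/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" \
           "$root/pki/tls/certs/ca-bundle.crt"
    # Legacy/hand-edited copy: same content, but a regular file.
    cp "$root/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" \
       "$root/pki/tls/certs/ca-bundle-handedited.crt"
    # Root A again, wrapped differently, as another tool might have saved it.
    cat > "$root/present.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgUm9vdCBBOiBub3Qg
YSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
EOF
    # A subordinate that is not in the bundle at all.
    cat > "$root/missing.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgU3Vib3JkaW5hdGU6IG5vdCBpbiB0aGUgYnVuZGxl
-----END CERTIFICATE-----
EOF
}

# Stand-alone demo: build the sample tree and report on it.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_tree "$d"
    b="$d/pki/tls/certs/ca-bundle.crt"
    echo "certificates in bundle: $(bundle_cert_count "$b")"
    anchor_in_bundle "$b" "$d/present.pem" && echo "present.pem: in bundle"
    anchor_in_bundle "$b" "$d/missing.pem" || echo "missing.pem: NOT in bundle"
    bundle_is_managed "$b" && echo "ca-bundle.crt: managed symlink"
    bundle_is_managed "$d/pki/tls/certs/ca-bundle-handedited.crt" || echo "hand-edited copy: standalone file"
    rm -rf "$d"
fi
```

On RHEL 6 in the configuration the man page Kai refers to calls "enable", ca-bundle.crt is a symlink into /etc/pki/ca-trust/extracted/ (as in the ls output in Comment 5), and a certificate dropped into /etc/pki/ca-trust/source/anchors/ is picked up by `update-ca-trust extract`. If `bundle_is_managed` reports a regular file instead, the bundle is the legacy standalone copy, which is exactly the case where a hand-edited file is not upgraded by the package. One caveat on the workaround in the description: anything placed under anchors becomes a trust anchor in its own right, so anchoring an intermediate such as the Network Solutions subordinate trusts it directly rather than through AddTrust. That is fine as a stopgap, but the durable fix is an up-to-date bundle.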
