Description of problem:
SSIA

Version-Release number of selected component (if applicable):
?

How reproducible:
always

Steps to Reproduce:
1. openssl s_client -connect bugzilla.redhat.com:443
2.
3.

Actual results:
CONNECTED(00000003)
depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.redhat.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.redhat.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.redhat.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc./CN=*.redhat.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
-----BEGIN CERTIFICATE-----
MIIFSTCCBDGgAwIBAgIQAdAb5fpgCqGXolS4CS4ZoTANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNTA1MjgwMDAwMDBaFw0xNzA2MTQxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRcwFQYDVQQIEw5Ob3J0aCBDYXJvbGluYTEQMA4GA1UE
BxMHUmFsZWlnaDEVMBMGA1UEChMMUmVkIEhhdCBJbmMuMRUwEwYDVQQDDAwqLnJl
ZGhhdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCvaIbRvW/
9P0GbUxvNdBonurMt5R6EhsxLsTD4yYNig2T9b7soy8w1jzO8cLfipDUOxKMHiJo
mkKDgEOEDK5ePz8rqHCvMReP8zhT8S9Jz1C0dlvHPGdsdPrh1v3U9PTZ1f69tcfy
VFDi/6qTH9bkYIi9q9u52xy5vZDXLrnfCiM4n+MWhlc95jWd4eYO53Yo2mqb8xaC
GzTa/FiSsB6KmzrX7HqdgkIU5pbNK2ysd4elXjC4s8tiL8ouFafJMrzQT2jiROpm
4+d7zMwOT9ePKvyVAs4kK1StWrMss3EPGQRjAUzDuwZpE/cwWXIMKEFAjx6XvUVg
91FL1K5IbAD7AgMBAAGjggHnMIIB4zAfBgNVHSMEGDAWgBRRaP+QrwIHdTzM2WVk
YqISuFlyOzAdBgNVHQ4EFgQUKr/rGEQQ7TCbBcvVsxHASEb2doQwIwYDVR0RBBww
GoIMKi5yZWRoYXQuY29tggpyZWRoYXQuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0oDKgMIYuaHR0
cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWc0LmNybDA0oDKg
MIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWc0LmNy
bDBCBgNVHSAEOzA5MDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczov
L3d3dy5kaWdpY2VydC5jb20vQ1BTMIGDBggrBgEFBQcBAQR3MHUwJAYIKwYBBQUH
MAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEFBQcwAoZBaHR0cDov
L2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkhpZ2hBc3N1cmFuY2VT
ZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAWBfN
vX3l5iwFoM3TxzCVAuvgDhQjo6nIPicgf4bg2WsXsMMl7HQFWGwBTOe5nUGUWc51
Tw8BBJmxwixyPDC4ZMH+XK2awun87V+QULbm+KeppwPkbs6Qa83t9CAO/O1sDXCr
w2P/zT56adF9Kf3Z8Dx1cfY0RVnCRbDYUmJZ0yETDlGiANMyXVbMSJn9xp9MCh8n
470NiKEei0IQvo8EYpSDiigJxzta2NRmVy0YTM6GuTv6zWf0SlbjuPaPi4YO3ghK
D3Phjz7olvAIsbDl/j8OP8WIVM6Jyd9EoaXk9uoX+qr4mdzmpLQoTcb2n2s2530f
yKvUKl1/1JFb9J85jw==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc./CN=*.redhat.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2048 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FE68EDDC8A17849752C7997FA229751B08C00D0A2A5423841054412837506CF9
    Session-ID-ctx:
    Master-Key: 101CA87B59C39B7986CAF6CB4A23EC06D890C0F3F7FE99D25C3EC6EC232A18993037F5DA54DE9371A05845DD8A65EFB3
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 66 f2 65 60 df c5 a8 ae-e4 49 e2 5a b8 93 c7 e5   f.e`.....I.Z....
    0010 - 65 a2 7f cc 48 4d da d8-a2 2c 71 09 b0 c6 6a aa   e...HM...,q...j.
    0020 - 93 6e d4 8f 9e f3 36 7a-76 70 45 42 17 80 7f 8f   .n....6zvpEB....
    0030 - ef cd 2c 3a 5b 7a df 36-b6 9d 25 ce 5b 0b ee 11   ..,:[z.6..%.[...
    0040 - ed a3 1a 70 dc d9 23 ab-be c4 f1 4f 07 68 e1 7e   ...p..#....O.h.~
    0050 - 4f 28 ac 04 9e c8 3f 3f-34 ea 7f f8 96 07 82 12   O(....??4.......
    0060 - 76 ff 6c 83 9c b6 e1 65-06 12 97 56 cd 9c 9e 2a   v.l....e...V...*
    0070 - 9f e4 57 b6 dd 36 40 4f-6e 09 a2 5b 86 19 6c d5   ..W..6@On..[..l.
    0080 - 87 5c 30 c5 31 1f 8c a4-44 56 89 37 a6 af d8 9b   .\0.1...DV.7....
    0090 - f3 9d de 40 8a a0 00 d1-af 96 63 e2 63 ce ac 2e   ...@......c.c...
    00a0 - 6f 86 74 90 0c 46 11 c8-cd ed a0 e9 6d 2b 18 1d   o.t..F......m+..
    00b0 - 15 b9 0c b1 fd 02 43 c2-8d 24 9f 80 5d 0e b1 ac   ......C..$..]...

    Start Time: 1449146962
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Expected results:
whole certificate chain is sent

Additional info:
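The transcript above shows the signature of a server that sends only its leaf certificate: one entry under "Certificate chain" and verify return code 21. The following POSIX shell script is an added example (not part of this bug report) that classifies such an s_client transcript so a monitoring job can tell "server omitted the intermediate" apart from "certificate genuinely untrusted". It assumes only the text s_client writes to stdout, in either the old slash-separated or the newer comma-separated name format; the sample transcripts inside it are constructed, trimmed from the output in this report.

```shell
#!/bin/sh
# Added example, not code from the bug report: classify an `openssl s_client`
# transcript read from stdin. Prints one of:
#   ok, incomplete-chain, untrusted, untrusted:<code>, no-verify-line
#
# Chain entries are counted from the " N s:" lines, which s_client prints for
# every certificate the server sent, with or without -showcerts.

classify_s_client() {
    transcript=$(cat)
    # last "Verify return code: N (...)" line; indentation varies by version
    code=$(printf '%s\n' "$transcript" \
        | sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' \
        | tail -n 1)
    # number of certificates the server actually presented
    sent=$(printf '%s\n' "$transcript" \
        | grep -c '^[[:space:]]*[0-9][0-9]* s:' || true)
    case "$code" in
        0)  echo "ok" ;;
        21) # "unable to verify the first certificate": the leaf's issuer was
            # found neither on the wire nor in the trust store. With a single
            # certificate on the wire that is the server-side misconfiguration
            # in this bug; with more, the chain or the local store is at fault.
            if [ "$sent" -le 1 ]; then
                echo "incomplete-chain"
            else
                echo "untrusted"
            fi ;;
        '') echo "no-verify-line" ;;
        *)  echo "untrusted:$code" ;;
    esac
}

# Live check of one host on port 443 (needs network and the openssl CLI).
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | classify_s_client
}

# Constructed transcript, trimmed from this report: leaf only, code 21.
sample_incomplete() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.redhat.com
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc./CN=*.redhat.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
SSL-Session:
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed transcript of a correctly configured server: leaf + intermediate.
sample_ok() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
---
SSL-Session:
    Verify return code: 0 (ok)
EOF
}

# Offline demonstration on the constructed samples.
sample_incomplete | classify_s_client   # incomplete-chain
sample_ok | classify_s_client           # ok
```

For a real host, call `check_host bugzilla.redhat.com` (or any hostname) from the same shell; an `incomplete-chain` result points at the server configuration, not at the client's trust store, which is the distinction that matters before anyone starts adding anchors locally.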
I have the same problem with the security-guard-cve script, which uses the bugzilla command:

bugzilla query -b 244410
/usr/lib/python2.6/site-packages/requests/packages/urllib3/util/ssl_.py:100: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
SSL error: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
If you trust the remote server, you can work around this error with:
  bugzilla --nosslverify ...

From my notebook, the same command returns the correct result.
Seeing this with pkgdb-admin as well.
As a workaround: put the following cert in /etc/pki/ca-trust/source/anchors/digicert-intermediate.pem and run update-ca-trust. (You can verify that this is the actual, correct certificate that's issued by DigiCert.)

-----BEGIN CERTIFICATE-----
MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy
YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2
4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC
Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1
itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn
4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X
sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft
bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA
MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG
BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D
aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd
aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH
E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly
/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu
xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF
0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae
cPUeybQ=
-----END CERTIFICATE-----
NOTE: This workaround has been verified by me personally on RHEL7 and Fedora 22. For other distros/versions, your mileage may vary.
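The comment above says the pasted certificate can be verified before it is installed; the following POSIX shell script is an added example (not part of this bug report) of what that verification looks like in practice. It assumes the openssl CLI is installed, that the first argument is the PEM file and the second is the leaf's issuer name exactly as printed on the "i:" line of the s_client output. The two checks it performs are that the PEM's subject CN is the issuer the server named, and that the PEM itself still verifies against the roots already in the system store; an intermediate that fails the second check should not be turned into a trust anchor just to make an error go away, because anything placed in anchors/ is trusted directly, regardless of the root that issued it.

```shell
#!/bin/sh
# Added example, not code from the bug report: sanity-check a PEM file before
# copying it into /etc/pki/ca-trust/source/anchors/ as the workaround suggests.
#
# Usage: check_workaround_cert <file.pem> '<issuer line from s_client "i:" output>'

# Print a certificate's subject or issuer ($2 = subject|issuer) in RFC 2253
# form with the "subject=" / "issuer=" prefix stripped (older openssl releases
# print a space after the prefix, which the sed also removes).
cert_name() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# CN of the certificate's subject; in RFC 2253 order the CN comes first.
subject_cn() {
    cert_name "$1" subject | sed -n 's/^CN=\([^,]*\).*/\1/p'
}

# CN taken from a slash-separated name such as
# /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
issuer_cn_from_line() {
    printf '%s\n' "$1" | sed -n 's#.*/CN=\([^/]*\).*#\1#p'
}

# Returns 0 when the PEM's subject CN is the issuer CN the server reported.
matches_reported_issuer() {
    [ -n "$(subject_cn "$1")" ] && \
    [ "$(subject_cn "$1")" = "$(issuer_cn_from_line "$2")" ]
}

# Returns 0 when the PEM chains to a root already in the system trust store,
# i.e. it is a legitimate intermediate and not an unknown or self-signed cert.
chains_to_trusted_root() {
    openssl verify "$1" >/dev/null 2>&1
}

check_workaround_cert() {
    pem=$1
    issuer_line=$2
    if ! matches_reported_issuer "$pem" "$issuer_line"; then
        echo "REJECT: subject CN '$(subject_cn "$pem")' is not the issuer the server named"
        return 1
    fi
    if ! chains_to_trusted_root "$pem"; then
        echo "REJECT: $pem does not verify against the roots already in the system store"
        return 1
    fi
    echo "OK: $pem is the intermediate the server omitted and chains to a trusted root."
    echo "    Install it with: cp $pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust"
}

# Run directly when both arguments are given, e.g. against the PEM from the
# workaround comment and the "i:" line from the report.
if [ "$#" -eq 2 ]; then
    check_workaround_cert "$1" "$2"
fi
```

Running it on the file from the workaround with the issuer line from the original report should report OK on a machine whose store already holds the DigiCert root; a REJECT on the second check means the certificate on disk is not what the comment claims it is, or the store is missing the root, and either way the anchor should not be added.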
This has now been fixed by the people responsible for this. Please re-open if the issue still occurs.