Hide Forgot
Description of problem: /etc/pki/tls/certs/ca-bundle.crt is missing at least this certificate: (from https://www.verisign.com/support/roots.html) ### VeriSign Class 3 Primary CA - G5 Description: This root CA is the root used for VeriSign Extended validation Certificates and should be included in root stores. During Q4 2010 this root will also be the primary root used for all VeriSign SSL and Code Signing certificates. Country = US Organization = VeriSign, Inc. Organizational Unit = VeriSign Trust Network Organizational Unit = (c) 2006 VeriSign, Inc. - For authorized use only Common Name = VeriSign Class 3 Public Primary Certification Authority - G5 Serial Number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a Operational Period: Tue, November 07, 2006 to Wed, July 16, 2036 Certificate SHA1 Fingerprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5 Key Size: RSA(2048Bits) Signature Algorithm: sha1RSA ### Version-Release number of selected component (if applicable): openssl-0.9.8e-12.el5_5.7 How reproducible: 100% Steps to Reproduce - approach A 1. grep -i 'VeriSign Class 3 Public Primary Certification Authority - G5' /etc/pki/tls/certs/ca-bundle.crt Actual results: No match Expected results: Match Steps to Reproduce - approach B 1. wget https://www.cern.ch Actual results: Download fails: --2011-02-07 10:27:19-- https://www.cern.ch/ Resolving www.cern.ch... 137.138.144.168 Connecting to www.cern.ch|137.138.144.168|:443... connected. ERROR: cannot verify www.cern.ch's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA': Unable to locally verify the issuer's authority. To connect to www.cern.ch insecurely, use `--no-check-certificate'. Unable to establish SSL connection. Expected results: Download succeeds: --2011-02-07 10:28:43-- https://www.cern.ch/ Resolving www.cern.ch... 137.138.144.168 Connecting to www.cern.ch|137.138.144.168|:443... connected. HTTP request sent, awaiting response... 302 Found Location: https://user.web.cern.ch/user/ [following] --2011-02-07 10:28:43-- https://user.web.cern.ch/user/ Resolving user.web.cern.ch... 137.138.144.161 Connecting to user.web.cern.ch|137.138.144.161|:443... connected. HTTP request sent, awaiting response... 302 Object moved Location: https://public.web.cern.ch/public [following] --2011-02-07 10:28:43-- https://public.web.cern.ch/public Resolving public.web.cern.ch... 137.138.144.161 Connecting to public.web.cern.ch|137.138.144.161|:443... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: https://public.web.cern.ch/public/ [following] --2011-02-07 10:28:44-- https://public.web.cern.ch/public/ Reusing existing connection to public.web.cern.ch:443. HTTP request sent, awaiting response... 200 OK Length: 10553 (10K) [text/html] Saving to: “index.html” 100%[======================================>] 10,553 --.-K/s in 0s 2011-02-07 10:28:44 (151 MB/s) - “index.html” saved [10553/10553] Additional info: This certificate is included in ca-certificates-2010.63-3.el6.noarch on RHEL6.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1010.html