Arch Linux


FS#39707 - [ca-certificates] Certificate verify failed

Attached to Project: Arch Linux
Opened by Tarqi Kazan (Tarqi) - Tuesday, 01 April 2014, 09:19 GMT
Last edited by Dave Reisner (falconindy) - Thursday, 24 April 2014, 14:05 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Pierre Schmitz (Pierre)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 2
Private: No

Details

Description:
Several tools fail to verify root certificates.

Additional info:
core/ca-certificates 20140223-2
core/curl 7.36.0-1
community/ddclient 3.8.2-1

Steps to reproduce:
curl https://members.dyndns.org:
curl: (60) SSL certificate problem: unable to get local issuer certificate

ddclient (https://members.dyndns.org)
WARNING: cannot connect to members.dyndns.org:443 socket: IO::Socket::SSL: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed IO::Socket::INET configuration failed SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Notes:
Certificate on client side is the same as before.
Root-CA is DigiCert
Firefox successfully connects

Closed by: Dave Reisner (falconindy), Thursday, 24 April 2014, 14:05 GMT
Reason for closing: Fixed
Additional comments about closing: ca-certificates 20140325-1

Comment by Tarqi Kazan (Tarqi) - Tuesday, 01 April 2014, 11:40 GMT
Correction: Certificate on the *SERVER* side is the same as before (not the client side as proposed in the bug report).

Comment by kyak (kyak) - Friday, 04 April 2014, 11:45 GMT
I was able to work around this issue by setting server=members.dyndns.com, instead of members.dyndns.org in /etc/ddclient/ddclient.conf.

Comment by Tarqi Kazan (Tarqi) - Friday, 04 April 2014, 15:21 GMT
I can confirm this, members.dyndns.com works. However, I compared the certs of .com / .org and they both look good and identical (besides CN and so on). Also, Firefox on Linux and Windows opens both sites without problems. Since the certificates are not new and worked before, I suppose it has something to do with the latest ca-certificates update.

Comment by Jens Adam (byte) - Sunday, 06 April 2014, 02:00 GMT
Verified.
core/ca-certificates -> curl -vI http://members.dyndns.org -> fails, "curl: (60) SSL certificate problem: unable to get local issuer certificate"

testing/ca-certificates works.

[edit: Greetings from Düsseldorf ;]
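
Added example (not part of the bug report or any comment): the "one bundle fails, another works" comparison above can be reproduced offline by verifying the same leaf certificate against two CA bundles. It assumes the failing bundle lacked the root that issued the server chain (the thread does not state the exact cause); all certificates, the host name `members.example.test` and the file names are constructed test fixtures.

```bash
#!/bin/sh
# Added example: all certificates are constructed test fixtures,
# not the real members.dyndns.org / DigiCert chain.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA named $1 ($WORK/$1.key, $WORK/$1.pem).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue $WORK/leaf.pem for host $2, signed by root $1.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -days 30 -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# Verify the leaf against bundle $1 and classify the result.
# The output text is parsed instead of relying on the exit status.
check_bundle() {
  out=$(openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1)
  case "$out" in
    *"unable to get local issuer certificate"*) echo "missing-issuer" ;;
    *": OK"*) echo "ok" ;;
    *) echo "other-failure" ;;
  esac
}

make_root issuing-root      # the root the server chain actually needs
make_root unrelated-root    # some other root that is still in the bundle
make_leaf issuing-root members.example.test

# "old" bundle lacks the issuing root; "new" bundle contains it.
cat "$WORK/unrelated-root.pem" > "$WORK/old-bundle.pem"
cat "$WORK/unrelated-root.pem" "$WORK/issuing-root.pem" > "$WORK/new-bundle.pem"

echo "old bundle: $(check_bundle "$WORK/old-bundle.pem")"
echo "new bundle: $(check_bundle "$WORK/new-bundle.pem")"
```

The server certificate is identical in both runs; only the trust bundle differs, which is why a client with its own root store can connect while tools reading the system bundle report error 60.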

Comment by Tarqi Kazan (Tarqi) - Monday, 07 April 2014, 23:22 GMT
OT: Seems the bugtracker is going to be a social network, see comment https://bugs.archlinux.org/task/39742#comment121387 and below. I will stop this now, because I fear the admins will not like it :) (Greetings back, from the Rhine and not the Moselle... ;))
