Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#11284 closed Bug/Something is broken (fixed)

Upgrade /etc/ssl/certs/ca-certificates.crt on stallman?

Reported by: https://id.mayfirst.org/srevilak Owned by: https://id.mayfirst.org/srevilak
Priority: Low Component: Tech
Keywords: ca-certificates.crt, stallman Cc:
Sensitive: no

Description

While upgrading roundcube-dev on stallman, I ran into a certificate error. The error was reported via composer, but I can reproduce it directly with git.

0 stallman:/tmp/foo# git clone https://git.kolab.org/diffusion/PNL/php-net_ldap.git
Cloning into 'php-net_ldap'...
error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://git.kolab.org/diffusion/PNL/php-net_ldap.git/info/refs
fatal: HTTP request failed

Attempting the same on my home machine (SuSE 13.2) doesn't produce a validation error.

0 sunny:tmp$ git clone https://git.kolab.org/diffusion/PNL/php-net_ldap.git
Cloning into 'php-net_ldap'...
remote: Counting objects: 428, done.
remote: Compressing objects: 100% (247/247), done.
remote: Total 428 (delta 98), reused 384 (delta 82)
Receiving objects: 100% (428/428), 113.94 KiB | 0 bytes/s, done.
Resolving deltas: 100% (98/98), done.
Checking connectivity... done.

I looked at git.kolab.org's certificate:

0 sunny:tmp$ openssl s_client -connect git.kolab.org:443 </dev/null | openssl x509 -text -noout
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.kolab.org
verify return:1
DONE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            38:4c:29:50:c4:08:ab:77:14:c2:27:03:97:3e:23:d1
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Sep 10 00:00:00 2012 GMT
            Not After : Sep  9 23:59:59 2017 GMT
        Subject: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.kolab.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7

            X509v3 Subject Key Identifier: 
                52:46:5B:EB:85:8F:6F:80:B6:5D:D0:C4:41:66:AA:6D:01:BF:6A:BA
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://secure.comodo.com/CPS
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl

            Authority Information Access: 
                CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com

            X509v3 Subject Alternative Name: 
                DNS:*.kolab.org, DNS:kolab.org
    Signature Algorithm: sha256WithRSAEncryption

This may be as simple as adding http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt to our CAfile. Or, we can just not worry about it.

Change History (6)

comment:1 Changed 3 years ago by https://id.mayfirst.org/srevilak

The CA certificate is:

1 sunny:tmp$ openssl x509 -in COMODORSADomainValidationSecureServerCA.crt -inform DER

I don't see anything in our puppet repository that looks like a ca-certificates.crt.

Any objections to adding the CA directly on stallman?

comment:2 Changed 3 years ago by https://id.mayfirst.org/srevilak

  • Owner set to https://id.mayfirst.org/srevilak
  • Status changed from new to assigned

comment:3 Changed 3 years ago by https://id.mayfirst.org/jamie

I've noticed some certificates have been added in Debian Jessie - so I suspect this one may be similar.

I think the best long term strategy would be to upgrade stallman.

Adding it to ca-certificates.crt in the short term is perfectly fine. I'm pretty sure that file is auto-generated by the ca-certificates package, so it will get replaced automatically when we upgrade.

jamie

comment:4 Changed 3 years ago by https://id.mayfirst.org/srevilak

I'll try to follow Debian's workflow.

According to update-ca-certificates(8), .crt files in /usr/local/share/ca-certificates are implicitly trusted. update-ca-certificates updates the contents of the /etc/ssl/certs directory. The man page implies that update-ca-certificates constructs /etc/ssl/certs/ca-certificates.crt.

Create a backup:

0 stallman:/etc/ssl# tar -zcpvf /tmp/certs.tgz certs

Created this .crt file:

0 stallman:/usr/local/share/ca-certificates# ls -l /usr/local/share/ca-certificates/COMODORSADomainValidationSecureServerCA.crt 
-rw-r--r-- 1 root root 2151 Dec 21 21:51 /usr/local/share/ca-certificates/COMODORSADomainValidationSecureServerCA.crt

Now, let's try the update:

0 stallman:/usr/local/share/ca-certificates# update-ca-certificates -v
Updating certificates in /etc/ssl/certs... Doing .
NetLock_Express_=Class_C=_Root.pem => 2ab3b959.0
NetLock_Express_=Class_C=_Root.pem => 635ccfd5.0
Certigna.pem => e113c810.0
Certigna.pem => fde84897.0
COMODO_ECC_Certification_Authority.pem => eed8c118.0
COMODO_ECC_Certification_Authority.pem => 89c02a45.0
  ...
Root_CA_Generalitat_Valenciana.pem => 0810ba98.0
Root_CA_Generalitat_Valenciana.pem => fb126c6d.0
COMODORSADomainValidationSecureServerCA.pem => 8d28ae65.0  <<<<<<<<<<< NEW
COMODORSADomainValidationSecureServerCA.pem => 01017373.0
CA_Disig.pem => b6c5745d.0
CA_Disig.pem => d64f06f3.0
A-Trust-nQual-03.pem => 9c472bf7.0
A-Trust-nQual-03.pem => c3a6a9ad.0
  ...
Certum_Root_CA.pem => 442adcac.0
Certum_Root_CA.pem => 6e8bf996.0
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

As far as I can tell, the new certificate took, but that doesn't solve my validation warnings.

0 stallman:/tmp/foo# git clone https://git.kolab.org/diffusion/PNL/php-net_ldap.git
Cloning into 'php-net_ldap'...
error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://git.kolab.org/diffusion/PNL/php-net_ldap.git/info/refs
fatal: HTTP request failed

Will try again tomorrow.

comment:5 Changed 3 years ago by https://id.mayfirst.org/srevilak

  • Resolution set to fixed
  • Status changed from assigned to closed

Comodo has a list of their intermediate CAs here: https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/108

I needed to add one more intermediate CA to stallman's CA certificates.

$ mv comodorsaaddtrustca.crt /usr/local/share/ca-certificates/

Update CA certificates:

0 stallman:~# update-ca-certificates -v
 ...
1 added, 0 removed; done.

Now, we can validate git.kolab.org:

0 stallman:/tmp/foo# git clone https://git.kolab.org/diffusion/PNL/php-net_ldap.git
Cloning into 'php-net_ldap'...
remote: Counting objects: 428, done.
remote: Compressing objects: 100% (247/247), done.
remote: Total 428 (delta 98), reused 384 (delta 82)
Receiving objects: 100% (428/428), 113.94 KiB, done.
Resolving deltas: 100% (98/98), done.
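An added example (not part of the ticket, nor May First's puppet repository) of the checks a practitioner would run before and after the procedure in comments 4 and 5: confirm a downloaded .crt really is an unexpired CA certificate before dropping it into /usr/local/share/ca-certificates, and verify a server's leaf against the bundle while treating served intermediates as untrusted, which reproduces the "missing intermediate" failure seen on stallman. It assumes only that `openssl` is on PATH; function names and the fetch helper (which needs network access) are the author's own.

```shell
#!/bin/sh
# Added example, not from the ticket: pre-flight checks for a certificate
# about to be installed under /usr/local/share/ca-certificates, plus a chain
# check against the bundle that update-ca-certificates writes.

# Print PEM for a certificate file that may be DER (as the Comodo download
# was, hence "-inform DER" in comment 1) or already PEM.
to_pem() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then cat "$1"
  else openssl x509 -inform DER -in "$1"; fi
}

# Succeed only if the file is a CA certificate (Basic Constraints CA:TRUE)
# that has not expired. update-ca-certificates itself does not check either,
# so a leaf or a stale intermediate would be installed as a trust anchor.
is_usable_ca() {
  pem=$(to_pem "$1") || return 1
  printf '%s\n' "$pem" | openssl x509 -noout -text | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null
}

# Verify LEAF against BUNDLE (e.g. /etc/ssl/certs/ca-certificates.crt); any
# further arguments are intermediates passed as untrusted, the way a server
# would send them. Usage: chain_verifies BUNDLE LEAF [INTERMEDIATE...]
chain_verifies() {
  bundle=$1; leaf=$2; shift 2
  for i in "$@"; do shift; set -- "$@" -untrusted "$i"; done
  openssl verify -CAfile "$bundle" "$@" "$leaf" >/dev/null 2>&1
}

# Save every certificate HOST sends, leaf first, as DIR/chain-N.pem so the
# served chain can be checked with chain_verifies. Needs network access.
fetch_served_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    awk -v d="$2" '/BEGIN CERTIFICATE/{n++; f=d "/chain-" n ".pem"} f{print > f} /END CERTIFICATE/{f=""}'
}
```

If `chain_verifies` passes only when the intermediates are supplied as untrusted, the server is sending an incomplete chain or the local bundle lacks the root, which is the situation the ticket worked around by installing the intermediates locally.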

comment:6 Changed 3 years ago by https://id.mayfirst.org/jaimev

Thanks for resolving this and for the great documentation srevilak.
