This update seems to have broken our web app that uses some popular
libraries that depend on curl() and use their cacert.pem files (provided
with the given library) to verify the connection.

Please note that it can be that effectively running an "apt-get update;
apt-get upgrade" (or having autoupdates enabled) breaks web apps that
use these popular libraries (and maybe other libraries with similar age
/ setup).

Exact reason unknown. Surprising problem, seeing that the libraries try
to use their own cacerts. Restoring the last known good ca-certificates
package and holding it fixes the problem (I guess disabling the check in
PHP would also do) but I reckon these are just temporary solutions.

$ uname -a
Linux [REDACTED] 3.2.0-88-generic #126-Ubuntu SMP Mon Jul 6 21:33:03 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

$ php -v
PHP 5.3.10-1ubuntu3.21 with Suhosin-Patch (cli) (built: Oct 28 2015 01:43:56)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies

$ curl -V
curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

(excerpt from /var/log/apt/history.log)
Start-Date: 2016-02-26  06:36:41
Upgrade: libgnutls26:amd64 (2.12.14-5ubuntu3.11, 2.12.14-5ubuntu3.12), libssl-dev:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), libssl-doc:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), openssl:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), ca-certificates:amd64 (20141019ubuntu0.12.04.1, 20160104ubuntu0.12.04.1), libssl1.0.0:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34)
End-Date: 2016-02-26  06:36:52

Error message: SSL certificate problem, verify that the CA cert is OK.
Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Libraries known to be affected: 
- Mailchimp API library for PHP. Exact version unknown; Mailchimp.php probably 
as of March 2014, filesize 13593 bytes.
- Rackspace Cloud Files API library for PHP. Exact version unknown; 
cloudfiles.php probably as of May 2010, filesize 77154 bytes.

FTR, our hotfix was:
- Going on a machine that has the same OS version and does not have the patch 
installed yet
- sudo apt-get install dpkg-repack; sudo dpkg-repack ca-certificates
- Copying the generated .deb file to the affected server and installing it
- apt-mark hold ca-certificates

It'd be great if someone could identify the root cause of this and
either provide a fix or communicate the effects of applying this patch
to the community.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1528645

Title:
  Please update ca-certificates on Trusty

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1528645/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
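
To correlate a sudden "certificate verify failed" with package changes like those in the excerpt above, this added example (not part of the original post) parses apt history.log text and lists upgrades of trust-store and TLS packages. The function names and the watch list are assumptions; the sample is constructed from the post's excerpt, with the line wrapping an e-mail client introduces.

```python
import re

# Field names apt writes to /var/log/apt/history.log.
FIELDS = ("Start-Date", "Commandline", "Requested-By", "Install", "Upgrade",
          "Downgrade", "Remove", "Purge", "End-Date")
# Assumed watch list: packages in the excerpt that affect TLS verification.
TLS_PACKAGES = {"ca-certificates", "openssl", "libssl1.0.0", "libgnutls26"}
# One "name:arch (old, new)" entry inside an Upgrade: field.
ENTRY = re.compile(r"([^\s:,()]+):(\S+)\s+\(([^,()]+),\s*([^()]+)\)")

def parse_history(text):
    """Split history.log text into transactions, each a {field: value} dict."""
    transactions, current, key = [], None, None
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name in FIELDS:
            if name == "Start-Date" or current is None:
                current = {}
                transactions.append(current)
            key = name
            current[key] = rest.strip()
        elif line.strip() and current is not None:
            # Continuation of a field that was hard-wrapped in transit.
            current[key] += " " + line.strip()
    return transactions

def tls_upgrades(text):
    """Return (start_date, package, old, new) for each watched upgrade."""
    hits = []
    for tx in parse_history(text):
        for pkg, _arch, old, new in ENTRY.findall(tx.get("Upgrade", "")):
            if pkg in TLS_PACKAGES:
                hits.append((tx.get("Start-Date"), pkg, old.strip(), new.strip()))
    return hits

# Constructed sample: the excerpt from the post, wrapped as in the e-mail.
SAMPLE = """Start-Date: 2016-02-26  06:36:41
Upgrade: libgnutls26:amd64 (2.12.14-5ubuntu3.11, 2.12.14-5ubuntu3.12),
libssl-dev:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), libssl-doc:amd64
(1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), openssl:amd64 (1.0.1-4ubuntu5.33,
1.0.1-4ubuntu5.34), ca-certificates:amd64 (20141019ubuntu0.12.04.1,
20160104ubuntu0.12.04.1), libssl1.0.0:amd64 (1.0.1-4ubuntu5.33,
1.0.1-4ubuntu5.34)
End-Date: 2016-02-26  06:36:52
"""

if __name__ == "__main__":
    for hit in tls_upgrades(SAMPLE):
        print(hit)
```
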
