Public bug reported:

I started seeing certificate errors in curl recently on Ubuntu 16.04. Here's an example:

$ curl -svo /dev/null --resolve ngrok.com:443:34.211.12.31 https://ngrok.com/
* Added ngrok.com:443:34.211.12.31 to DNS cache
* Hostname ngrok.com was found in DNS cache
* Trying 34.211.12.31...
* Connected to ngrok.com (34.211.12.31) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0

I have the latest version of ca-certificates installed.

On Ubuntu 20.04 everything works fine:

$ curl -svo /dev/null --resolve ngrok.com:443:34.211.12.31 https://ngrok.com/
* Added ngrok.com:443:34.211.12.31 to DNS cache
* Hostname ngrok.com was found in DNS cache
* Trying 34.211.12.31:443...
* TCP_NODELAY set
* Connected to ngrok.com (34.211.12.31) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4439 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.ngrok.com
* start date: Mar 10 00:00:00 2020 GMT
* expire date: Mar 10 23:59:59 2021 GMT
* subjectAltName: host "ngrok.com" matched cert's "ngrok.com"
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
* SSL certificate verify ok.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: ca-certificates 20170717~16.04.2
ProcVersionSignature: Ubuntu 4.15.0-101.102~16.04.1-generic 4.15.18
Uname: Linux 4.15.0-101-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.23
Architecture: amd64
Date: Mon Jun 1 13:51:14 2020
InstallationDate: Installed on 2011-04-14 (3336 days ago)
InstallationMedia: Ubuntu-Server 10.04.2 LTS "Lucid Lynx" - Release amd64 (20110211.1)
PackageArchitecture: all
ProcEnviron:
 TERM=screen.xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: ca-certificates
UpgradeStatus: Upgraded to xenial on 2016-07-30 (1401 days ago)

** Affects: ca-certificates (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug xenial

https://bugs.launchpad.net/bugs/1881582

Title:
  ca-certificates missing some root CA