Score:0

Ubuntu cannot verify Sectigo certificate

ru flag
jdm

On a server we administer for a customer, no application can access certain HTTPS URLs, for example:

$ wget https://open-data.bielefeld.de/sites/default/files/alters_und_geschlechtsstruktur_ende2011bismitte2022.csv
--2022-12-21 15:59:58--  https://open-data.bielefeld.de/sites/default/files/alters_und_geschlechtsstruktur_ende2011bismitte2022.csv
Resolving open-data.bielefeld.de (open-data.bielefeld.de)... 194.8.223.72
Connecting to open-data.bielefeld.de (open-data.bielefeld.de)|194.8.223.72|:443... connected.
ERROR: cannot verify open-data.bielefeld.de's certificate, issued by ‘CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB’:
  Unable to locally verify the issuer's authority.
To connect to open-data.bielefeld.de insecurely, use `--no-check-certificate'.

Multiple programs (including R and Python scripts) have this problem, but I can access the URL from my desktop browser just fine. I assume there is a problem with the root certificates or the certificate chain. The server is running Ubuntu 20.04 LTS, and all packages are up to date. What could cause this problem, and is there a way I can fix it (safely and simply) on my side?

Steffen Ullrich avatar
se flag
This question [seems to be off-topic](https://serverfault.com/help/on-topic) at serverfault.com. But in short: the server setup is broken, i.e. it is not serving the needed chain certificates. See [the SSLLabs report](https://www.ssllabs.com/ssltest/analyze.html?d=open-data.bielefeld.de) for details.
ru flag
jdm
Well, I am "managing information technology systems in a business environment" and since I didn't know the problem was on the remote server's side, the solution might as well have been to update my certificate store, so I think the question is very much on topic (even though the clean solution is not :-)). Also, I still prefer a solution on my side, since I cannot contact every admin on whose server this problem occurs (e.g. fetch the intermediate certificates like a browser does and install them on my server in an automated fashion).
Steffen Ullrich avatar
se flag
*"Well, I am "managing information technology systems in a business environment""* - no such context was given. All that was stated is the OS and that you used wget - both are widely used outside of the scope of this site. As for the solution: you can fetch the missing intermediate CA (just google the fingerprint shown in SSLLabs) and install it on your system like you would do with a root CA. In theory this could be automated: follow the URL in "CA Issuers" given in the AIA section of the certificate. But I don't know of a tool which does this for you.
Score:0
ru flag
jdm

Indeed a certificate was missing, not a root certificate but an intermediate certificate. HTTPS servers are supposed to send all certs in the chain (minus the root) with their response, but some servers don't. Web browsers can cope with this by using a technique called AIA (Authority Information Access) chasing*, however many other clients don't implement this.

As Steffen Ullrich mentioned in his comment, you can find the missing certificate and install it on your system.

First get the certificate. You can do it manually by checking the site on SSLLabs, and googling the fingerprint of the missing cert. The certificate should be in PEM format (base64 encoded with BEGIN and END CERTIFICATE). I've also written a script to fetch the certificate via AIA before I realized one can do it manually: https://github.com/jdmansour/fetch-intermediate-certs

Then, to import the cert on Ubuntu/Debian, place it into /usr/share/ca-certificates/extra (create the directory if necessary) and run sudo dpkg-reconfigure ca-certificates. It will ask you if it should trust new certificates on system updates - choose any option you like, I think "yes" is the default. In the next screen, you can enable your new certificate. It should be picked up by most tools that use OpenSSL immediately.


*) As far as I know, Firefox doesn't implement AIA, but it somehow works there too.
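The AIA chasing the answer describes, as an added example that is not the answer's own script (the GitHub link above) nor code from any project it mentions. It uses only the Python standard library: a small DER walker pulls the "CA Issuers" URL out of the leaf certificate's Authority Information Access extension (RFC 5280, 4.2.2.1), the chain is followed upward with a hop limit, and nothing is installed unless `openssl verify` confirms it already chains to a root in the system store. It assumes Debian/Ubuntu paths (`/usr/local/share/ca-certificates`, `/etc/ssl/certs/ca-certificates.crt`, `update-ca-certificates`) and an `openssl` binary on `PATH`; the fixture at the bottom is a constructed fragment with invented hostnames, not a real certificate.

```python
# AIA chasing (RFC 5280 4.2.2.1) with the Python standard library only: read the leaf's Authority
# Information Access extension, follow 'CA Issuers' to the missing intermediate(s) and install them.
import os, socket, ssl, subprocess, urllib.request

OID_AIA = "1.3.6.1.5.5.7.1.1"          # id-pe-authorityInfoAccess
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
TAG_URI = 0x86                          # GeneralName [6] uniformResourceIdentifier
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"   # Debian/Ubuntu default (assumed)

def der_iter(buf):
    """Yield (tag, value) for each TLV in a DER blob (definite lengths only)."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                             # long form: 0x8n, then n length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def decode_oid(value):
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:                               # base-128 arcs, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n)); n = 0
    return ".".join(parts)

def find_extension(cert_der, oid):
    """Depth-first search for Extension ::= SEQUENCE {extnID, [critical], extnValue OCTET STRING}."""
    stack = [cert_der]
    while stack:
        kids = list(der_iter(stack.pop()))
        if len(kids) in (2, 3) and kids[0][0] == 0x06 and kids[-1][0] == 0x04 \
                and decode_oid(kids[0][1]) == oid:
            return kids[-1][1]
        stack.extend(v for t, v in kids if t & 0x20)  # descend into constructed types only
    return None

def ca_issuers_urls(cert_der):
    """'CA Issuers' URIs from the AIA extension, in certificate order ([] if none)."""
    ext = find_extension(cert_der, OID_AIA)
    if ext is None:
        return []
    (_, aia), = der_iter(ext)                         # SEQUENCE OF AccessDescription {method OID, location}
    descs = [tuple(der_iter(d)) for _, d in der_iter(aia)]
    return [loc.decode("ascii") for (_, m), (t, loc) in descs
            if decode_oid(m) == OID_CA_ISSUERS and t == TAG_URI]

def leaf_cert_der(host, port=443):
    """Leaf cert as DER. Verification is off on purpose: we only read AIA from it and never trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as s, ctx.wrap_socket(s, server_hostname=host) as t:
        return t.getpeercert(binary_form=True)

def fetch_der(url):
    """Download an issuer cert (usually DER, sometimes PEM). Plain http is fine: trust comes from the signature check in install_debian."""
    with urllib.request.urlopen(url, timeout=10) as r:
        data = r.read()
    return ssl.PEM_cert_to_DER_cert(data.decode()) if data.startswith(b"-----BEGIN") else data

def chase_chain(leaf_der, fetch=fetch_der, max_hops=5):
    """Follow CA Issuers upward; [(url, der), ...] per cert fetched. Stops at a cert without AIA (normally the root) or after max_hops."""
    found, cur = [], leaf_der
    for _ in range(max_hops):
        urls = ca_issuers_urls(cur)
        if not urls:
            break
        cur = fetch(urls[0])
        found.append((urls[0], cur))
    return found

def install_debian(url, der, store="/usr/local/share/ca-certificates"):
    """Write PEM into the local CA dir and rebuild /etc/ssl/certs (root). Refuses a cert that does not already chain to a trusted root."""
    path = os.path.join(store, os.path.basename(url).rsplit(".", 1)[0] + ".crt")
    os.makedirs(store, exist_ok=True)
    with open(path, "w") as f:
        f.write(ssl.DER_cert_to_PEM_cert(der))
    if subprocess.run(["openssl", "verify", "-CAfile", SYSTEM_BUNDLE, path]).returncode != 0:
        os.remove(path)                               # never leave an unverified cert where it would become a trust anchor
        raise RuntimeError(f"{url}: does not chain to a trusted root; not installed")
    subprocess.run(["update-ca-certificates"], check=True)
    return path

# Constructed fixture (not a real certificate) so the parser can be exercised offline.
def der(tag, body):                                   # tiny DER encoder; short-form lengths suffice here
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):                               # enough for the OIDs above (every arc < 128)
    p = [int(x) for x in dotted.split(".")]
    return bytes([40 * p[0] + p[1]] + p[2:])

def sample_extensions():
    """Extensions [3] of a tbsCertificate: one AIA extension with an OCSP and a CA Issuers entry (made-up hosts)."""
    def access(oid, uri):
        return der(0x30, der(0x06, encode_oid(oid)) + der(TAG_URI, uri))
    aia = der(0x30, access("1.3.6.1.5.5.7.48.1", b"http://ocsp.example.test")
                    + access(OID_CA_ISSUERS, b"http://crt.example.test/IntermediateCA.crt"))
    ext = der(0x30, der(0x06, encode_oid(OID_AIA)) + der(0x04, aia))
    return der(0x30, der(0xA3, der(0x30, ext)))
```

Usage on a real host is `for url, cert in reversed(chase_chain(leaf_cert_der("open-data.bielefeld.de"))): install_debian(url, cert)`, nearest the root first so each `openssl verify` can succeed. Two points worth keeping in mind: `/usr/local/share/ca-certificates` is read by `update-ca-certificates` without the interactive `dpkg-reconfigure` step the answer uses for `/usr/share/ca-certificates/extra`; and whatever lands in either directory becomes a local trust anchor, so it stays trusted on this machine even if its root is later distrusted or the intermediate is revoked, which is why the verify-before-install check is not optional and why the installed file should be removed once the remote server fixes its chain.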

zifot avatar
gd flag
Context for Firefox: https://blog.mozilla.org/security/2020/11/13/preloading-intermediate-ca-certificates-into-firefox/