Score:11

How to install latest ca-certificates on Ubuntu 14

sm flag

I have an Ubuntu 14.04.5 LTS installation. It just recently became unable to verify modern Let's Encrypt certificates. The current version of ca-certificates is 20160104ubuntu0.14.04.1. apt search ca-certificates tells me that the package is upgradeable to 20170717~14.04.2 from trusty-updates, but I think that's probably not modern enough.

I see ca-certificates version 20210119~18.04.2 in bionic-updates. Is it possible to install this without disrupting the system? Is there a better way? Thanks.

in flag
Unfortunately 14.04 is not supported on this site. If you have [ESM with Canonical](https://ubuntu.com/blog/ubuntu-14-04-and-16-04-lifecycle-extended-to-ten-years) then they may be able to provide an accurate answer
guiverc
cn flag
Only supported releases of Ubuntu (*standard or public support*) are on-topic for this site. Ubuntu 14.04 LTS is EOL (*end-of-life*) thus off-topic, and Ubuntu 14.04 ESM is in *extended* support and only supported by Canonical via Ubuntu Advantage thus also off-topic here. Refer https://askubuntu.com/help/on-topic https://help.ubuntu.com/community/EOLUpgrades https://fridge.ubuntu.com/2019/05/02/ubuntu-14-04-trusty-tahr-reached-end-of-life-on-april-25-2019-esm-available/
Score:11
ae flag

You can install the latest stable certs from source (you'll need a working wget and unxz, or at least a way of copying the uncompressed .tar file or its contents onto your target server, perhaps just scp -r once you've extracted it locally):

# Ensure dependencies (the certdata2pem step of the build also needs python3 and openssl)
sudo apt -y install make tar xz-utils wget python3 openssl

# Make a place to build it in
mkdir -p ~/src
cd ~/src
VERSION=20210119~20.04.2
wget https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ca-certificates/$VERSION/ca-certificates_$VERSION.tar.xz
tar -xJf ca-certificates_$VERSION.tar.xz

# Now build and install (the tarball unpacks into a directory named after the same version)
cd ca-certificates-$VERSION
make
sudo make install

# You might want to run this interactively to ensure
# you can select the ISRG Root X1
# in which case, just run: sudo dpkg-reconfigure ca-certificates
sudo dpkg-reconfigure -fnoninteractive ca-certificates
sudo update-ca-certificates
# rehash writes symlinks into /etc/ssl/certs, so it needs root too
sudo /usr/bin/c_rehash /etc/ssl/certs
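Added example, not part of the answer above: a POSIX shell script that does non-interactively what the interactive `dpkg-reconfigure ca-certificates` step does by hand, namely toggle entries in a copy of `/etc/ca-certificates.conf` (enable `mozilla/ISRG_Root_X1.crt`, disable `mozilla/DST_Root_CA_X3.crt` by prefixing it with `!`, which is the same mechanism as the OpenSSL workaround quoted in the comments), and then check the resulting certs directory for the two files the comments tell you to look for. The function names, the constructed sample conf and the temporary directory are mine; on a real box you would run it against `/etc/ca-certificates.conf` itself, keep the `.orig` backup, and follow it with `sudo update-ca-certificates --fresh`, which reads that file.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes the format that
# update-ca-certificates reads: one "mozilla/<Name>.crt" entry per line,
# a leading "!" meaning "disabled", "#" lines being comments.

# set_cert_state CONF NAME enable|disable
# Flip the mozilla/NAME.crt line in CONF. The pattern is anchored to the
# whole line, so a second run is a no-op (no "!!" or "//" creep) and an entry
# that merely shares a prefix with NAME is never touched.
set_cert_state() {
  conf=$1; name=$2; state=$3
  case $state in
    enable)  sedexpr="s|^!mozilla/$name\\.crt\$|mozilla/$name.crt|" ;;
    disable) sedexpr="s|^mozilla/$name\\.crt\$|!mozilla/$name.crt|" ;;
    *) echo "usage: set_cert_state CONF NAME enable|disable" >&2; return 2 ;;
  esac
  sed "$sedexpr" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf" || return 1
  # A bundle that predates the cert simply does not list it: report that
  # instead of silently doing nothing.
  grep -Eq "^!?mozilla/$name\\.crt\$" "$conf"
}

# cert_state CONF NAME -> prints enabled, disabled or missing
cert_state() {
  if grep -q "^mozilla/$2\\.crt\$" "$1"; then echo enabled
  elif grep -q "^!mozilla/$2\\.crt\$" "$1"; then echo disabled
  else echo missing; fi
}

# check_certs_dir DIR
# Returns 0 only if the new Let's Encrypt root is present and the expired
# DST root is gone, i.e. the two things the comments below ask you to check.
check_certs_dir() {
  dir=$1; ok=0
  if [ ! -e "$dir/ISRG_Root_X1.pem" ]; then
    echo "missing $dir/ISRG_Root_X1.pem: enable it and rerun update-ca-certificates" >&2
    ok=1
  fi
  if [ -e "$dir/DST_Root_CA_X3.pem" ]; then
    echo "expired $dir/DST_Root_CA_X3.pem is still present: disable it" >&2
    ok=1
  fi
  return $ok
}

# demo: constructed conf fragment and fake certs dir in a temp dir,
# so the script runs offline without touching /etc.
demo() {
  tmp=$(mktemp -d)
  conf="$tmp/ca-certificates.conf"
  certs="$tmp/certs"
  mkdir "$certs"
  # Constructed sample: the state a fresh build leaves you in when the old
  # DST root is still enabled and the new ISRG root was not selected.
  cat > "$conf" <<'EOF'
# lines starting with # are comments; lines starting with ! are disabled
mozilla/DST_Root_CA_X3.crt
!mozilla/ISRG_Root_X1.crt
mozilla/ISRG_Root_X2.crt
EOF
  cp "$conf" "$conf.orig"              # keep a backup, as the workaround does
  set_cert_state "$conf" ISRG_Root_X1 enable
  set_cert_state "$conf" DST_Root_CA_X3 disable
  echo "ISRG_Root_X1:   $(cert_state "$conf" ISRG_Root_X1)"
  echo "DST_Root_CA_X3: $(cert_state "$conf" DST_Root_CA_X3)"
  # Stand-in for what update-ca-certificates would then write (empty file,
  # constructed; only the file name is checked here).
  : > "$certs/ISRG_Root_X1.pem"
  check_certs_dir "$certs" && echo "trust store looks right"
  rm -rf "$tmp"
}

demo
```

The anchored `sed` is the point: a bare `s|mozilla/DST_Root_CA_X3.crt|!mozilla/...|` rewrites an already disabled line into `!!mozilla/...`, which `update-ca-certificates` will not recognise as either state, and nothing in the procedure above tells you that happened.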
cg flag
I ran through this and it generated a lot of new certificates in `/usr/share/ca-certificates/mozilla`, as well as `/etc/ssl/certs/ca-certificates.crt`. But `curl` still fails to validate certificates, even with `--cacert /etc/ssl/certs/ca-certificates.crt`
sm flag
This answer was very helpful. First, in `sbin/update-ca-certificates`, I had to change `openssl rehash` to `c_rehash` (I studied an older version of `ca-certificates`). I also had to do `dpkg-reconfigure ca-certificates` (interactively) to enable the Let's Encrypt ISRG X1 certs. Then I did `update-ca-certificates --fresh --verbose`. Make sure `/etc/ssl/certs` has some `ISRG Root X1` symlinks.
ae flag
@daniel-buckmaster, check a couple of things. Do you have `ls -l /etc/ssl/certs/ISRG_Root_X1.pem`? If you don't, then try the interactive `dpkg-reconfigure` suggested above. If you do, ensure you *don't* have `/etc/ssl/certs/DST_Root_CA_X3.pem` (the expired cert); again, you can interactively deselect it in `dpkg-reconfigure ca-certificates`. What openssl library is curl using? Run `curl -V` and it will show you. Hopefully it's a 1.0.x like `OpenSSL/1.0.1f` and not an `OpenSSL/0.9.7`
de flag
ttk
I followed all the steps above, but `curl` was still complaining. In my case, `openssl c_rehash` command was failing in the `update-ca-certificates` script. I tried force reinstalling the `openssl` apt package but that didn't help. What finally solved my problem is `cd /etc/ssl/certs` then running the rehash script directly: `/usr/bin/c_rehash`.
Ariel Kogan
cx flag
Thanks @user1389892 for this question.
Ariel Kogan
cx flag
Let's Encrypt have an announcement [page](https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/) with links to resources.
Ariel Kogan
cx flag
If you want to make fewer changes and only remove the expired certificate ([workaround 1](https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/) suggested by OpenSSL), you can run these commands: `cp /etc/ca-certificates.conf /etc/ca-certificates.conf.orig`, then `sed 's|^mozilla/DST_Root_CA_X3.crt$|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf.orig > /etc/ca-certificates.conf`, then `dpkg-reconfigure -fnoninteractive ca-certificates`
jp flag
@ArielKogan's comment should be a valid answer.
alexw
de flag
I've tried all of these steps but I still get a `verify error:num=20:unable to get local issuer certificate` error when I run `openssl s_client` on my client server, trying to verify with another remote server.
ae flag
@alexw what version does `openssl version` show?
alexw
de flag
@jaygooby I upgraded to 1.1.1k, which it now shows. Apparently [this message is to be expected](https://community.letsencrypt.org/t/struggling-to-get-new-isrg-root-certificate-to-be-recognized-in-ubuntu-16/163251), and I just had to wait a little while for the alternate/short chain to kick in.
questionto42standswithUkraine
Works also in a Dockerfile (no sudo, add RUN at each line start, perhaps add `WORKDIR /src` after mkdir).