8

I've run into a strange problem where a server that's running Debian 7 won't connect to some websites using SSL. After debugging, it turns out that the root certificates for those sites are not known and therefore not trusted. The case I was debugging was from DigiCert "DigiCert Global Root G2".

Of course I tried updating the system and running sudo update-ca-certificates, but it didn't solve the problem. However, looking at Debian's git repository, it looks like ca-certificates is up-to-date. In fact, the one I was looking for is there.

Am I missing something? Do I need to do something special to keep up-to-date? Or is the version in git just not released yet? In that case, what can I do to be more up-to-date regardless? I'd rather not manually add root certificates.

Update

sudo apt-cache policy ca-certificates
ca-certificates:
  Installed: 20130119+deb7u1
  Candidate: 20130119+deb7u2
  Version table:
     20130119+deb7u2 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
 *** 20130119+deb7u1 0
        500 http://ftp.nl.debian.org/debian/ wheezy/main amd64 Packages
        100 /var/lib/dpkg/status

I'm not exactly sure what happened, but I'm only getting this after I changed my source list. Seeing as it is from security.debian.org, I'm worried that the repo didn't work before.

aross

  • do you have the wheezy backports repo added to your source list? – 13dimitar Jan 12 '18 at 08:40
  • @13dimitar No I don't. But isn't backports about new features, not keeping up-to-date? Anyway, [the package isn't even in backports](https://packages.debian.org/wheezy-backports/ca-certificates) – aross Jan 12 '18 at 08:55
  • Wheezy has not been the stable Debian for quite some time now. Do not expect a solution for this other than to upgrade to the current Debian stable. – Michael Hampton Jan 16 '18 at 16:48
  • @MichaelHampton Wheezy is in LTS support until June 2018. That explicitly includes security updates. – aross Jan 17 '18 at 08:26
  • That includes _only_ security updates. – Michael Hampton Jan 17 '18 at 08:34
  • @MichaelHampton trusting root certificates sounds like security related to me..... But like I said in my answer, the Wheezy ca-certificates Git repository is perfectly up-to-date. – aross Jan 17 '18 at 08:40
  • To anyone wanting to reproduce this issue for debugging and/or feature improvement purposes, I found a way to reproduce it both quickly and securely (as in it automatically undoes itself). Anytime you shift boot into grub and run an alternate version (on Debian GNU distros at least) you'll be in the same situation. I'm sure that errors/commands will look different on the surface, the issue is the same. One kernel installs then another tries to connect. CA cert isn't good and refreshing won't help, as you're now a different client. This is what TLS is trying to stop in the first place. Ironic, no? – Nate T May 03 '21 at 02:14

2 Answers

9

You can try and refresh your certificate links in /etc/ssl/certs with

update-ca-certificates --fresh

which redoes all the symlinks in /etc/ssl/certs. If that does not help, let's see if your packages are up-to-date.

Make sure you have the security repos in your /etc/apt/sources.list looking like this (add contrib and non-free as you wish)

deb http://security.debian.org/debian-security/ wheezy/updates main
deb http://deb.debian.org/debian/ wheezy-updates main

or in your case

deb http://ftp.nl.debian.org/debian-security/ wheezy/updates main
deb http://ftp.nl.debian.org/debian/ wheezy-updates main

then try

apt-get update && apt-get upgrade -y

verify it via

apt-cache policy ca-certificates

and compare installed with candidate while this is the latest version.

If you don't see the latest version, your repository might be outdated.


Off Topic

Debian has stated this about what LTS actually means to them, since 6.0.

Also, LTS is not done by the Debian Security Team, which handles stable release security patches, but by a "separate group of volunteers and companies interested". Also, they seem to pick-and-choose the packages, quote "The amount of packages which are properly supported depends directly on the level of support that we get".

As I understand it, for Wheezy, this means that since Jessie was released on April 25th 2016, you can actually expect timely security updates and patches until April 25th 2016 - especially since Stretch was released on June 17th of 2017.

But you can always contact them and ask for help with LTS here.

Robert Riedl
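The "compare Installed with Candidate" step above and the apt-cache policy output in the question's update can be checked mechanically. The POSIX sh snippet below is an added example, not code from the question or from either answer; it parses the policy output format as shown on this page (Installed/Candidate lines, then a version table whose sources are indented under each version) and a sources.list, and the sample input is constructed from the question's own output so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the question or answers). Interprets
# "apt-cache policy <pkg>" output and a sources.list so you can tell
# whether a newer ca-certificates is pending and where it would come from.
# Real-world use:
#   apt-cache policy ca-certificates | apt_update_pending && echo "upgrade pending"
#   security_suites < /etc/apt/sources.list

# Constructed sample: the policy output posted in the question.
SAMPLE_POLICY='ca-certificates:
  Installed: 20130119+deb7u1
  Candidate: 20130119+deb7u2
  Version table:
     20130119+deb7u2 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
 *** 20130119+deb7u1 0
        500 http://ftp.nl.debian.org/debian/ wheezy/main amd64 Packages
        100 /var/lib/dpkg/status'

# Print "<installed> <candidate>" for the policy output on stdin.
policy_versions() {
    awk '/^ *Installed:/ {i=$2} /^ *Candidate:/ {c=$2} END {print i, c}'
}

# Exit 0 when Candidate differs from Installed (an upgrade is pending),
# 1 when they match, 2 when the package is not installed at all
# (apt prints "Installed: (none)" in that case).
apt_update_pending() {
    set -- $(policy_versions)
    [ "$1" = "(none)" ] && return 2
    [ "$1" != "$2" ]
}

# Print the archive URL the candidate version would be fetched from:
# the first source line listed under the candidate in the version table.
# The currently installed version is marked "***" in that table.
candidate_source() {
    awk '/^ *Candidate:/ {c=$2}
         /^ *(\*\*\* )?[^ ]+ [0-9]+$/ {cur=$1; if ($1=="***") cur=$2}
         cur==c && $1 ~ /^[0-9]+$/ && $2 ~ /^http/ {print $2; exit}'
}

# List the suites served by the security archive in the sources.list on
# stdin. Empty output means no security repo is configured, which is the
# situation the question's update hints at.
security_suites() {
    awk '$1=="deb" && $2 ~ /security\.debian\.org|debian-security/ {print $3}'
}
```

Run against a live system, the three checks answer the questions the answer poses in order: is a newer package available, is it coming from security.debian.org, and is that archive in sources.list at all. A Candidate equal to Installed with no security suite listed points at the repository configuration rather than at the ca-certificates package.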
2

I ran into the same problem on server still running Squeeze. I got it fixed by manually adding the required root certificate into the /usr/share/ca-certificates/cacert.org/cacert.org.crt file:

su -
# create the directory update-ca-certificates scans for this entry
mkdir -p /usr/share/ca-certificates/cacert.org/
# -f makes curl fail on an HTTP error instead of saving the error page as the "certificate"
curl -f https://www.tbs-certificats.com/issuerdata/DigiCert_Global_Root_G2.crt > /usr/share/ca-certificates/cacert.org/cacert.org.crt
# rebuild every symlink in /etc/ssl/certs from /etc/ca-certificates.conf
update-ca-certificates --fresh

Sidenote: That's now being downloaded from an alternate location as its official location is giving DNS issues at the time of writing.

If that still doesn't work then you might want to check the contents of the /etc/ca-certificates.conf file. It should contain an entry cacert.org/cacert.org.crt (somewhere at the top) which references said file.

Bramus
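Two things can go wrong with the manual route above: the download saves something that is not a certificate (a redirect or error page), and the entry is missing or deselected in /etc/ca-certificates.conf, in which case update-ca-certificates --fresh silently skips the file. The POSIX sh snippet below is an added example, not the answerer's code: it checks both before anything is trusted. It assumes Debian's conf format (one path per line relative to /usr/share/ca-certificates, "#" for comments, a leading "!" to deselect an entry); the PEM stub, HTML page and conf file are constructed here so the checks run offline.

```shell
#!/bin/sh
# Added example (not part of the answer). Sanity-check a root certificate
# file and the ca-certificates.conf entry before running
# update-ca-certificates --fresh. Real-world use:
#   looks_like_pem < /usr/share/ca-certificates/cacert.org/cacert.org.crt
#   ca_enabled_in_conf cacert.org/cacert.org.crt < /etc/ca-certificates.conf
#   describe_cert /usr/share/ca-certificates/cacert.org/cacert.org.crt

# Constructed inputs: a PEM stub whose body is just base64 of the alphabet
# (not a real certificate), the kind of HTML a failed "curl > file" leaves
# behind, and a small conf in Debian's format.
GOOD_PEM='-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----'
BAD_HTML='<html><body>404 Not Found</body></html>'
SAMPLE_CONF='# lines starting with # are comments
# lines starting with ! deselect a certificate
mozilla/DigiCert_Global_Root_CA.crt
!mozilla/Some_Distrusted_Root.crt
cacert.org/cacert.org.crt'

# Exit 0 when stdin looks like PEM: matching BEGIN/END CERTIFICATE
# markers and only base64 characters in between. An error page or an
# empty file fails this check.
looks_like_pem() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ {inside=1; begins++; next}
        /^-----END CERTIFICATE-----$/   {inside=0; ends++; next}
        inside && $0 !~ /^[A-Za-z0-9+\/=]+$/ {bad=1}
        END {exit !(begins>0 && begins==ends && !bad)}'
}

# Exit 0 when the entry (path relative to /usr/share/ca-certificates)
# is listed in the conf on stdin and not deselected with "!".
ca_enabled_in_conf() {
    awk -v want="$1" '
        /^#/ || /^[[:space:]]*$/ {next}
        $0 == want {found=1}
        $0 == ("!" want) {disabled=1}
        END {exit !(found && !disabled)}'
}

# Show subject and SHA-256 fingerprint of the file so they can be compared
# with the CA'"'"'s published values before the root is trusted system-wide.
describe_cert() {
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$1" -noout -subject -fingerprint -sha256
    else
        echo "openssl not installed; compare the fingerprint another way" >&2
        return 1
    fi
}
```

The PEM check is deliberately structural only; it catches the "curl saved an error page" failure, not a wrong certificate. The fingerprint comparison in describe_cert is what establishes that the file is the DigiCert Global Root G2 you meant to trust, and it belongs before the update-ca-certificates step, not after.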