Problem since update ca-certificates

Asked by Goodpeace

Hello,

This morning the package 'ca-certificates' was updated; since then some websites do not work anymore and cannot be opened. I have already run sudo update-ca-certificates -f, but it didn't help. What could be the reason? ☹

Question information

Language: English
Status: Answered
For: Ubuntu ca-certificates
Assignee: No assignee
actionparsnip (andrew-woodhead666) said:
#1

What do you mean they don't work? Have you checked the certificate chain on the websites?
What is the output of:

lsb_release -a; uname -a; apt-cache policy ca-certificates

Thanks

Goodpeace (goody-mx-server) said:
#2

They just don't work anymore, I can't connect, but when I go to the website via proxy, it works again.

Anyway, this has something to do with the update, because everything was working before.

The website then shows:
ERR_CONNECTION_RESET

This is the output:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
Linux ubuntuN 4.15.0-101-generic #102-Ubuntu SMP Mon May 11 10:07:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
ca-certificates:
  Installiert: 20190110~18.04.1
  Installationskandidat: 20190110~18.04.1
  Versionstabelle:
 *** 20190110~18.04.1 500
        500 http://lu.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://lu.archive.ubuntu.com/ubuntu bionic-updates/main i386 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main i386 Packages
        100 /var/lib/dpkg/status
     20180409 500
        500 http://lu.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
        500 http://lu.archive.ubuntu.com/ubuntu bionic/main i386 Packages

Goodpeace (goody-mx-server) said:
#3

I tried updating to Ubuntu 20.04 myself; same problem:
Peer failed to perform TLS handshake: Error receiving data: Connection reset by peer

When I connect via VPN to the affected websites it works, though. I have only had the problem since the ca-certificates update, some of which have been removed.

Removing the package and reinstalling it did not help either.

Goodpeace (goody-mx-server) said:
#4

Even https://packagist.org/ doesn't work.

OUTPUT AGAIN:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal
Linux ubuntuN 5.4.0-33-generic #37-Ubuntu SMP Thu May 21 12:53:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
ca-certificates:
  Installiert: 20190110ubuntu1.1
  Installationskandidat: 20190110ubuntu1.1
  Versionstabelle:
 *** 20190110ubuntu1.1 500
        500 http://lu.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://lu.archive.ubuntu.com/ubuntu focal-updates/main i386 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main i386 Packages
        100 /var/lib/dpkg/status
     20190110ubuntu1 500
        500 http://lu.archive.ubuntu.com/ubuntu focal/main amd64 Packages
        500 http://lu.archive.ubuntu.com/ubuntu focal/main i386 Packages

Goodpeace (goody-mx-server) said:
#5

I just tried it on my laptop, same problem here.

actionparsnip (andrew-woodhead666) said:
#6

Try:

sudo apt-get --reinstall install ca-certificates

Goodpeace (goody-mx-server) said:
#7

I've done that a few times, didn't help.

The weird thing is that I have it on my mobile (Android) and laptop too. Maybe the certificates in the browsers have not yet been adapted by the manufacturer.

There are some sites that don't work.

actionparsnip (andrew-woodhead666) said:
#8

Is there a common provider for the certificates that don't work? Check the certificate chain to see if there is a provider that doesn't work well.

Seth Arnold (seth-arnold) said:
#9

Hello,

You can find the previous version of the package on
https://launchpad.net/ubuntu/+source/ca-certificates/20180409

Please let us know a series of commands to execute to see what works with the old version and doesn't work with the new version.

Thanks

Goodpeace (goody-mx-server) said:
#10

https://www.softcreatr.com/
https://packagist.org/

These two are the ones that don't work, and others I found when googling (I don't remember them anymore).

I can't check the chains; I can't get a connection (ERR_CONNECTION_RESET).

Maybe someone else can check it?

Anyway, it's weird since I have the same problem on Android with the same pages.

actionparsnip (andrew-woodhead666) said:
#11

Both of those use LetsEncrypt.

If you try https://www.bbc.co.uk is it OK?

Goodpeace (goody-mx-server) said:
#12

Yeah, it works just fine.

But I don't know if LetsEncrypt is the reason, because I also have a site secured with LetsEncrypt which works, for example.

Vasya Pupkin (shadowlmd) said:
#13

> ERR_CONNECTION_RESET

Can't imagine how this can be related to ca-certificates update. Anyway, no problems with all example websites on any of my boxes. Tested with curl.

Goodpeace (goody-mx-server) said:
#14

I don't understand that either.

actionparsnip (andrew-woodhead666) said:
#15

Is it the same chain as the ones you said don't work?

Goodpeace (goody-mx-server) said:
#16

SHA-256-Fingerabdruck DB 59 B7 67 ED CC F9 31 3B 54 FC 96 46 DD A4 CB 5D 68 8B E0 82 8D 05 F0 F7 C5 D6 E2 6D A1 64 CF

SHA-1-Fingerabdruck CD 27 86 F5 68 DD C0 BD 14 F1 5B 1E 4F 67 46 3D 2F EB F0 B1

actionparsnip (andrew-woodhead666) said:
#17

In the browser, go to a working website using LetsEncrypt and look at the certificate. Click the rightmost tab and note the name of the intermediate certificate and the root certificate above it. Then go to one that doesn't work which is using LetsEncrypt and see if the intermediate and root certificates are the same.

Goodpeace (goody-mx-server) said:
#18

Unfortunately, I still have the problem on all kinds of devices that are available on the Internet (including Android).

As soon as I access the pages via mobile network or proxy, everything works again, but different pages are not affected. I just don't understand this, and it definitely has nothing to do with Linux/Ubuntu and ca-certs.

The affected pages:
https://www.ssllabs.com/ssltest/analyze.html?d=www.softcreatr.com&s=116.202.110.137&latest
https://www.ssllabs.com/ssltest/analyze.html?d=packagist.org&s=142.44.164.249&latest

actionparsnip (andrew-woodhead666) said:
#19

Which website are you accessing that uses LetsEncrypt which works OK?

Goodpeace (goody-mx-server) said:
#20

curl https://softcreatr.com/ -v
* Trying 2a01:4f8:c17:a310::1:443...
* TCP_NODELAY set
* Connected to softcreatr.com (2a01:4f8:c17:a310::1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Die Verbindung wurde vom Kommunikationspartner zurückgesetzt in connection to softcreatr.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Die Verbindung wurde vom Kommunikationspartner zurückgesetzt in connection to softcreatr.com:443

actionparsnip (andrew-woodhead666) said:
#21

Sounds like a website issue, then. If Android is also having issues, then I suspect this isn't an OS issue but the site itself.

actionparsnip (andrew-woodhead666) said:
#22

I get this:

curl https://softcreatr.com/ -v
* Trying 172.16.100.105...
* Connected to mancmsmsqixxmc1.ms.private (172.16.100.105) port 3128 (#0)
* Establish HTTP proxy tunnel to softcreatr.com:443
> CONNECT softcreatr.com:443 HTTP/1.1
> Host: softcreatr.com:443
> User-Agent: curl/7.47.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 692 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: 1-2.dev (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=1-2.dev
* start date: Mon, 27 Apr 2020 22:23:43 GMT
* expire date: Sun, 26 Jul 2020 22:23:43 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: softcreatr.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Fri, 05 Jun 2020 11:27:54 GMT
< Content-Type: text/html
< Content-Length: 162
< Connection: keep-alive
< Location: https://www.softcreatr.com/
< Server: softcreatr-media
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Referrer-Policy: no-referrer
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Feature-Policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host mancmsmsqixxmc1.ms.private left intact

actionparsnip (andrew-woodhead666) said:
#23

May want to check these on your system:

found 173 certificates in /etc/ssl/certs/ca-certificates.crt
found 692 certificates in /etc/ssl/certs

There may be an issue but, again, as your phone is behaving oddly too, I'm not sure what to suggest. Do you use a proxy for web access?
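The curl trace in #20 shows the reset arriving right after the Client Hello, before any server certificate has reached the client, so the local CA bundle has not even been consulted yet; #23 suggests comparing the "found N certificates" counts. The following diagnostic is an added example, not code from this thread or from the Ubuntu ca-certificates package: it counts entries in a CA bundle the way curl's "found N certificates in ..." line does and classifies a failed HTTPS connection by the layer it came from. The PEM bundle is constructed (placeholder bodies, not real certificates) and the default hostname is only an illustration.

```python
import re
import socket
import ssl
from typing import Tuple

# Constructed stand-in for /etc/ssl/certs/ca-certificates.crt; the bodies
# are placeholders, not real certificates. Only the PEM markers matter here.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBplaceholderENTRY1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderENTRY2
-----END CERTIFICATE-----
"""

def count_pem_certs(bundle_text: str) -> int:
    """Count PEM entries, matching curl's 'found N certificates in <file>' line."""
    return len(re.findall(r"-----BEGIN CERTIFICATE-----", bundle_text))

def classify_tls_failure(exc: BaseException) -> str:
    """Name the layer responsible for a failed HTTPS connection attempt.

    Order matters: SSLCertVerificationError is an SSLError, and SSLError is an
    OSError, so the most specific class is tested first.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "trust-store"    # server cert rejected by the local CA bundle
    if isinstance(exc, ssl.SSLError):
        return "tls-protocol"   # handshake failed for a non-trust reason
    if isinstance(exc, (ConnectionResetError, ConnectionRefusedError, OSError)):
        return "network-path"   # reset/refused/timeout: TCP path or server, not CA
    return "unknown"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """Attempt a verified TLS handshake and return (classification, detail)."""
    ctx = ssl.create_default_context()  # uses the system CA bundle
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.version() or ""
    except Exception as exc:
        return classify_tls_failure(exc), f"{type(exc).__name__}: {exc}"

if __name__ == "__main__":
    with open("/etc/ssl/certs/ca-certificates.crt", encoding="utf-8") as fh:
        print("certificates in bundle:", count_pem_certs(fh.read()))
    print(probe("www.bbc.co.uk"))  # the site that worked in #12; needs network
```

A "network-path" result for a host that a proxy or VPN reaches fine points at the direct path (filtering, MTU, or the server itself), not at the trust store; only a "trust-store" result would implicate the ca-certificates update.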
