Problem since update ca-certificates
Hello,
This morning a package 'ca-certificates' was updated, since then some websites do not work anymore and cannot be opened. I have already run sudo update-
Question information
- Language: English
- Status: Answered
- Assignee: No assignee
#1
What do you mean they don't work? Have you checked the certificate chain on the websites?
What is the output of:
lsb_release -a; uname -a; apt-cache policy ca-certificates
Thanks
#2
They just don't work anymore, I can't connect, but when I go to the website via proxy, it works again.
Anyway, this has something to do with the update, because everything was working before.
The website then shows:
ERR_CONNECTION_
This is the output:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
Linux ubuntuN 4.15.0-101-generic #102-Ubuntu SMP Mon May 11 10:07:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
ca-certificates:
Installiert: 20190110~18.04.1
Installations
Versionstabelle:
*** 20190110~18.04.1 500
500 http://
500 http://
500 http://
500 http://
100 /var/lib/
20180409 500
500 http://
500 http://
#3
I tried to update to ubuntu 20.04 myself, same problem:
Peer failed to perform TLS handshake: Error receiving data: Connection reset by peer
When I connect via VPN to the affected websites it works though, I have only had the problem since ca-certificates, some of which has been removed.
Removing the package and reinstalling it did not help either.
#4
https:/
OUTPUT AGAIN:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal
Linux ubuntuN 5.4.0-33-generic #37-Ubuntu SMP Thu May 21 12:53:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
ca-certificates:
Installiert: 20190110ubuntu1.1
Installations
Versionstabelle:
*** 20190110ubuntu1.1 500
500 http://
500 http://
500 http://
500 http://
100 /var/lib/
20190110ub
500 http://
500 http://
#5
I just tried it on my laptop, same problem here.
#6
Try:
sudo apt-get --reinstall install ca-certificates
#7
I've done that a few times, didn't help.
The weird thing is on my mobile (Android) and laptop I have it too. Maybe the certificates in the browsers are not yet adapted by the manufacturer.
There are some sites that don't work.
#8
Is there a common provider for the certificates that don't work? Check the certificate chain to see if there is a provider that doesn't work well.
#9
Hello,
You can find the previous version of the package on
https:/
Please let us know a series of commands to execute to see what works with the old version and doesn't work with the new version.
Thanks
#10
https:/
https:/
These two are the ones where they don't work and others when googling (I don't know anymore).
I can't check the chains, I can't get a connection (ERR_CONNECTION
Maybe someone else can check it?
Anyway, it's weird since I have the same problem on Android with the same pages.
#11
Both of those use LetsEncrypt.
If you try https:/
#12
Yeah, it works just fine.
But I don't know if LetsEncrypt is the reason, because I also have a site secured with LetsEncrypt which works, for example.
#13
> ERR_CONNECTION_
Can't imagine how this can be related to ca-certificates update. Anyway, no problems with all example websites on any of my boxes. Tested with curl.
#14
I don't understand that either.
#15
Is it the same chain as the ones you said don't work?
#16
SHA-256-
5D 68 8B E0 82 8D 05 F0 F7 C5 D6 E2 6D A1 64 CF
SHA-1-Fingerabdruck CD 27 86 F5 68 DD C0 BD 14 F1 5B 1E 4F 67 46 3D
2F EB F0 B1
#17
In the browser, go to a working website using LetsEncrypt and look at the certificate. Click the rightmost tab and note the name of the intermediate certificate and root certificate above it. Then go to one that doesn't work and that is using LetsEncrypt, and see if the intermediate and root certificates are the same.
#18
Unfortunately, I still have the problem on all kinds of devices that are available on the Internet (including Android).
As soon as I access the pages via mobile network or proxy, everything works again, but different pages are not affected. I just don't understand this, and it definitely has nothing to do with Linux/Ubuntu and ca-certs.
The affected pages:
https:/
https:/
#19
Which website are you accessing that uses LetsEncrypt which works OK?
#20
curl https:/
* Trying 2a01:4f8:
* TCP_NODELAY set
* Connected to softcreatr.com (2a01:4f8:
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Die Verbindung wurde vom Kommunikationsp
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Die Verbindung wurde vom Kommunikationsp
#21
Sounds like a website issue then. If Android is also having issues then I suspect this isn't an OS issue but the site itself.
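The distinction drawn in replies #13 and #21 can be checked directly: a connection dropped right after the Client Hello, as in the curl trace in #20, fails before any server certificate is evaluated, so the trust store cannot be the cause. The following Python is an added example, not part of the thread; the function names and the local resetting server are constructed for illustration.

```python
import socket
import ssl
import struct
import threading


def classify_tls_failure(host, port, server_name=None, timeout=5.0):
    """Say which stage of an HTTPS connection fails, using the system trust store."""
    ctx = ssl.create_default_context()  # CA bundle maintained by ca-certificates
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp-connect-failed"  # TLS never started
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=server_name or host):
                return "ok"
        except ssl.SSLCertVerificationError:
            return "certificate-rejected"  # the only outcome the trust store decides
        except (ConnectionResetError, BrokenPipeError,
                ssl.SSLEOFError, ssl.SSLSyscallError):
            return "dropped-during-handshake"  # peer or a device on the path cut it
        except socket.timeout:
            return "handshake-timeout"
        except ssl.SSLError:
            return "tls-protocol-error"  # alert, version or cipher mismatch
        except OSError:
            return "socket-error"


def start_resetting_server():
    """Constructed stand-in for the failing sites: read the ClientHello, reply with RST."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)  # the ClientHello
        # SO_LINGER with a zero timeout makes close() send a TCP reset
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print(classify_tls_failure("127.0.0.1", start_resetting_server()))
```

Only the `certificate-rejected` result points at the CA bundle; reinstalling ca-certificates cannot change any of the other outcomes.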
#22
I get this
curl https:/
* Trying 172.16.100.105...
* Connected to mancmsmsqixxmc1
* Establish HTTP proxy tunnel to softcreatr.com:443
> CONNECT softcreatr.com:443 HTTP/1.1
> Host: softcreatr.com:443
> User-Agent: curl/7.47.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* found 173 certificates in /etc/ssl/
* found 692 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: 1-2.dev (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=1-2.dev
* start date: Mon, 27 Apr 2020 22:23:43 GMT
* expire date: Sun, 26 Jul 2020 22:23:43 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: softcreatr.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Fri, 05 Jun 2020 11:27:54 GMT
< Content-Type: text/html
< Content-Length: 162
< Connection: keep-alive
< Location: https:/
< Server: softcreatr-media
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-
< Referrer-Policy: no-referrer
< Strict-
< Feature-Policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'
<
<html>
<head><title>301 Moved Permanently<
<body>
<center><h1>301 Moved Permanently<
<hr><center>
</body>
</html>
* Connection #0 to host mancmsmsqixxmc1
#23
May want to check these on your system:
found 173 certificates in /etc/ssl/
found 692 certificates in /etc/ssl/certs
There may be an issue but, again, as your phone is weird too I'm not sure what to suggest. Do you use a proxy for web access?