
Bug#993363: SectigoRSADomainValidationSecureServerCA.crt absent from ca-certificates


Piotr Kierklo

Aug 31, 2021, 8:40:03 AM
Package: ca-certificates
Version: 20210119

Hello

Intermediate CA certificate for Sectigo - "Sectigo RSA Domain Validation Secure Server CA" - this one: https://crt.sh/?id=924467861 - is missing from ca-certificates, resulting in errors while using CLI tools (but no errors when using web browsers). I was able to confirm that Chrome and Firefox actually have this certificate in their stores.

I found a lot of reports from 2020, when this (or a similar) certificate was issued by "USERTrustRSAAddTrustCA", which was issued by "AddTrustExternalCARoot", and that last one had expired in May 2020.

But this certificate is now issued by "USERTrust_RSA_Certification_Authority", which is already in ca-certificates.

I know that Namecheap, for example, had issued us some certificates with this SectigoRSADomainValidationSecureServerCA as the signing certificate, and it's causing some problems during validation now.



Error in openssl:
------
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
Verification error: unable to verify the first certificate
------

Errors in curl:
------
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
------


Certificate info:   https://crt.sh/?id=924467861
---------
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

        X509v3 extensions:
          Authority Information Access:
                CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.sectigo.com
------------


The cert that is missing is here, as exposed by the 1st level of cert that failed:
-----
curl -s http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt | openssl x509 -text -inform DER | grep "Issuer\|Subject"
        Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
        Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
        Subject Public Key Info:
            X509v3 Subject Key Identifier:
                CA Issuers - URI:http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
-----


I can confirm that adding the CA cert allowed curl to work (as root):
-----
# fetch the intermediate (DER), convert it to PEM and append it to the bundle curl reads;
# note that update-ca-certificates regenerates this bundle, so a direct edit does not persist
curl -s http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt | openssl x509 -inform DER -outform PEM >> /etc/ssl/certs/ca-certificates.crt
-----

The same can be done for openssl (as root again):
----
# convert the intermediate to PEM, drop it into the local CA directory and rebuild the store
curl -s http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt | openssl x509 -inform DER -outform PEM > /usr/local/share/ca-certificates/SectigoRSADomainValidationSecureServerCA.crt
update-ca-certificates
----


-- 
Thank you
Piotr
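As an added example, not part of Piotr's report or of the ca-certificates package: the shell script below builds a throwaway root / intermediate / leaf hierarchy with openssl (every subject name and the AIA URL in it are constructed) and reproduces the two situations in the report. A server that sends only its leaf certificate fails with verify error 20 ("unable to get local issuer certificate") against a store holding the root, and the same leaf verifies as soon as the intermediate is supplied alongside it. It also shows the report's trust-store workaround (root plus intermediate in the CAfile) succeeding, and reads the "CA Issuers" AIA pointer the same way the `curl | openssl x509 -text | grep` pipeline above exposes it.

```shell
#!/bin/sh
# Added example, not from the bug report. Builds a disposable PKI under $PKI
# and checks a leaf the way curl/openssl do, varying what the "server" sends.
set -e

PKI="${PKI:-$(mktemp -d)}"

# Sign a CSR with an issuer cert/key, or self-sign when issuer is "self".
sign_csr() {
  csr=$1; out=$2; ext=$3; issuer=$4; issuer_key=$5
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$csr" -signkey "$issuer_key" -out "$out" \
      -days 30 -extfile "$ext" 2>/dev/null
  else
    openssl x509 -req -in "$csr" -CA "$issuer" -CAkey "$issuer_key" -CAcreateserial \
      -out "$out" -days 30 -extfile "$ext" 2>/dev/null
  fi
}

# Constructed hierarchy: "Example root" -> "Example int" -> "Example leaf".
make_chain() {
  for name in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $name" \
      -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null
  done
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$PKI/ca.ext"
  # The leaf carries an AIA "CA Issuers" pointer, as the Sectigo leaf in the report does
  # (URL constructed for this example).
  printf '%s\n' 'basicConstraints=CA:FALSE' 'subjectAltName=DNS:www.example.test' \
    'extendedKeyUsage=serverAuth' \
    'authorityInfoAccess=caIssuers;URI:http://ca.example.test/intermediate.crt' > "$PKI/leaf.ext"
  sign_csr "$PKI/root.csr" "$PKI/root.pem" "$PKI/ca.ext"   self           "$PKI/root.key"
  sign_csr "$PKI/int.csr"  "$PKI/int.pem"  "$PKI/ca.ext"   "$PKI/root.pem" "$PKI/root.key"
  sign_csr "$PKI/leaf.csr" "$PKI/leaf.pem" "$PKI/leaf.ext" "$PKI/int.pem"  "$PKI/int.key"
}

# Print the AIA "CA Issuers" URI of a certificate: where a client (or an admin
# chasing a missing intermediate, as in the report) could fetch the issuer.
aia_ca_issuers() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *CA Issuers - URI://p' | head -n1
}

# Verify leaf $1 trusting only the certificates in $3, with $2 standing in for
# the chain the server presented. Echoes "ok" or the openssl verify error number.
verify_as_served() {
  leaf=$1; served=$2; trust=$3
  if out=$(openssl verify -CAfile "$trust" -untrusted "$served" "$leaf" 2>&1); then
    echo ok
  else
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n1
  fi
}

demo() {
  make_chain
  cat "$PKI/leaf.pem" "$PKI/int.pem" > "$PKI/served.pem"   # leaf + intermediate
  cat "$PKI/root.pem" "$PKI/int.pem" > "$PKI/store.pem"    # the report's workaround
  echo "AIA CA Issuers in leaf:            $(aia_ca_issuers "$PKI/leaf.pem")"
  echo "server sends leaf only:            $(verify_as_served "$PKI/leaf.pem" "$PKI/leaf.pem" "$PKI/root.pem")"
  echo "server sends leaf + intermediate:  $(verify_as_served "$PKI/leaf.pem" "$PKI/served.pem" "$PKI/root.pem")"
  echo "leaf only, intermediate in store:  $(verify_as_served "$PKI/leaf.pem" "$PKI/leaf.pem" "$PKI/store.pem")"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh chain_demo.sh demo`. The first verification prints `20`, the same error number curl and openssl report above; the second prints `ok`. The third is the report's workaround and also prints `ok`, which is exactly why it is tempting. The distinction matters operationally: the intermediate is not a trust anchor, so ca-certificates is right not to ship it; a server that omits it from its chain is misconfigured, and browsers only hide that because they fetch the missing issuer through the AIA URL or carry a preloaded set of intermediates. Serving the full chain fixes every client at once, while adding the intermediate to one machine's store masks the problem only there.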