Ubuntu server cert issues

Dear experts,

We are failing our external security scans.

One of the issues we are having to deal with is with certificates.

Example of some errors:

ca-certificates (20140927) unstable; urgency=medium

ca-certificates (20140325) unstable; urgency=medium

ca-certificates (20140223) unstable; urgency=medium

The server is:
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"

For any comments and help, thank you!
marceloNYC (Middle-Tier Administrator) Asked:

arnold Commented:
What do the certificates secure?
You need to edit OpenSSL.conf to restrict/limit the negotiations to secure ciphers.
These changes will affect all components using the SSL library. Some programs will have to have the changes made within their own config.

What you posted means nothing with the context and detail on what was checked.
marceloNYC (Middle-Tier Administrator, Author) Commented:
When I tried to update and upgrade the server I get this message:

ca-certificates (20140927) unstable; urgency=medium

  Update Mozilla Certificate Authority bundle to version 2.1.
    The following Certificate Authorities were added (+):
    + "DigiCert Assured ID Root G2"
    + "DigiCert Assured ID Root G3"
    + "DigiCert Global Root G2"
    + "DigiCert Global Root G3"
    + "DigiCert Trusted Root G4"
    + "QuoVadis Root CA 1 G3"
    + "QuoVadis Root CA 2 G3"
    + "QuoVadis Root CA 3 G3"
    + "WoSign"
    + "WoSign China"
    The following Certificate Authorities were removed (-):
    - "Entrust.net Secure Server CA"
    - "RSA Root Certificate 1"
    - "TDC Internet Root CA"
    - "ValiCert Class 1 VA"
    - "ValiCert Class 2 VA"

 -- Michael Shuler <michael@pbandjelly.org>  Sat, 27 Sep 2014 15:16:51 -0500

ca-certificates (20140325) unstable; urgency=medium

  Update mozilla/certdata.txt to version 1.97+revert_of_936304
    Mozilla reverted the removal of 1024-bit root certificates for
    Entrust.net, GTE CyberTrust, and ValiCert (RSA), but did not update the
    version number in nssckbi.h.
    Certificates added (+) (none removed):
    + "Entrust.net Secure Server CA"
    + "GTE CyberTrust Global Root"
    + "RSA Root Certificate 1"
    + "ValiCert Class 1 VA"
    + "ValiCert Class 2 VA"

 -- Michael Shuler <michael@pbandjelly.org>  Tue, 25 Mar 2014 13:28:19 -0500

ca-certificates (20140223) unstable; urgency=medium

  Debian will no longer ship cacert.org certificates.

  Update mozilla/certdata.txt to version 1.97.
    Certificates added (+), removed (-), and renamed (~):
    + "ACCVRAIZ1"
    + "Atos TrustedRoot 2011"
    + "E-Tugra Certification Authority"
    + "SG TRUST SERVICES RACINE"
    + "StartCom Certification Authority"
    ~ "StartCom Certification Authority"_2
      (both StartCom CAs now included with duplicate CKA_LABEL fix)
    + "T-TeleSec GlobalRoot Class 2"
    + "TWCA Global Root CA"
    + "TeliaSonera Root CA v1"
    + "Verisign Class 3 Public Primary Certification Authority"
    ~ "Verisign Class 3 Public Primary Certification Authority"_2
      (both Verisign Class 3 CAs now included with duplicate CKA_LABEL fix)
:
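Added example, not part of the original thread: a small parser for the changelog format shown in the post above, which replays the entries oldest-first to show which roots end up added to or removed from the trust store. The embedded text is an abbreviated excerpt of the output quoted in the thread; the function names are assumptions made for this example.

```python
import re

# Abbreviated excerpt of the changelog quoted in the thread (newest entry first).
CHANGELOG = '''\
ca-certificates (20140927) unstable; urgency=medium

  Update Mozilla Certificate Authority bundle to version 2.1.
    The following Certificate Authorities were added (+):
    + "DigiCert Global Root G2"
    + "WoSign"
    The following Certificate Authorities were removed (-):
    - "Entrust.net Secure Server CA"
    - "ValiCert Class 1 VA"

ca-certificates (20140325) unstable; urgency=medium

    Certificates added (+) (none removed):
    + "Entrust.net Secure Server CA"
    + "GTE CyberTrust Global Root"
    + "ValiCert Class 1 VA"
'''

HEADER = re.compile(r'^(\S+) \(([^)]+)\) ')    # "package (version) ..."
CHANGE = re.compile(r'^\s+([+-]) "([^"]+)"')   # '    + "CA name"' / '    - "CA name"'

def parse_entries(text):
    """Return {version: {'+': [names], '-': [names]}} in file order."""
    entries, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = entries.setdefault(m.group(2), {'+': [], '-': []})
            continue
        m = CHANGE.match(line)
        if m and current is not None:
            current[m.group(1)].append(m.group(2))
    return entries

def net_change(entries):
    """Replay entries oldest-first; return (added, removed) sets of CA names."""
    state = {}
    for version in sorted(entries):   # assumes YYYYMMDD versions, which sort by date
        for sign in '+-':
            for name in entries[version][sign]:
                state[name] = sign    # a later entry overrides an earlier one
    added = {n for n, s in state.items() if s == '+'}
    return added, set(state) - added
```

On this excerpt the roots reinstated in 20140325 and dropped again in 20140927 come out as removed, which is the set to compare against any certificate chains the server still presents or relies on.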
arnold Commented:
This deals with getting an update to the trusted certificates stored in the web client.

You are using the graphical interface to perform the update/upgrade versus the command line?

marceloNYC (Middle-Tier Administrator, Author) Commented:
No, I use:

 sudo apt-get update && sudo apt-get upgrade
arnold Commented:
Do one at a time and see whether the warning is just a warning and requires interaction.

The message includes the details; not sure what you are looking for in the form of an answer.
rindi Commented:
It is just for your info. Enter "Q" to exit the info display and the upgrade will continue.
srikotesh Commented:
Upgrade to 14.04.
I have the same issue when I upgrade to 12.04;
it will resolve your problem.

marceloNYC (Middle-Tier Administrator, Author) Commented:
Thank you guys! This helps