Ubuntu server cert issues

Dear experts,

We are failing our external security scans.

One of the issues we are having to deal with is with certificates.

Example of some errors:

ca-certificates (20140927) unstable; urgency=medium

ca-certificates (20140325) unstable; urgency=medium

ca-certificates (20140223) unstable; urgency=medium

The server is:
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"

For any comments and help, thank you!
marceloNYC (Middle-Tier Administrator) asked:

arnold commented:
What do the certificates secure?
You need to edit OpenSSL.conf to restrict/limit the negotiations to secure ciphers.
These changes will affect all components using the ssl library. Some programs will have to have the changes made within their own config.

What you posted means nothing with the context and detail on what was checked.
0
marceloNYC (Middle-Tier Administrator, author) commented:
When I tried to update and upgrade the server I get this message:

ca-certificates (20140927) unstable; urgency=medium

  Update Mozilla Certificate Authority bundle to version 2.1.
    The following Certificate Authorities were added (+):
    + "DigiCert Assured ID Root G2"
    + "DigiCert Assured ID Root G3"
    + "DigiCert Global Root G2"
    + "DigiCert Global Root G3"
    + "DigiCert Trusted Root G4"
    + "QuoVadis Root CA 1 G3"
    + "QuoVadis Root CA 2 G3"
    + "QuoVadis Root CA 3 G3"
    + "WoSign"
    + "WoSign China"
    The following Certificate Authorities were removed (-):
    - "Entrust.net Secure Server CA"
    - "RSA Root Certificate 1"
    - "TDC Internet Root CA"
    - "ValiCert Class 1 VA"
    - "ValiCert Class 2 VA"

 -- Michael Shuler <michael@pbandjelly.org>  Sat, 27 Sep 2014 15:16:51 -0500

ca-certificates (20140325) unstable; urgency=medium

  Update mozilla/certdata.txt to version 1.97+revert_of_936304
    Mozilla reverted the removal of 1024-bit root certificates for
    Entrust.net, GTE CyberTrust, and ValiCert (RSA), but did not update the
    version number in nssckbi.h.
    Certificates added (+) (none removed):
    + "Entrust.net Secure Server CA"
    + "GTE CyberTrust Global Root"
    + "RSA Root Certificate 1"
    + "ValiCert Class 1 VA"
    + "ValiCert Class 2 VA"

 -- Michael Shuler <michael@pbandjelly.org>  Tue, 25 Mar 2014 13:28:19 -0500

ca-certificates (20140223) unstable; urgency=medium

  Debian will no longer ship cacert.org certificates.

  Update mozilla/certdata.txt to version 1.97.
    Certificates added (+), removed (-), and renamed (~):
    + "ACCVRAIZ1"
    + "Atos TrustedRoot 2011"
    + "E-Tugra Certification Authority"
    + "SG TRUST SERVICES RACINE"
    + "StartCom Certification Authority"
    ~ "StartCom Certification Authority"_2
      (both StartCom CAs now included with duplicate CKA_LABEL fix)
    + "T-TeleSec GlobalRoot Class 2"
    + "TWCA Global Root CA"
    + "TeliaSonera Root CA v1"
    + "Verisign Class 3 Public Primary Certification Authority"
    ~ "Verisign Class 3 Public Primary Certification Authority"_2
      (both Verisign Class 3 CAs now included with duplicate CKA_LABEL fix)
:
0
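
Added example, not part of the original thread: a small Python parser for the ca-certificates changelog format quoted in the post above, which replays the entries oldest first to show which CAs end up added or removed in the trust store. The function names `parse_changelog` and `net_effect` are hypothetical, and the sample text is a constructed abbreviation of the quoted output.

```python
import re

# Constructed sample: abbreviated from the changelog text quoted in the post above.
SAMPLE = """\
ca-certificates (20140927) unstable; urgency=medium

  Update Mozilla Certificate Authority bundle to version 2.1.
    The following Certificate Authorities were added (+):
    + "DigiCert Global Root G2"
    + "WoSign"
    The following Certificate Authorities were removed (-):
    - "Entrust.net Secure Server CA"
    - "ValiCert Class 1 VA"

ca-certificates (20140325) unstable; urgency=medium

    Certificates added (+) (none removed):
    + "Entrust.net Secure Server CA"
    + "ValiCert Class 1 VA"
"""

HEADER = re.compile(r"^ca-certificates \((\d{8})\)")   # entry header, version is YYYYMMDD
CHANGE = re.compile(r'^\s+([+~-]) "([^"]+)"')           # + added, - removed, ~ renamed

def parse_changelog(text):
    """Return {version: [(op, ca_name), ...]} for every entry in the text."""
    entries, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = entries.setdefault(header.group(1), [])
        elif current is not None:
            change = CHANGE.match(line)
            if change:
                current.append((change.group(1), change.group(2)))
    return entries

def net_effect(entries):
    """Replay entries oldest first; return (still_added, removed) CA name lists."""
    last_op = {}
    for version in sorted(entries):            # YYYYMMDD strings sort chronologically
        for op, name in entries[version]:
            if op in "+-":
                last_op[name] = op
    added = sorted(n for n, op in last_op.items() if op == "+")
    removed = sorted(n for n, op in last_op.items() if op == "-")
    return added, removed

if __name__ == "__main__":
    print(net_effect(parse_changelog(SAMPLE)))
```

On the sample, the roots re-added in 20140325 come out as removed, because the later 20140927 entry drops them again.
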
arnold commented:
This deals with getting an update to the trusted certificates stored in the web client.

You are using the graphical interface to perform the update/upgrade versus the command line?
0
marceloNYC (Middle-Tier Administrator, author) commented:
No, I use:

 sudo apt-get update && sudo apt-get upgrade
0
arnold commented:
Do one at a time and see whether the warning is just a warning and requires interaction.

The message includes the details; not sure what you are looking for in the form of an answer.
1
rindi commented:
It is just for your info. Enter "Q" to exit the info display and the upgrade will continue.
0
srikotesh commented:
Upgrade to 14.04.
I have the same issue when I upgrade to 12.04,
it will resolve your problem.
0
marceloNYC (Middle-Tier Administrator, author) commented:
Thank you guys! This helps
0
SSL / HTTPS

Question has a verified solution.