marceloNYC

Ubuntu server cert issues

Dear experts,

We are failing our external security scans.

One of the issues we are having to deal with is with certificates.

Example of some errors:

ca-certificates (20140927) unstable; urgency=medium

ca-certificates (20140325) unstable; urgency=medium

ca-certificates (20140223) unstable; urgency=medium

The server is:
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"

For any comments and help, thank you!

arnold

What do the certificates secure?
You need to edit OpenSSL.conf to restrict/limit the negotiations to secure ciphers.
These changes will affect all components using the SSL library. Some programs will have to have the changes made within their own config.

What you posted means nothing with the context and detail on what was checked.

marceloNYC (ASKER)

When I tried to update and upgrade the server I get this message:

ca-certificates (20140927) unstable; urgency=medium

  Update Mozilla Certificate Authority bundle to version 2.1.
    The following Certificate Authorities were added (+):
    + "DigiCert Assured ID Root G2"
    + "DigiCert Assured ID Root G3"
    + "DigiCert Global Root G2"
    + "DigiCert Global Root G3"
    + "DigiCert Trusted Root G4"
    + "QuoVadis Root CA 1 G3"
    + "QuoVadis Root CA 2 G3"
    + "QuoVadis Root CA 3 G3"
    + "WoSign"
    + "WoSign China"
    The following Certificate Authorities were removed (-):
    - "Entrust.net Secure Server CA"
    - "RSA Root Certificate 1"
    - "TDC Internet Root CA"
    - "ValiCert Class 1 VA"
    - "ValiCert Class 2 VA"

 -- Michael Shuler <michael@pbandjelly.org>  Sat, 27 Sep 2014 15:16:51 -0500

ca-certificates (20140325) unstable; urgency=medium

  Update mozilla/certdata.txt to version 1.97+revert_of_936304
    Mozilla reverted the removal of 1024-bit root certificates for
    Entrust.net, GTE CyberTrust, and ValiCert (RSA), but did not update the
    version number in nssckbi.h.
    Certificates added (+) (none removed):
    + "Entrust.net Secure Server CA"
    + "GTE CyberTrust Global Root"
    + "RSA Root Certificate 1"
    + "ValiCert Class 1 VA"
    + "ValiCert Class 2 VA"

 -- Michael Shuler <michael@pbandjelly.org>  Tue, 25 Mar 2014 13:28:19 -0500

ca-certificates (20140223) unstable; urgency=medium

  Debian will no longer ship cacert.org certificates.

  Update mozilla/certdata.txt to version 1.97.
    Certificates added (+), removed (-), and renamed (~):
    + "ACCVRAIZ1"
    + "Atos TrustedRoot 2011"
    + "E-Tugra Certification Authority"
    + "SG TRUST SERVICES RACINE"
    + "StartCom Certification Authority"
    ~ "StartCom Certification Authority"_2
      (both StartCom CAs now included with duplicate CKA_LABEL fix)
    + "T-TeleSec GlobalRoot Class 2"
    + "TWCA Global Root CA"
    + "TeliaSonera Root CA v1"
    + "Verisign Class 3 Public Primary Certification Authority"
    ~ "Verisign Class 3 Public Primary Certification Authority"_2
      (both Verisign Class 3 CAs now included with duplicate CKA_LABEL fix)
:
This deals with getting an update to the trusted certificates stored in the web client.

Are you using the graphical interface to perform the update/upgrade versus the command line?

No, I use:

 sudo apt-get update && sudo apt-get upgrade

Thank you guys! This helps.
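
The text pasted earlier in the thread is in Debian changelog format, where `+`, `-` and `~` lines list the CAs that each ca-certificates update adds, removes or renames. The following is an added example (not part of the original thread) that parses such a changelog and replays the entries oldest-first to report the net trust-store change; the sample is an excerpt trimmed from that paste, and the function names are hypothetical.

```python
import re

# Excerpt trimmed from the changelog pasted in the thread (newest entry first).
SAMPLE = '''\
ca-certificates (20140927) unstable; urgency=medium

    + "DigiCert Global Root G2"
    - "Entrust.net Secure Server CA"
    - "RSA Root Certificate 1"
    - "ValiCert Class 1 VA"

 -- Michael Shuler <michael@pbandjelly.org>  Sat, 27 Sep 2014 15:16:51 -0500

ca-certificates (20140325) unstable; urgency=medium

    + "Entrust.net Secure Server CA"
    + "GTE CyberTrust Global Root"
    + "RSA Root Certificate 1"
    + "ValiCert Class 1 VA"
'''

HEADER = re.compile(r'^(\S+) \(([^)]+)\) \S+; urgency=\w+$')
CHANGE = re.compile(r'^\s+([+~-]) "([^"]+)"')

def parse_changelog(text):
    """Return [(version, {'+': [...], '-': [...], '~': [...]})] in file order."""
    entries = []
    for line in text.splitlines():
        header = HEADER.match(line)
        change = CHANGE.match(line)
        if header:
            entries.append((header.group(2), {'+': [], '-': [], '~': []}))
        elif change and entries:
            entries[-1][1][change.group(1)].append(change.group(2))
    return entries

def net_effect(entries):
    """Replay entries oldest-first; return (added, removed) name sets."""
    state = {}
    for _version, changes in reversed(entries):
        for name in changes['+']:
            state[name] = 'added'
        for name in changes['-']:
            state[name] = 'removed'
    return ({n for n, s in state.items() if s == 'added'},
            {n for n, s in state.items() if s == 'removed'})

if __name__ == '__main__':
    print(net_effect(parse_changelog(SAMPLE)))
```

On this excerpt the replay shows that three of the roots re-added in 20140325 are removed again in 20140927, while "GTE CyberTrust Global Root" stays in the bundle.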