Bug#909472: ca-certificates: Missing Cisco Umbrella certificates used by www.youtube.com


Julian Calaby
Package: ca-certificates
Version: 20180409
Severity: important

Dear Maintainer,

https://www.youtube.com/ is inaccessible in Debian due to there being no local
copy of the Cisco Umbrella CA certificate(s).

YouTube appears to have updated their SSL certificate on the 24th of September
2018 to use this new CA.

I have all certificates enabled from the Sid version of this package.

$ openssl s_client -showcerts -connect www.youtube.com:443
CONNECTED(00000003)
depth=2 CN = Cisco Umbrella Primary SubCA, O = Cisco
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
   i:/CN=Cisco Umbrella Secondary SubCA syd-SG/O=Cisco
 1 s:/CN=Cisco Umbrella Secondary SubCA syd-SG/O=Cisco
   i:/CN=Cisco Umbrella Primary SubCA/O=Cisco
 2 s:/CN=Cisco Umbrella Primary SubCA/O=Cisco
   i:/O=Cisco/CN=Cisco Umbrella Root CA
---
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
issuer=/CN=Cisco Umbrella Secondary SubCA syd-SG/O=Cisco
---
No client certificate CA names sent
---
SSL handshake has read 3304 bytes and written 494 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 44A45E2041BFAF055C258AB477ECF487182F5F2AC19889D581140F0687F20AA9
    Session-ID-ctx:
    Master-Key: 3F27C4570C9AEB398AC6549DE78DF2EE7DDBCE8893E08B1408A20D85C88AF9E74B5CD08175FE2EDBE3A0D51C6F9DED56
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1537784592
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
---
closed


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.69
ii  openssl                1.1.0h-4

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information:
  ca-certificates/new_crts:
  ca-certificates/title:
* ca-certificates/trust_new_crts: yes
* ca-certificates/enable_crts: mozilla/ACCVRAIZ1.crt, mozilla/AC_RAIZ_FNMT-RCM.crt, mozilla/Actalis_Authentication_Root_CA.crt, mozilla/AddTrust_External_Root.crt, mozilla/AffirmTrust_Commercial.crt, mozilla/AffirmTrust_Networking.crt, mozilla/AffirmTrust_Premium.crt, mozilla/AffirmTrust_Premium_ECC.crt, mozilla/Amazon_Root_CA_1.crt, mozilla/Amazon_Root_CA_2.crt, mozilla/Amazon_Root_CA_3.crt, mozilla/Amazon_Root_CA_4.crt, mozilla/Atos_TrustedRoot_2011.crt, mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt, mozilla/Baltimore_CyberTrust_Root.crt, mozilla/Buypass_Class_2_Root_CA.crt, mozilla/Buypass_Class_3_Root_CA.crt, mozilla/CA_Disig_Root_R2.crt, mozilla/Certigna.crt, mozilla/Certinomis_-_Root_CA.crt, mozilla/Certplus_Class_2_Primary_CA.crt, mozilla/Certplus_Root_CA_G1.crt, mozilla/Certplus_Root_CA_G2.crt, mozilla/certSIGN_ROOT_CA.crt, mozilla/Certum_Trusted_Network_CA_2.crt, mozilla/Certum_Trusted_Network_CA.crt, mozilla/CFCA_EV_ROOT.crt, mozilla/Chambers_of_Commerce_Root_-_2008.crt, mozilla/Comodo_AAA_Services_root.crt, mozilla/COMODO_Certification_Authority.crt, mozilla/COMODO_ECC_Certification_Authority.crt, mozilla/COMODO_RSA_Certification_Authority.crt, mozilla/Cybertrust_Global_Root.crt, mozilla/Deutsche_Telekom_Root_CA_2.crt, mozilla/DigiCert_Assured_ID_Root_CA.crt, mozilla/DigiCert_Assured_ID_Root_G2.crt, mozilla/DigiCert_Assured_ID_Root_G3.crt, mozilla/DigiCert_Global_Root_CA.crt, mozilla/DigiCert_Global_Root_G2.crt, mozilla/DigiCert_Global_Root_G3.crt, mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, mozilla/DigiCert_Trusted_Root_G4.crt, mozilla/DST_Root_CA_X3.crt, mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt, mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt, mozilla/EC-ACC.crt, mozilla/EE_Certification_Centre_Root_CA.crt, mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt, mozilla/Entrust_Root_Certification_Authority.crt, mozilla/Entrust_Root_Certification_Authority_-_EC1.crt, mozilla/Entrust_Root_Certification_Authority_-_G2.crt, 
mozilla/ePKI_Root_Certification_Authority.crt, mozilla/E-Tugra_Certification_Authority.crt, mozilla/GDCA_TrustAUTH_R5_ROOT.crt, mozilla/GeoTrust_Global_CA.crt, mozilla/GeoTrust_Primary_Certification_Authority.crt, mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt, mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt, mozilla/GeoTrust_Universal_CA_2.crt, mozilla/GeoTrust_Universal_CA.crt, mozilla/Global_Chambersign_Root_-_2008.crt, mozilla/GlobalSign_ECC_Root_CA_-_R4.crt, mozilla/GlobalSign_ECC_Root_CA_-_R5.crt, mozilla/GlobalSign_Root_CA.crt, mozilla/GlobalSign_Root_CA_-_R2.crt, mozilla/GlobalSign_Root_CA_-_R3.crt, mozilla/Go_Daddy_Class_2_CA.crt, mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt, mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt, mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt, mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt, mozilla/Hongkong_Post_Root_CA_1.crt, mozilla/IdenTrust_Commercial_Root_CA_1.crt, mozilla/IdenTrust_Public_Sector_Root_CA_1.crt, mozilla/ISRG_Root_X1.crt, mozilla/Izenpe.com.crt, mozilla/LuxTrust_Global_Root_2.crt, mozilla/Microsec_e-Szigno_Root_CA_2009.crt, mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt, mozilla/Network_Solutions_Certificate_Authority.crt, mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt, mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt, mozilla/OpenTrust_Root_CA_G1.crt, mozilla/OpenTrust_Root_CA_G2.crt, mozilla/OpenTrust_Root_CA_G3.crt, mozilla/QuoVadis_Root_CA_1_G3.crt, mozilla/QuoVadis_Root_CA_2.crt, mozilla/QuoVadis_Root_CA_2_G3.crt, mozilla/QuoVadis_Root_CA_3.crt, mozilla/QuoVadis_Root_CA_3_G3.crt, mozilla/QuoVadis_Root_CA.crt, mozilla/Secure_Global_CA.crt, mozilla/SecureSign_RootCA11.crt, mozilla/SecureTrust_CA.crt, mozilla/Security_Communication_RootCA2.crt, mozilla/Security_Communication_Root_CA.crt, mozilla/Sonera_Class_2_Root_CA.crt, mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt, 
mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt, mozilla/SSL.com_Root_Certification_Authority_ECC.crt, mozilla/SSL.com_Root_Certification_Authority_RSA.crt, mozilla/Staat_der_Nederlanden_EV_Root_CA.crt, mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt, mozilla/Staat_der_Nederlanden_Root_CA_-_G3.crt, mozilla/Starfield_Class_2_CA.crt, mozilla/Starfield_Root_Certificate_Authority_-_G2.crt, mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt, mozilla/SwissSign_Gold_CA_-_G2.crt, mozilla/SwissSign_Silver_CA_-_G2.crt, mozilla/SZAFIR_ROOT_CA2.crt, mozilla/Taiwan_GRCA.crt, mozilla/TeliaSonera_Root_CA_v1.crt, mozilla/thawte_Primary_Root_CA.crt, mozilla/thawte_Primary_Root_CA_-_G2.crt, mozilla/thawte_Primary_Root_CA_-_G3.crt, mozilla/TrustCor_ECA-1.crt, mozilla/TrustCor_RootCert_CA-1.crt, mozilla/TrustCor_RootCert_CA-2.crt, mozilla/Trustis_FPS_Root_CA.crt, mozilla/T-TeleSec_GlobalRoot_Class_2.crt, mozilla/T-TeleSec_GlobalRoot_Class_3.crt, mozilla/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt, mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt, mozilla/TWCA_Global_Root_CA.crt, mozilla/TWCA_Root_Certification_Authority.crt, mozilla/USERTrust_ECC_Certification_Authority.crt, mozilla/USERTrust_RSA_Certification_Authority.crt, mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt, mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt, mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt, mozilla/VeriSign_Universal_Root_Certification_Authority.crt, mozilla/Visa_eCommerce_Root.crt, mozilla/XRamp_Global_CA_Root.crt
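
Added example (not part of the original report or of the ca-certificates package): a small POSIX shell triage of `openssl s_client` output in the layout shown above, reporting the leaf certificate's CN, whether it names the host that was requested, the verify return code, and the issuer at the top of the presented chain. The function names are hypothetical, and the sample input is constructed from lines of the output in the report.

```shell
#!/bin/sh
# Added example: triage `openssl s_client` text (OpenSSL 1.1.0 chain layout).
# Function names are hypothetical; CN matching is a hint only, since real
# clients validate subjectAltName (s_client's -verify_hostname does that).

# Constructed sample: lines trimmed from the s_client output in the report.
sample_output() {
cat <<'EOF'
depth=2 CN = Cisco Umbrella Primary SubCA, O = Cisco
verify error:num=20:unable to get local issuer certificate
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
   i:/CN=Cisco Umbrella Secondary SubCA syd-SG/O=Cisco
 1 s:/CN=Cisco Umbrella Secondary SubCA syd-SG/O=Cisco
   i:/CN=Cisco Umbrella Primary SubCA/O=Cisco
 2 s:/CN=Cisco Umbrella Primary SubCA/O=Cisco
   i:/O=Cisco/CN=Cisco Umbrella Root CA
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Print the CN value from one subject/issuer line.
cn_of() { printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^/,]*\).*|\1|p'; }

# Exact match, or a "*." wildcard that covers exactly one leftmost label.
cn_matches() {
    m_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    m_pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$m_pat" in
        '*.'*) [ "$m_host" != "${m_host#*.}" ] && [ "${m_host#*.}" = "${m_pat#\*.}" ] ;;
        *)     [ "$m_host" = "$m_pat" ] ;;
    esac
}

# Usage: openssl s_client ... </dev/null 2>&1 | triage_s_client HOST
triage_s_client() {
    t_out=$(cat)
    t_leaf=$(printf '%s\n' "$t_out" | sed -n '/^ *0 s:/{p;q;}')
    t_top=$(printf '%s\n' "$t_out" | grep '^ *i:' | tail -n 1)
    t_code=$(printf '%s\n' "$t_out" |
        sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | tail -n 1)
    t_cn=$(cn_of "$t_leaf")
    if cn_matches "$1" "$t_cn"; then t_match=yes; else t_match=no; fi
    printf 'leaf_cn=%s\nhost_match=%s\nverify_code=%s\ntop_issuer=%s\n' \
        "$t_cn" "$t_match" "$t_code" "$(cn_of "$t_top")"
}

sample_output | triage_s_client www.youtube.com
```

For the sample it reports leaf_cn=*.opendns.com, host_match=no, verify_code=20 and top_issuer=Cisco Umbrella Root CA.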