[colug-432] [CRB] Ubuntu VPS Updating and/or SSL CA Update
Mark Aufdencamp
mark at aufdencamp.com
Tue Feb 7 21:37:23 EST 2012
By design OpenSSL does not ship Root CA Certificates. I was fortunate
to have a copy of O'Reilly's OpenSSL book on the shelf courtesy of
Half-Price.
Ubuntu/Debian have a ca-certificates package that contains Root CAs in
addition to those shipped with Mozilla products. In addition, this
package contains an update-ca-certificates program. One can update the
ca-certificates.crt by editing the /etc/ca-certificates.conf and running
the update-ca-certificates program.
1. Download the current Verisign Certs from
http://www.verisign.com/support/roots.html
2. Create a directory for the new root certs - /usr/share/ca-certificates/verisign.com
3. Copy the Pem files into the new directory, renaming the files with a
.crt extension (I also removed white space with an underscore and
followed the original ca-certificates naming conventions.)
4. I edited the new .crt's to add a CR/LF to the end of each
certificate. update-ca-certificates seemed to want this.
5. Remove the old Verisign certs from /etc/ca-certificates.conf with an "!"
6. Add the new Verisign certs into the /etc/ca-certificates.conf
7. Run update-ca-certificates with the -f option
8. Test the new certs
Good additional commands to know:
openssl verify /etc/ssl/certs/Verisign_RSA_Secure_Server_CA.pem
openssl s_client -CApath /etc/ssl/certs -showcerts -connect api.twitter.com:443
I'd still like to dist-upgrade my server, but need to wait a couple weeks
for a maintenance window.
I can also confirm that turning off peer verification in the Ruby OpenSSL
lib allows the connection to function. This is probably a really bad
idea!
Hope this was interesting to others.
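The staging and registration steps above (2 through 6, with 7 and 8 as a root-only helper), written up as POSIX shell functions. This is an added example for this archive page, not the poster's own script; the vendor directory name, the `mozilla/Verisign` pattern and the downloaded file name are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): steps 2-6 of the procedure above
# as functions. Defaults are the Debian/Ubuntu paths; the optional third
# argument to install_ca_crt points at a scratch tree for dry runs.

# Copy one PEM file to <share>/<vendor>/<name>.crt (spaces become underscores)
# and guarantee a trailing newline: update-ca-certificates concatenates these
# files, so a missing final newline glues one PEM block onto the next.
# Prints the conf entry ("<vendor>/<name>.crt") for register_ca_crt.
install_ca_crt() {
    pem="$1"; vendor="$2"; share="${3:-/usr/share/ca-certificates}"
    base=$(basename "$pem" .pem | tr ' ' '_')
    dest="$share/$vendor/$base.crt"
    mkdir -p "$share/$vendor"
    cp "$pem" "$dest"
    if [ -n "$(tail -c1 "$dest")" ]; then
        printf '\n' >> "$dest"
    fi
    printf '%s\n' "$vendor/$base.crt"
}

# Edit ca-certificates.conf: prefix "!" to every still-enabled entry matching
# OLD_PATTERN ("!" is the conf's own syntax for "known, but do not trust"),
# then append ENTRY if it is not already there. "#" lines are comments.
register_ca_crt() {
    conf="$1"; entry="$2"; old_pattern="$3"
    tmp="$conf.tmp.$$"
    awk -v pat="$old_pattern" '
        $0 ~ pat && $0 !~ /^[!#]/ { print "!" $0; next }
        { print }
    ' "$conf" > "$tmp"
    grep -qxF "$entry" "$tmp" || printf '%s\n' "$entry" >> "$tmp"
    mv "$tmp" "$conf"
}

# Steps 7-8 (root required, so not invoked here): rebuild the store, check the
# new root verifies from /etc/ssl/certs, then check a live endpoint against it.
#   entry=$(install_ca_crt "downloaded-root.pem" verisign.com)   # placeholder file name
#   register_ca_crt /etc/ca-certificates.conf "$entry" 'mozilla/Verisign'
#   rebuild_and_check "$entry" api.twitter.com
rebuild_and_check() {
    name=$(basename "$1" .crt)
    update-ca-certificates -f
    openssl verify -CApath /etc/ssl/certs "/etc/ssl/certs/$name.pem"
    openssl s_client -CApath /etc/ssl/certs -connect "$2:443" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}
```

Run the three calls from the comment as root after downloading the new roots; the `Verify return code: 0 (ok)` line from s_client is the same end-to-end check as step 8.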
> -------- Original Message --------
> Subject: [CRB] Ubuntu VPS Updating and/or SSL CA Update
> From: "Mark Aufdencamp" <mark at aufdencamp.com>
> Date: Sun, February 05, 2012 3:41 pm
> To: colug-432 at colug.net, columbusrb at googlegroups.com
>
>
> Super Super Bowl Sunday to everyone!
>
> I've a slight problem with an Ubuntu 9.10 Server in the cloud. I missed
> the dist-update period and can no longer update from the command line.
> It's sitting at Rackspace, so I can't really stick a CD in to perform an
> upgrade. Anyone else run into this issue? Solutions on updating the OS
> without having to rebuild a VPS?
>
> It's an issue this weekend as I need to update the Verisign CA certs.
> I've been working on some OAuth features in a Rails application and
> apparently Twitter has had to change their "api.twitter.com" SSL cert
> from Verisign, after Verisign was compromised last year. BTW, Nice
> disclosure to the general public via an SEC filing!
> (http://www.pcworld.com/businesscenter/article/249242/verisign_hacked_what_we_dont_know_might_hurt_us.html)
>
>
> Thus when my Rails app makes an HTTPS request to api.twitter.com, it
> throws an exception:
>
> OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read
> server certificate B: certificate verify failed)
>
> I definitely don't want to turn off SSL verification in the Ruby
> Net::HTTP classes SSL configuration. (http.verify_mode =
> OpenSSL::SSL::VERIFY_NONE) I've found the updated Certs from Verisign
> (http://www.verisign.com/support/roots.html).
>
> Any advice on deploying these new Certs to /etc/ssl/certs ?
>
> Thanks to all in advance!
>
> Mark Aufdencamp
> Mark at Aufdencamp.com
>
>