Ubuntu
ca-certificates package

Remove expired AddTrust_External_Root.crt because it breaks software

Bug #1881533 reported by halfgaar
52
This bug affects 9 people
Affects Status Importance Assigned to Milestone
ca-certificates (Ubuntu)
Fix Released
Critical
Marc Deslauriers
Xenial
Fix Released
Critical
Marc Deslauriers
Bionic
Fix Released
Critical
Marc Deslauriers
Eoan
Fix Released
Critical
Marc Deslauriers
Focal
Fix Released
Critical
Marc Deslauriers
Groovy
Fix Released
Critical
Marc Deslauriers

Bug Description

The AddTrust_External_Root.crt certificate has expired:

Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Validity
            Not Before: May 30 10:48:38 2000 GMT
            Not After : May 30 10:48:38 2020 GMT
        Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

This causes various client-side errors on Ubuntu 16.04 machines, about SSL certificate expiration, using (lib)curl for instance. Ubuntu 18.04 and up seem OK.

Removing 'mozilla/AddTrust_External_Root.crt' from /etc/ca-certificates.conf and running 'update-ca-certificates -f -v' helps. I'm not sure if removing it is universally the best solution, but I can't find any other bug reports about this on Launchpad, and this seems the quickest way to fix all clients.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ca-certificates (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Xenial):
importance: Undecided → Critical
Changed in ca-certificates (Ubuntu Bionic):
importance: Undecided → Critical
Changed in ca-certificates (Ubuntu Eoan):
importance: Undecided → Critical
Changed in ca-certificates (Ubuntu Focal):
importance: Undecided → Critical
Changed in ca-certificates (Ubuntu Groovy):
importance: Undecided → Critical
Changed in ca-certificates (Ubuntu Xenial):
status: New → In Progress
Changed in ca-certificates (Ubuntu Bionic):
status: New → In Progress
Changed in ca-certificates (Ubuntu Eoan):
status: New → In Progress
Changed in ca-certificates (Ubuntu Focal):
status: New → In Progress
Changed in ca-certificates (Ubuntu Groovy):
status: Confirmed → In Progress
Changed in ca-certificates (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Eoan):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Focal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Groovy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Mark Cunningham (mdscunningham) wrote :

Please ignore my mistake in the activity above.

Changed in ca-certificates (Ubuntu Xenial):
milestone: none → xenial-updates
milestone: xenial-updates → ubuntu-16.04.6
milestone: ubuntu-16.04.6 → none
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Updated will be released within the next half-hour.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Updates for this issue have now been published:

https://usn.ubuntu.com/4377-1/

Changed in ca-certificates (Ubuntu Xenial):
status: In Progress → Fix Released
Changed in ca-certificates (Ubuntu Bionic):
status: In Progress → Fix Released
Changed in ca-certificates (Ubuntu Eoan):
status: In Progress → Fix Released
Changed in ca-certificates (Ubuntu Focal):
status: In Progress → Fix Released
Changed in ca-certificates (Ubuntu Groovy):
status: In Progress → Fix Committed
Revision history for this message
Goodpeace (goody-mx-server) wrote :

I think this removal makes problems > Ubuntu 18:
https://answers.launchpad.net/ubuntu/+source/ca-certificates/+question/691096

Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Groovy):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.