Trusting New SSL Certificates in Debian

Debain (and Ubuntu) systems store a list of trusted Certificate Authority (CA) SSL certificates in /etc/ssl/certs that many packages (ruby, curl, etc) rely on.

These days, many SSL certificates are issued with at least 1 intermediate certificate between the root CA certificate and the end of the chain. When the intermediate certificate is unrecognised some SSL clients are happy to automatically download them, but some will refuse to allow the connection to continue.

Ruby throws an error when this happens and it looks something like this:

    SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

To resolve this, add the intermediate certificate to Debian’s trusted set by following these steps:

You should see output that looks something like this and any program that uses Debian’s central list of trusted certificates should be happy again.

    server:/usr/local/share/ca-certificates# cp /root/ThawteSSLCA.pem .
    server:/usr/local/share/ca-certificates# update-ca-certificates
    Updating certificates in /etc/ssl/certs...
    1 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....done.