Home / server / Questions / 722770
In Process
Alan Robertson
Asked: 2015-09-17 07:48:48 +0800 CST

Which Ubuntu package has the CA for debian.neo4j.org (godaddy)?

  • 772

The neo4j site shows that you should get their certificate using 

wget -q -O - http://debian.neo4j.org/neotechnology.gpg.key

This, of course, could allow their certificate to be hacked. So, I really should use https://debian.neo4j.org/neotechnology.gpg.key instead. But when I do, neither wget nor curl can find the certificate. On the other hand, Chrome seems perfectly happy with it.

Here's the detailed message from wget:

ERROR: cannot verify debian.neo4j.org's certificate, issued by ‘CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US’:

I have to use a command line tool in this context, and I very strongly prefer to use **https*. What package will install the certificiate I need?

[I already know about --no-check-certificate. That's not what I want]

ubuntu

1 Answers

  1. Looks like that website failed to send the required intermediate certificate along, and intermediate certificates are not typically installed. You can check this by running

    openssl s_client -showcerts -connect debian.neo4j.org:443

    Which tells us

    depth=0 OU = Domain Control Validated, CN = *.neo4j.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = *.neo4j.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = *.neo4j.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.neo4j.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2

    So now it's time for some manual steps. As you can see, the web page where GoDaddy makes these certificates available is listed. In this case we'll need 

    wget https://certs.godaddy.com/repository/gdig2.crt

    So, now we give this certificate to wget, and you'll see that it's happy:

    wget -q --ca-certificate gdig2.crt -O - https://debian.neo4j.org/neotechnology.gpg.key
    • 1