I've stumbled on this problem myself, and I might have a clue as to what the problem is. The certificate chain sent by help.ubuntu.com:443 is in the wrong order:
$ openssl s_client -CApath /etc/ssl/certs/ -connect help.ubuntu.com:443
CONNECTED(00000003)
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/O=*.ubuntu.com/OU=Domain Control Validated/CN=*.ubuntu.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
1 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://<email address hidden>
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
The last two certificates are in the wrong order. Certificate 0 has certificate 2 as issuer, but "Each following certificate MUST directly certify the one preceding it" (RFC 5246).
Another problem with the certificate that very pedantic X.509 implementations will find is that the certificate for *.ubuntu.com uses a PrintableString to represent the string "*.ubuntu.com", but the PrintableString alphabet does not include the character "*". This can be checked by converting the certificate to DER format and running dumpasn1:
338 3: OBJECT IDENTIFIER commonName (2 5 4 3)
343 12: PrintableString '*.ubuntu.com'
: Error: PrintableString contains illegal character(s).
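Added example, not part of the original comment: a small checker for the two problems described above, run against the chain section of the s_client output quoted in the comment. The function names are illustrative, and comparing the printed subject/issuer strings is a simplification (real path building compares the encoded names and verifies signatures).

```python
import string

# Chain section copied from the s_client output quoted in the comment above.
SAMPLE = """\
Certificate chain
0 s:/O=*.ubuntu.com/OU=Domain Control Validated/CN=*.ubuntu.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
1 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://<email address hidden>
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        head, _, rest = line.strip().partition(":")
        if head.endswith(" s") and head[:-2].strip().isdigit():
            subject = rest.strip()          # "<n> s:<subject DN>"
        elif head == "i" and subject is not None:
            chain.append((subject, rest.strip()))
            subject = None
    return chain

def order_violations(chain):
    """Indexes n where certificate n+1 is not the issuer of certificate n."""
    # Heuristic: compares the DN strings exactly as s_client printed them.
    return [n for n in range(len(chain) - 1) if chain[n][1] != chain[n + 1][0]]

def suggest_order(chain):
    """Follow issuer links from the leaf (index 0) to get a valid send order."""
    by_subject = {subj: n for n, (subj, _) in enumerate(chain)}
    order, seen, n = [], set(), 0
    while n is not None and n not in seen:   # stops at a self-signed root
        order.append(n)
        seen.add(n)
        n = by_subject.get(chain[n][1])      # None when the issuer was not sent
    return order

# PrintableString alphabet (X.680): letters, digits, space and ' ( ) + , - . / : = ?
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")

def printable_string_ok(value):
    """True if every character is legal in an ASN.1 PrintableString."""
    return set(value) <= PRINTABLE
```

For the quoted output, `order_violations` flags both adjacent pairs and `suggest_order` returns the order the server should have used: certificate 0, then 2, then 1.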