Comment 6 for bug 566728

Gwen Weinholt (weinholt) wrote :

I've stumbled on this problem myself, and I might have a clue as to what the problem is. The certificate chain sent by help.ubuntu.com:443 is in the wrong order:

$ openssl s_client -CApath /etc/ssl/certs/ -connect help.ubuntu.com:443
CONNECTED(00000003)
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/O=*.ubuntu.com/OU=Domain Control Validated/CN=*.ubuntu.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://<email address hidden>
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---

The last two certificates are in the wrong order. Certificate 0 has certificate 2 as issuer, but "Each following certificate MUST directly certify the one preceding it" (RFC 5246).

Another problem with the certificate that very pedantic X.509 implementations will find is that the certificate for *.ubuntu.com uses a PrintableString to represent the string "*.ubuntu.com", but the PrintableString alphabet does not include the character "*". This can be checked by converting the certificate to DER format and running dumpasn1:

 338 3: OBJECT IDENTIFIER commonName (2 5 4 3)
 343 12: PrintableString '*.ubuntu.com'
         : Error: PrintableString contains illegal character(s).
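Both points can be checked programmatically. The script below is an added example, not part of this bug report: it parses the chain block that `openssl s_client` prints, reports positions that violate the RFC 5246 ordering rule, and tests a string against the PrintableString alphabet. The embedded sample chain is constructed from the output quoted above, with the distinguished names shortened.

```python
import re

# PrintableString alphabet (ITU-T X.680): letters, digits, space and the
# punctuation ' ( ) + , - . / : = ?  -- '*' is not a member.
PRINTABLE_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)

def is_valid_printable_string(value):
    """True if every character of value may appear in a PrintableString."""
    return all(ch in PRINTABLE_ALPHABET for ch in value)

def parse_chain(s_client_output):
    """Parse the 'Certificate chain' block of `openssl s_client` output into
    (subject, issuer) tuples in the order the server sent the certificates."""
    chain = []
    for line in s_client_output.splitlines():
        m = re.match(r"^\s*\d+ s:(.*)$", line)
        if m:
            chain.append([m.group(1).strip(), None])
            continue
        m = re.match(r"^\s*i:(.*)$", line)
        if m and chain:
            chain[-1][1] = m.group(1).strip()
    return [tuple(entry) for entry in chain]

def chain_order_errors(chain):
    """RFC 5246: each certificate must directly certify the preceding one, so
    cert[n].subject must equal cert[n-1].issuer. Returns the offending
    positions as (position, expected_subject, actual_subject)."""
    return [(n, chain[n - 1][1], chain[n][0])
            for n in range(1, len(chain)) if chain[n][0] != chain[n - 1][1]]

# Constructed sample reproducing the chain quoted in the comment above, with
# the distinguished names abbreviated.
SAMPLE = """\
 0 s:/O=*.ubuntu.com/OU=Domain Control Validated/CN=*.ubuntu.com
   i:/O=GoDaddy.com, Inc./CN=Go Daddy Secure Certification Authority
 1 s:/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority
 2 s:/O=GoDaddy.com, Inc./CN=Go Daddy Secure Certification Authority
   i:/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
"""

if __name__ == "__main__":
    for pos, expected, actual in chain_order_errors(parse_chain(SAMPLE)):
        print(f"cert {pos}: expected subject {expected!r}, got {actual!r}")
    print("'*.ubuntu.com' is a valid PrintableString:",
          is_valid_printable_string("*.ubuntu.com"))
```

Swapping certificates 1 and 2 in the sample makes `chain_order_errors` return an empty list, which is the order the server should have sent.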