Error 60 in Landscape: a failing certificate chain

Jurjen Bokma


Table of Contents

The problem

We have a Landscape server to keep our Ubuntu PC's wellbehaved. When they boot for the first time, they are supposed to apply for a Landscape membership with:

landscape-config --import= -t $(hostname -f) --script-users=me,you,everybody --silent --registration-password=verysecretofcourse

But this fails with:

Fetching configuration from
Couldn't download configuration from Error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Now, when we fetch the bootstrap.conf with a browser, it doesn't complain. Wget complains about the certificate on some machines, but not on all, most notably not on the client we are trying to connect to Landscape. But ssl reports a self-signed certificate in the chain:

openssl s_client -host -port 443
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate chain
0 s:/C=NL/O=Rijksuniversiteit Groningen/OU=CITNWD/
1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 1
  i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=
  i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
  i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=


The issuer of this certificate is the same as the signee. We'd expect that only at the top of the chain.