RockyLinux vs Ubuntu SSL differences?

I recently have had to install some certificates on my machines to maintain network access. Two .crt files were provided.

The Rocky 9 (rhel) machines: Rename 2 .crt to .pem, copy to:

/etc/pki/ca-trust/source/anchors

Run:

sudo update-ca-trust extract

Done. Check a random website in Chrome and it loads fine. Git clones a test repo no problem. The only issue I can find is that Python apparently doesn’t use the system CA store, so I’ve got to figure that one out.

BUT!

I’m not so familiar with it, but I have two Ubuntu 24.04 LTS machines running some specialized software and the vendor only supports Ubuntu.

Copy 2 .crt files to:

/usr/local/share/ca-certificates

Run:

update-ca-certificates

The output reports that 2 new were found.

Check a random website in Chrome: “Your connection is not private”, yet the certificate viewer looks the same as in Rocky. Can’t clone a git repo.

I’ve tried this on a freshly installed VM, and then right on a freshly booted live CD image on a desktop machine, same result. This is driving me nuts! Rocky must do SOMETHING different WRT CAs, or is there an extra step in Ubuntu? I’ve also tried adding them with:

dpkg-reconfigure ca-certificates

And putting them in a subfolder (“extra”) of /usr/local/share/ca-certificates, to no avail.

Anyone familiar with both that can help me out here? There must be some configuration difference between them or something???

Rocky 9 has openssl 3.2.2
Ubuntu 24.04 has 3.0.13
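As an added example (not from the original post or from either distro's own tooling), here is a POSIX shell script that stages CA files for both trust stores described above and checks the file encoding first. It assumes the anchor directories and refresh commands named in the post, and that `openssl` is installed for the DER-to-PEM conversion step; the certificate it stages is a constructed placeholder. It covers the OpenSSL-side bundle only, not what Chrome or Firefox read.

```shell
#!/bin/sh
# Added example (not from the thread): stage CA files for either distro's trust tooling
# and check the encoding first. Assumes `openssl` is installed for DER-to-PEM conversion;
# the anchor directories and refresh commands are the ones named in the post.

UBUNTU_ANCHORS=/usr/local/share/ca-certificates   # update-ca-certificates scans *.crt here (PEM)
ROCKY_ANCHORS=/etc/pki/ca-trust/source/anchors    # p11-kit accepts PEM or DER from here

# Print "pem" if the file carries a PEM certificate header, otherwise "der".
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    else
        echo der
    fi
}

# Copy into the Ubuntu anchor dir. The file must be PEM and must end in .crt, or
# update-ca-certificates will not fold it into /etc/ssl/certs/ca-certificates.crt.
stage_for_ubuntu() {  # args: certfile [destdir]
    src=$1; dest=${2:-$UBUNTU_ANCHORS}
    base=$(basename "$src"); base=${base%.*}
    case "$(cert_encoding "$src")" in
        pem) cp "$src" "$dest/$base.crt" || return 1 ;;
        der) openssl x509 -inform DER -in "$src" -out "$dest/$base.crt" || return 1 ;;
    esac
    echo "$dest/$base.crt"
}

# Copy into the Rocky anchor dir unchanged: extension and encoding are not significant there.
stage_for_rocky() {  # args: certfile [destdir]
    src=$1; dest=${2:-$ROCKY_ANCHORS}
    cp "$src" "$dest/" || return 1
    echo "$dest/$(basename "$src")"
}

# Rebuild the distro bundle with whichever tool this host has.
refresh_trust() {
    if command -v update-ca-trust >/dev/null 2>&1; then update-ca-trust extract
    elif command -v update-ca-certificates >/dev/null 2>&1; then update-ca-certificates
    else echo "no trust refresh tool found" >&2; return 1
    fi
}

# Confirm the rebuilt bundle actually chains a certificate: exit 0 only if openssl accepts it.
verify_against_bundle() {  # args: bundle certfile
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo on a constructed placeholder (not a real certificate), entirely inside a temp dir.
demo_dir=$(mktemp -d)
printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
    'Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=' '-----END CERTIFICATE-----' > "$demo_dir/corp-root.pem"
mkdir "$demo_dir/ubuntu" "$demo_dir/rocky"
echo "encoding: $(cert_encoding "$demo_dir/corp-root.pem")"
echo "ubuntu:   $(stage_for_ubuntu "$demo_dir/corp-root.pem" "$demo_dir/ubuntu")"
echo "rocky:    $(stage_for_rocky "$demo_dir/corp-root.pem" "$demo_dir/rocky")"
rm -rf "$demo_dir"
```

Run `stage_for_ubuntu corp-root.pem && sudo update-ca-certificates` on the Ubuntu box and then `verify_against_bundle /etc/ssl/certs/ca-certificates.crt corp-root.pem`; if that passes but the browser still complains, the bundle is fine and the problem is in what the browser reads.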

Chrome uses the NSS Shared DB to look up trusted certificates (Chromium Docs).
Red Hat/Rocky Linux happen to use the NSS libraries system-wide, hence updating the certdb works for Chrome as well.
Ubuntu maintains a separate trust store for certificates. So it seems you either have to add your cert to the trusted certs in Chrome, or follow the manual from the above doc to do it from the command line. You will need the libnss3-tools package for it.

Hm, ok I also tested it with Firefox and it fails the same way. And it can’t clone a git repo either. But the systemwide storage difference seems like a hint, maybe

Firefox uses the same method. But git clone should use libcurl, I think. Check if you get the same error with curl.

I ended up having to remove the NSS lib from where Ubuntu puts it (/usr/lib/x86_64-linux-gnu/libnssckbi.so) and linking p11-kit-trust.so where it was. Now most everything just uses the system cert trust store.
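The two NSS-side fixes discussed in this thread, written out as an added example (not the poster's own commands and not from the Chromium docs): the per-user certutil import that the earlier reply points at, and the system-wide libnssckbi.so swap described just above. It assumes certutil comes from libnss3-tools, that the shared NSS DB is ~/.pki/nssdb, and that Ubuntu's p11-kit module lives at /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so (an assumed path; adjust if your p11-kit package installs it elsewhere).

```shell
#!/bin/sh
# Added example (not from the thread): make NSS-based apps (Chrome, Firefox) trust a CA on Ubuntu.
# (a) per-user: import into the shared NSS DB with certutil (libnss3-tools)
# (b) system-wide: point libnssckbi.so at p11-kit-trust.so so NSS reads the distro trust store

NSSDB="sql:${HOME:-/root}/.pki/nssdb"           # shared DB that Chrome and Firefox read
NSS_LIBDIR=/usr/lib/x86_64-linux-gnu            # where Ubuntu puts libnssckbi.so (from the thread)
P11KIT_TRUST=$NSS_LIBDIR/pkcs11/p11-kit-trust.so   # assumed location of the p11-kit trust module

# (a) Import one CA with trust flags "C,," (trusted CA for server auth only).
nss_import_ca() {  # args: nickname pemfile
    nick=$1; pem=$2
    [ -r "$pem" ] || { echo "no such file: $pem" >&2; return 2; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || { echo "not PEM: $pem" >&2; return 3; }
    command -v certutil >/dev/null 2>&1 || { echo "certutil missing: install libnss3-tools" >&2; return 4; }
    mkdir -p "${HOME:-/root}/.pki/nssdb"
    certutil -d "$NSSDB" -A -t "C,," -n "$nick" -i "$pem"
}

# List what the shared DB currently trusts.
nss_list_ca() { certutil -d "$NSSDB" -L; }

# (b) Report whether NSS's built-in-roots module resolves to p11-kit's trust module.
# Takes the lib dir as an argument so the check can be run against any tree.
nss_uses_p11kit() {  # args: libdir
    target=$(readlink -f "$1/libnssckbi.so" 2>/dev/null) || return 1
    case "$target" in *p11-kit-trust.so) return 0 ;; *) return 1 ;; esac
}

# Swap libnssckbi.so for a symlink to p11-kit-trust.so, keeping the original as a backup.
# Caveat: a libnss3 package upgrade restores the original file, so re-check afterwards.
nss_link_p11kit() {  # args: libdir p11kit_path
    libdir=$1; p11=$2
    [ -f "$p11" ] || { echo "p11-kit trust module not found at $p11" >&2; return 1; }
    nss_uses_p11kit "$libdir" && return 0
    [ -e "$libdir/libnssckbi.so.dist" ] || mv "$libdir/libnssckbi.so" "$libdir/libnssckbi.so.dist" || return 1
    ln -sf "$p11" "$libdir/libnssckbi.so"
}

# Stand-alone run: report which roots NSS is using on this host.
if nss_uses_p11kit "$NSS_LIBDIR"; then
    echo "NSS uses the p11-kit system trust store"
else
    echo "NSS uses its own built-in roots (Chrome/Firefox will not see /etc/ssl/certs additions)"
fi
```

For (b) to survive package upgrades, register the swap with dpkg instead of a bare `mv`: `dpkg-divert --add --rename --divert /usr/lib/x86_64-linux-gnu/libnssckbi.so.dist /usr/lib/x86_64-linux-gnu/libnssckbi.so` before creating the symlink. Option (a) is per user and needs no root, but has to be repeated for every account that runs a browser.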

Adding to the system trust “just worked” in Rocky. Not sure why?

Except python :-/
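For the Python side mentioned at the top of the thread and again here, an added example (not the poster's fix): a POSIX shell snippet that locates the distro's CA bundle and exports the variables that OpenSSL's ssl module, requests and pip honour. It assumes the standard bundle paths for each family (/etc/pki/tls/certs/ca-bundle.crt on Rocky, /etc/ssl/certs/ca-certificates.crt on Ubuntu); the root-directory argument exists only so the lookup can be exercised against a test tree.

```shell
#!/bin/sh
# Added example (not from the thread): point Python at the distro's CA bundle.
# Assumes the standard bundle paths: Rocky writes /etc/pki/tls/certs/ca-bundle.crt on
# `update-ca-trust extract`, Ubuntu writes /etc/ssl/certs/ca-certificates.crt on
# `update-ca-certificates`.

# Print the system bundle path that exists under ROOT (ROOT defaults to "/" and is
# only an argument so the lookup can be tested against a scratch tree).
system_ca_bundle() {  # args: [root]
    root=${1:-}
    for p in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
        if [ -r "$root$p" ]; then echo "$p"; return 0; fi
    done
    return 1
}

# Emit export lines for the three consumers that do not share OpenSSL's compiled-in default:
#   SSL_CERT_FILE       OpenSSL, and so Python's ssl module / urllib
#   REQUESTS_CA_BUNDLE  requests (which otherwise uses certifi's own bundle)
#   PIP_CERT            pip (same as --cert)
python_ca_env() {  # args: [root]
    bundle=$(system_ca_bundle "$1") || { echo "no system CA bundle found" >&2; return 1; }
    printf 'export SSL_CERT_FILE=%s\n' "$bundle"
    printf 'export REQUESTS_CA_BUNDLE=%s\n' "$bundle"
    printf 'export PIP_CERT=%s\n' "$bundle"
}

# Show what Python's ssl module will actually use, env vars included.
python_verify_paths() {
    command -v python3 >/dev/null 2>&1 || { echo "python3 not installed" >&2; return 1; }
    python3 -c 'import ssl; print(ssl.get_default_verify_paths())'
}

# Exit 0 if a certificate with the given subject substring is present in the bundle.
bundle_has_subject() {  # args: bundle subject-substring
    command -v openssl >/dev/null 2>&1 || return 2
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null \
        | grep -q "subject=.*$2"
}

# Stand-alone run: print the exports for this host (eval them in the shell that runs Python).
python_ca_env || true
```

Use it as `eval "$(sh ca-env.sh)"` (or add the exports to /etc/profile.d) and then confirm with `python_verify_paths` that `openssl_cafile` or the env var now points at the bundle; `bundle_has_subject /etc/ssl/certs/ca-certificates.crt "Corp Root"` confirms the CA actually made it into the bundle after the refresh.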