Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Certificates shown as untrusted.
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo
View previous topic :: View next topic  
Author Message
ignislupis
n00b
n00b


Joined: 30 Aug 2005
Posts: 19

PostPosted: Mon Jan 25, 2010 2:23 pm    Post subject: Certificates shown as untrusted. Reply with quote

When a try to access a few secure sites, https://bugs.gentoo.org and https://bugs.freedesktop.org, Firefox claims:

Code:
bugs.gentoo.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.

(Error code: sec_error_untrusted_issuer)


These sites us certificates provided by CAcert.org.

I don't know much about certificates but I Googled, searched the forums, and checked bugzilla.

The most relevant I found was this bug which talks about broken symlinks in /etc/ssl/certs. I did have some broken links so I cleared them out and re-emerged app-misc/ca-certificates. Still didn't work so I re-emerged Firefox and xulrunner (I don't know what does what).

Firefox still doesn't work and Konqueror also reports invalid certificate.

So looking closer I found the file /etc/ssl/certs/cacert.org.pem exists. I presume that this would be the file I need. I just don't know how to have Firefox/Konqueror use it.

I could add the certificate authority to Firefox, but I would rather have it automatically use the certificates from app-misc/ca-certificates (which I found are actually done by the Debian group). I believe that is the way it is supposed to be and has been in the past.

I run ~amd64 and Firefox recently upgraded to 3.6 then a couple of days later downgraded to 3.5.7. It was only yesterday that I noticed this problem
I can post emerge --info but didn't want to waste the space if I didn't need to.

Thanks.
Back to top
View user's profile Send private message
Jimmy Jazz
Guru
Guru


Joined: 04 Oct 2004
Posts: 302
Location: Strasbourg

PostPosted: Mon Jan 25, 2010 7:54 pm    Post subject: Re: Certificates shown as untrusted. Reply with quote

ignislupis wrote:
When a try to access a few secure sites, https://bugs.gentoo.org and https://bugs.freedesktop.org, Firefox claims:

Code:
bugs.gentoo.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.

(Error code: sec_error_untrusted_issuer)


the hash "link" of cacert.org.pem is probably missing in /etc/ssl/certs

Code:

cd /etc/ssl/certs
ln -s $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt) cacert.org.pem

_________________
« La seule condition au triomphe du mal, c'est l'inaction des gens de bien » E.Burke
Code:

+----+----+----+
|    |::::|    |
|    |::::|    |
+----+----+----+

motto: WeLCRO
WritE Less Code, Repeat Often
Back to top
View user's profile Send private message
ignislupis
n00b
n00b


Joined: 30 Aug 2005
Posts: 19

PostPosted: Tue Jan 26, 2010 1:42 am    Post subject: Re: Certificates shown as untrusted. Reply with quote

Jimmy Jazz wrote:

the hash "link" of cacert.org.pem is probably missing in /etc/ssl/certs

Code:

cd /etc/ssl/certs
ln -s $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt) cacert.org.pem



I already had a link for /etc/ssl/certs/cacert.org.pem but I tried your suggestion.
(And found out afterward that I had a link /etc/ssl/certs/5ed36f99.0).

I backed up the link (being lazy instead of just writing the target down).

I copy and pasted the command:
Code:
ln -s $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt) cacert.org.pem
and it gave me a broken link.
Code:
lrwxrwxrwx 1 root root      8 Jan 25 18:00 cacert.org.pem -> 5ed36f99
flashing in red highlight.

While trying to figure out what you were having me do I noticed that I had a link as follows:
Code:
lrwxrwxrwx 1 root root 14 Sep 10 18:36 5ed36f99.0 -> cacert.org.pem

It was a broken link after I ran your command. It fixed itself when I restored my backup link:
Code:
 lrwxrwxrwx 1 root root 52 Sep 10 18:36 cacert.org.pem -> /usr/share/ca-certificates/cacert.org/cacert.org.crt


I think the arguments need to be switched in your command. Something like this:
Code:
ln -s cacert.org.pem $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt).0

My bash programming isn't good enough to know if you can just tack on the .0 or not. The other links in the directory follow the pattern of "hash.0 -> cert.pem".

Anyway, Firefox still says that https://bugs.gentoo.org has an invalid certificate. Where the hash from your link command (5ed36f99)was the same as in the hash.0 link (5ed36f99.0) already in the directory, I didn't worry about replacing the existing file.

Any more ideas?
Thank you for your help so far.
Back to top
View user's profile Send private message
ignislupis
n00b
n00b


Joined: 30 Aug 2005
Posts: 19

PostPosted: Tue Jan 26, 2010 2:00 am    Post subject: Reply with quote

I just found this bug. If I backup the /usr/share/apps/kssl/ca-bundle.crt and create a link in /usr/share/apps/kssl/:
Code:
lrwxrwxrwx 1 root root     34 Jan 25 18:49 ca-bundle.crt -> /etc/ssl/certs/ca-certificates.crt
Konqueror can now access https://bugs.gentoo.org. It has no effect on Firefox even after a restart. I couldn't find anything similar in /usr/lib/mozilla-firefox.

Edit: I guess Firefox stores them in ~/.mozilla/firefox/somehash.default/cert8.db in binary form (although you can see a lot of strings with your favorite pager/editor). You can download a tool to edit the file from Mozilla. But that seems overkill for trying to get Firefox to use the system certificates.


Last edited by ignislupis on Tue Jan 26, 2010 2:27 am; edited 1 time in total
Back to top
View user's profile Send private message
Jimmy Jazz
Guru
Guru


Joined: 04 Oct 2004
Posts: 302
Location: Strasbourg

PostPosted: Tue Jan 26, 2010 2:25 am    Post subject: Re: Certificates shown as untrusted. Reply with quote

ignislupis wrote:
Jimmy Jazz wrote:

the hash "link" of cacert.org.pem is probably missing in /etc/ssl/certs

Code:

cd /etc/ssl/certs
ln -s $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt) cacert.org.pem



I copy and pasted the command:
Code:
ln -s $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt) cacert.org.pem
and it gave me a broken link.



My mistake, I was never able to remember "ln" options order :)


Any more ideas?

You need a valid root signing authority certificate, go to http://www.CAcert.org/ca.crt and firefox will be happy
_________________
« La seule condition au triomphe du mal, c'est l'inaction des gens de bien » E.Burke
Code:

+----+----+----+
|    |::::|    |
|    |::::|    |
+----+----+----+

motto: WeLCRO
WritE Less Code, Repeat Often
Back to top
View user's profile Send private message
ignislupis
n00b
n00b


Joined: 30 Aug 2005
Posts: 19

PostPosted: Tue Jan 26, 2010 2:34 am    Post subject: Re: Certificates shown as untrusted. Reply with quote

Jimmy Jazz wrote:


My mistake, I was never able to remember "ln" options order :)

I had to run "ln --help" to remember myself. :wink:


Jimmy Jazz wrote:
You need a valid root signing authority certificate, go to http://www.CAcert.org/ca.crt and firefox will be happy


I was hoping to be able to use system installed certificates with Firefox. Like I found earlier with Konqueror. Or perhaps this is something I need to file a bug for. I haven't had this problem with other versions of Firefox so I thought it was a bug.

Thanks again.
Back to top
View user's profile Send private message
Jimmy Jazz
Guru
Guru


Joined: 04 Oct 2004
Posts: 302
Location: Strasbourg

PostPosted: Tue Jan 26, 2010 3:06 am    Post subject: Re: Certificates shown as untrusted. Reply with quote

ignislupis wrote:


I was hoping to be able to use system installed certificates with Firefox. Like I found earlier with Konqueror. Or perhaps this is something I need to file a bug for. I haven't had this problem with other versions of Firefox so I thought it was a bug.

Thanks again.


In fact both certificates are identical. You can read them with,

Code:

openssl x509 -in /etc/ssl/certs/cacert.org.pem  -noout -text -purpose
openssl x509 -in /var/tmp/CACertSigningAuthority -noout -text -purpose


Also, Firefox as well icecat didn't read in /etc/ssl/certs as expected. Probably the answer is hidden in about:config :)
_________________
« La seule condition au triomphe du mal, c'est l'inaction des gens de bien » E.Burke
Code:

+----+----+----+
|    |::::|    |
|    |::::|    |
+----+----+----+

motto: WeLCRO
WritE Less Code, Repeat Often
Back to top
View user's profile Send private message
ignislupis
n00b
n00b


Joined: 30 Aug 2005
Posts: 19

PostPosted: Tue Jan 26, 2010 10:26 am    Post subject: Re: Certificates shown as untrusted. Reply with quote

Jimmy Jazz wrote:

Also, Firefox as well icecat didn't read in /etc/ssl/certs as expected. Probably the answer is hidden in about:config :)


Actually, it seems to be a bit more complicated than that. I found a redhat bug that talks about what it takes to get it to work. It does not seem to be implemented at all on Gentoo. Even though firefox depends on dev-libs/nss, to get the tools to manage the certificates you have to enable the utils use flag. Also I do not have a /etc/pki/nss directory on my system, which is where nss stores the system shared database.

I haven't used redhat for a long time, but I find it interesting that they seem to provide system wide certificates for their distribution. Is this something that would be worth putting in as a feature request for Gentoo? Possibly adding a use flag to Firefox and/or xulrunner (they both depend on dev-libs/nss but I'm not sure which one should actually implement the logic).

Most of the information I have come across, trying to figure this out, dealt with adding private certificates to the system store and trying to get Firefox to see them. Seems like a good idea to me. However, my personal interest is to have the same access to sites no matter the application I'm using. Which could be web-browsers, email clients, instant messengers, private or corporate intranets (not really an application, I know), etc..

I understand that Gentoo is designed for a generally more advanced audience, but I have become comfortable with using it for my more normal user experience as well. And with a use flag option it would keep with the 'configure everything' that Gentoo is known for. I have no idea how difficult the maintenance would be for this. Where we already use app-misc/ca-certificates, could we just add a script to the ebuild for Firefox and grab all those certificates and put them in the shared nss database? But then when app-misc/ca-certificates is updated we would want to update the nss shared database too.

I haven't dived into the goodness of portage/ebuild black magic yet (I haven't learned python). So I don't know how hard it would be to do this. So now I'm asking: is it worth it?
Back to top
View user's profile Send private message
njsg
Tux's lil' helper
Tux's lil' helper


Joined: 17 Dec 2005
Posts: 87

PostPosted: Sat Jun 26, 2010 4:03 pm    Post subject: Re: Certificates shown as untrusted. Reply with quote

ignislupis wrote:
I was hoping to be able to use system installed certificates with Firefox. Like I found earlier with Konqueror. Or perhaps this is something I need to file a bug for. I haven't had this problem with other versions of Firefox so I thought it was a bug.

Thanks again.


Maybe it's worth a bugzilla request, as there's the pointed bug, about the same problem, but in konqueror.

ignislupis wrote:
I haven't used redhat for a long time, but I find it interesting that they seem to provide system wide certificates for their distribution. Is this something that would be worth putting in as a feature request for Gentoo? Possibly adding a use flag to Firefox and/or xulrunner (they both depend on dev-libs/nss but I'm not sure which one should actually implement the logic).


Gentoo already provides system-wide certificates (app-misc/ca-certificates), the problem is that Firefox uses its own store.

If a root certificate is accepted into ca-certificates, and thus trusted, I don't think it makes sense, from a security point-of-view, to have Firefox not trusting that certificate.
Back to top
View user's profile Send private message
njsg
Tux's lil' helper
Tux's lil' helper


Joined: 17 Dec 2005
Posts: 87

PostPosted: Sat Jun 26, 2010 4:49 pm    Post subject: Re: Certificates shown as untrusted. Reply with quote

njsg wrote:
Maybe it's worth a bugzilla request,(...)


As I found no bug about firefox and ca-certificates, I just filled bug #325723 about this.
Back to top
View user's profile Send private message
cwr
Veteran
Veteran


Joined: 17 Dec 2005
Posts: 1969

PostPosted: Mon Jul 04, 2011 8:37 am    Post subject: Bugzilla security certificate Reply with quote

I often access Gentoo/Bugzilla from a system whose security checks I can't override.
Bugzilla doesn't have a valid security certificate, so I can't access it - does anyone
know a way around this?

(On my own machines I can simply accept the certificate regardless, but using them
isn't always convenient).

Thanks - Will

Ediot - should have added the error message "certificate signed by untrused user"

And yes, I'll try the http:// prefix at the next opportunity - many thanks.


Last edited by cwr on Mon Jul 04, 2011 9:58 am; edited 1 time in total
Back to top
View user's profile Send private message
xaviermiller
Administrator
Administrator


Joined: 23 Jul 2004
Posts: 8500
Location: ~Brussels - Belgique

PostPosted: Mon Jul 04, 2011 8:41 am    Post subject: Reply with quote

Hello,

Did you tried http:// in place of https:// ?
_________________
Kind regards,
Xavier Miller
Back to top
View user's profile Send private message
tomk
Bodhisattva
Bodhisattva


Joined: 23 Sep 2003
Posts: 7221
Location: Sat in front of my computer

PostPosted: Mon Jul 04, 2011 8:46 am    Post subject: Reply with quote

Merged previous two posts.
_________________
Search | Read | Answer | Report | Strip
Back to top
View user's profile Send private message
e3k
Guru
Guru


Joined: 01 Oct 2007
Posts: 516
Location: Inner Space

PostPosted: Sun Sep 25, 2011 6:09 pm    Post subject: status Reply with quote

konqueror: accepts
firefox: does not trust
Back to top
View user's profile Send private message
sphakka
Tux's lil' helper
Tux's lil' helper


Joined: 24 Jun 2003
Posts: 77

PostPosted: Wed Oct 12, 2011 5:29 pm    Post subject: Solution Reply with quote

Hi there,

This is not a real NSS's bug, rather a policy issue. Reasons here https://bugzilla.mozilla.org/show_bug.cgi?id=215243.
Solution here http://blog.yjl.im/2010/07/trust-cacertorg-root-certificate-in-nss.html

Bash recipe for mozilla-based browsers:
Code:

# make sure cacert's cert is there, [re-]install certificates if not
root# [ -r /etc/ssl/certs/cacert.org.pem ] || emerge -q app-misc/ca-certificates
# [re-]emerge nss with tools
root# USE=utils emerge dev-libs/nss
# ...shouldn't need a revdep-rebuild
user$ cd ~/.mozilla/<firefox|seamonkey>/<your-profile>
# add the cacert's certificate to your local DB and verify
user$ certutil -d . -A -t "C,," -n cacert -i /etc/ssl/certs/cacert.org.pem
user$ certutil -L -d . | grep -i cacert                                                                                     
cacert                           C,, 
CAcert Class 3 Root      ,,


Restart your FF/SM. Enjoy!

It works for me; if it does for you too, please mark this thread as [SOLVED].

Cheers,

^s
Back to top
View user's profile Send private message
potuz
Guru
Guru


Joined: 30 Jan 2010
Posts: 378

PostPosted: Thu Dec 12, 2013 4:51 pm    Post subject: Re: Solution Reply with quote

sphakka wrote:
Hi there,

This is not a real NSS's bug, rather a policy issue. Reasons here https://bugzilla.mozilla.org/show_bug.cgi?id=215243.
Solution here http://blog.yjl.im/2010/07/trust-cacertorg-root-certificate-in-nss.html

Thanks a lot!
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum