ignislupis n00b
Joined: 30 Aug 2005 Posts: 19
Posted: Mon Jan 25, 2010 2:23 pm Post subject: Certificates shown as untrusted.
When I try to access a few secure sites, https://bugs.gentoo.org and https://bugs.freedesktop.org, Firefox claims:
Code: | bugs.gentoo.org uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is not trusted.
(Error code: sec_error_untrusted_issuer)
|
These sites use certificates provided by CAcert.org.
I don't know much about certificates, but I Googled, searched the forums, and checked bugzilla.
The most relevant thing I found was this bug, which talks about broken symlinks in /etc/ssl/certs. I did have some broken links, so I cleared them out and re-emerged app-misc/ca-certificates. That still didn't work, so I re-emerged Firefox and xulrunner (I don't know what does what).
Firefox still doesn't work, and Konqueror also reports an invalid certificate.
Looking closer, I found that the file /etc/ssl/certs/cacert.org.pem exists. I presume that this is the file I need; I just don't know how to have Firefox/Konqueror use it.
I could add the certificate authority to Firefox, but I would rather have it automatically use the certificates from app-misc/ca-certificates (which I found are actually done by the Debian group). I believe that is the way it is supposed to be and has been in the past.
I run ~amd64, and Firefox recently upgraded to 3.6 and then, a couple of days later, downgraded to 3.5.7. It was only yesterday that I noticed this problem.
I can post emerge --info but didn't want to waste the space if I didn't need to.
Thanks.
Jimmy Jazz Guru
Joined: 04 Oct 2004 Posts: 325 Location: Strasbourg
Posted: Mon Jan 25, 2010 7:54 pm Post subject: Re: Certificates shown as untrusted.
ignislupis wrote: | When I try to access a few secure sites, https://bugs.gentoo.org and https://bugs.freedesktop.org, Firefox claims:
Code: | bugs.gentoo.org uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is not trusted.
(Error code: sec_error_untrusted_issuer)
|
|
the hash "link" of cacert.org.pem is probably missing in /etc/ssl/certs
Code: |
cd /etc/ssl/certs
ln -s $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt) cacert.org.pem
|
_________________
« The only condition for the triumph of evil is the inaction of good people » E. Burke
Code: |
+----+----+----+
| |::::| |
| |::::| |
+----+----+----+ |
motto: WeLCRO
WritE Less Code, Repeat Often
ignislupis n00b
Joined: 30 Aug 2005 Posts: 19
Posted: Tue Jan 26, 2010 1:42 am Post subject: Re: Certificates shown as untrusted.
Jimmy Jazz wrote: |
the hash "link" of cacert.org.pem is probably missing in /etc/ssl/certs
Code: |
cd /etc/ssl/certs
ln -s $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt) cacert.org.pem
|
|
I already had a link for /etc/ssl/certs/cacert.org.pem, but I tried your suggestion.
(And found out afterward that I had a link /etc/ssl/certs/5ed36f99.0.)
I backed up the link (being lazy instead of just writing the target down).
I copied and pasted the command:
Code: | ln -s $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt) cacert.org.pem |
and it gave me a broken link, flashing in red highlight:
Code: | lrwxrwxrwx 1 root root 8 Jan 25 18:00 cacert.org.pem -> 5ed36f99 |
While trying to figure out what you were having me do, I noticed that I had a link as follows:
Code: | lrwxrwxrwx 1 root root 14 Sep 10 18:36 5ed36f99.0 -> cacert.org.pem |
It was a broken link after I ran your command. It fixed itself when I restored my backup link:
Code: | lrwxrwxrwx 1 root root 52 Sep 10 18:36 cacert.org.pem -> /usr/share/ca-certificates/cacert.org/cacert.org.crt |
I think the arguments need to be switched in your command. Something like this:
Code: | ln -s cacert.org.pem $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt).0 |
My bash programming isn't good enough to know if you can just tack on the .0 or not. The other links in the directory follow the pattern "hash.0 -> cert.pem".
Anyway, Firefox still says that https://bugs.gentoo.org has an invalid certificate. Since the hash from your link command (5ed36f99) was the same as in the hash.0 link (5ed36f99.0) already in the directory, I didn't worry about replacing the existing file.
Any more ideas?
Thank you for your help so far.
ignislupis n00b
Joined: 30 Aug 2005 Posts: 19
Posted: Tue Jan 26, 2010 2:00 am
I just found this bug. If I back up /usr/share/apps/kssl/ca-bundle.crt and create a link in /usr/share/apps/kssl/:
Code: | lrwxrwxrwx 1 root root 34 Jan 25 18:49 ca-bundle.crt -> /etc/ssl/certs/ca-certificates.crt |
Konqueror can now access https://bugs.gentoo.org. It has no effect on Firefox, even after a restart. I couldn't find anything similar in /usr/lib/mozilla-firefox.
Edit: I guess Firefox stores them in ~/.mozilla/firefox/somehash.default/cert8.db in binary form (although you can see a lot of strings with your favorite pager/editor). You can download a tool to edit the file from Mozilla, but that seems overkill for trying to get Firefox to use the system certificates.
Last edited by ignislupis on Tue Jan 26, 2010 2:27 am; edited 1 time in total
Jimmy Jazz Guru
Joined: 04 Oct 2004 Posts: 325 Location: Strasbourg
Posted: Tue Jan 26, 2010 2:25 am Post subject: Re: Certificates shown as untrusted.
ignislupis wrote: | Jimmy Jazz wrote: |
the hash "link" of cacert.org.pem is probably missing in /etc/ssl/certs
Code: |
cd /etc/ssl/certs
ln -s $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt) cacert.org.pem
|
|
I copied and pasted the command:
Code: | ln -s $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt) cacert.org.pem |
and it gave me a broken link.
|
My mistake, I have never been able to remember the order of "ln"'s arguments.
ignislupis wrote: | Any more ideas? |
You need a valid root signing authority certificate; go to http://www.CAcert.org/ca.crt and Firefox will be happy.
ignislupis n00b
Joined: 30 Aug 2005 Posts: 19
Posted: Tue Jan 26, 2010 2:34 am Post subject: Re: Certificates shown as untrusted.
Jimmy Jazz wrote: |
My mistake, I have never been able to remember the order of "ln"'s arguments.
|
I had to run "ln --help" to remind myself.
I was hoping to be able to use the system-installed certificates with Firefox, like I found earlier with Konqueror. Or perhaps this is something I need to file a bug for. I haven't had this problem with other versions of Firefox, so I thought it was a bug.
Thanks again.
Jimmy Jazz Guru
Joined: 04 Oct 2004 Posts: 325 Location: Strasbourg
Posted: Tue Jan 26, 2010 3:06 am Post subject: Re: Certificates shown as untrusted.
ignislupis wrote: |
I was hoping to be able to use the system-installed certificates with Firefox, like I found earlier with Konqueror. Or perhaps this is something I need to file a bug for. I haven't had this problem with other versions of Firefox, so I thought it was a bug.
Thanks again. |
In fact both certificates are identical. You can read them with:
Code: |
openssl x509 -in /etc/ssl/certs/cacert.org.pem -noout -text -purpose
openssl x509 -in /var/tmp/CACertSigningAuthority -noout -text -purpose
|
Also, Firefox as well as IceCat didn't read /etc/ssl/certs as expected. Probably the answer is hidden in about:config.
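The hash-link commands in the exchange above (the `ln -s` one-liner, the corrected argument order, the dangling `5ed36f99` link) and the certificate comparison in the post just above, as an added example that is not from the thread: a POSIX shell script that creates the `<subject-hash>.N` symlink OpenSSL's `-CApath` lookup actually reads, lists dangling links in a certificate directory (the broken symlinks the opener ran into), and compares two PEM files by SHA-256 fingerprint instead of by reading `-text` output. It assumes `openssl` and GNU `readlink -f`; the certificate file and the directory are arguments, and the certificates it is exercised with are self-signed throwaways, not the real /etc/ssl/certs. Two caveats it encodes: `ln -s` takes the target first and the link name second, and it is the link *name* that carries the hash; and OpenSSL 1.0.0 changed the subject-hash algorithm (the old value is still available as `-subject_hash_old`), so links named by one OpenSSL version are not found by another, which is why a rehash should be done with the `openssl` the verifying software links against (`c_rehash`, or `openssl rehash` on 1.1.0 and later, does the same for a whole directory).

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl and GNU readlink -f.
# Usage: rehash_cert CERT.pem CERTDIR   -> prints the hash link it created or reused
#        broken_links CERTDIR           -> prints dangling symlinks, one per line
#        same_cert A.pem B.pem          -> exit 0 iff both files hold the same certificate

# SHA-256 fingerprint of the certificate in a PEM file: the value to compare
# when asking whether two files are "identical", rather than eyeballing -text.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

same_cert() {
    a=$(cert_fingerprint "$1") && b=$(cert_fingerprint "$2") &&
        [ -n "$a" ] && [ "$a" = "$b" ]
}

# Create the <subject-hash>.N symlink that -CApath lookups expect.
# ln -s TARGET NAME: the target is the certificate, the name is the hash.
# Different certificates may hash alike, so N is the first free suffix; an
# existing link that already points at this very certificate is reused.
rehash_cert() {
    cert=$1; dir=$2
    target=$(readlink -f "$cert") || return 1
    hash=$(openssl x509 -noout -subject_hash -in "$cert") || return 1
    n=0
    while [ -L "$dir/$hash.$n" ] || [ -e "$dir/$hash.$n" ]; do
        if [ -e "$dir/$hash.$n" ] && same_cert "$dir/$hash.$n" "$cert"; then
            printf '%s\n' "$dir/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$target" "$dir/$hash.$n" || return 1
    printf '%s\n' "$dir/$hash.$n"
}

# Dangling symlinks: the link exists (-L) but its target does not (! -e).
# ln -s with the two arguments swapped produces exactly this kind of entry.
broken_links() {
    for f in "$1"/*; do
        [ -L "$f" ] && [ ! -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}
```

`openssl verify -CApath DIR cert.pem` is the end-to-end check: it succeeds only if a hash link in DIR resolves to a certificate that issued (or is) the one given, so it catches both a dangling link and a link named with the wrong hash algorithm.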
ignislupis n00b
Joined: 30 Aug 2005 Posts: 19
Posted: Tue Jan 26, 2010 10:26 am Post subject: Re: Certificates shown as untrusted.
Jimmy Jazz wrote: |
Also, Firefox as well as IceCat didn't read /etc/ssl/certs as expected. Probably the answer is hidden in about:config. |
Actually, it seems to be a bit more complicated than that. I found a Red Hat bug that talks about what it takes to get it to work. It does not seem to be implemented at all on Gentoo. Even though Firefox depends on dev-libs/nss, to get the tools to manage the certificates you have to enable the utils USE flag. Also, I do not have a /etc/pki/nss directory on my system, which is where NSS stores the system shared database.
I haven't used Red Hat for a long time, but I find it interesting that they seem to provide system-wide certificates for their distribution. Is this something that would be worth putting in as a feature request for Gentoo? Possibly adding a USE flag to Firefox and/or xulrunner (they both depend on dev-libs/nss, but I'm not sure which one should actually implement the logic).
Most of the information I have come across while trying to figure this out dealt with adding private certificates to the system store and trying to get Firefox to see them. Seems like a good idea to me. However, my personal interest is to have the same access to sites no matter the application I'm using, which could be web browsers, email clients, instant messengers, private or corporate intranets (not really an application, I know), etc.
I understand that Gentoo is designed for a generally more advanced audience, but I have become comfortable with using it for my more normal user experience as well. And with a USE flag option it would keep with the "configure everything" that Gentoo is known for. I have no idea how difficult the maintenance would be for this. Since we already use app-misc/ca-certificates, could we just add a script to the ebuild for Firefox to grab all those certificates and put them in the shared NSS database? But then when app-misc/ca-certificates is updated we would want to update the NSS shared database too.
I haven't dived into the goodness of portage/ebuild black magic yet (I haven't learned Python). So I don't know how hard it would be to do this. So now I'm asking: is it worth it?
njsg Tux's lil' helper
Joined: 17 Dec 2005 Posts: 88
Posted: Sat Jun 26, 2010 4:03 pm Post subject: Re: Certificates shown as untrusted.
ignislupis wrote: | I was hoping to be able to use the system-installed certificates with Firefox, like I found earlier with Konqueror. Or perhaps this is something I need to file a bug for. I haven't had this problem with other versions of Firefox, so I thought it was a bug.
Thanks again. |
Maybe it's worth a bugzilla request, as the bug pointed to above is about the same problem, but in Konqueror.
ignislupis wrote: | I haven't used Red Hat for a long time, but I find it interesting that they seem to provide system-wide certificates for their distribution. Is this something that would be worth putting in as a feature request for Gentoo? Possibly adding a USE flag to Firefox and/or xulrunner (they both depend on dev-libs/nss, but I'm not sure which one should actually implement the logic). |
Gentoo already provides system-wide certificates (app-misc/ca-certificates); the problem is that Firefox uses its own store.
If a root certificate is accepted into ca-certificates, and thus trusted, I don't think it makes sense, from a security point of view, to have Firefox not trusting that certificate.
njsg Tux's lil' helper
Joined: 17 Dec 2005 Posts: 88
Posted: Sat Jun 26, 2010 4:49 pm Post subject: Re: Certificates shown as untrusted.
njsg wrote: | Maybe it's worth a bugzilla request, (...) |
As I found no bug about Firefox and ca-certificates, I just filed bug #325723 about this.
cwr Veteran
Joined: 17 Dec 2005 Posts: 1969
Posted: Mon Jul 04, 2011 8:37 am Post subject: Bugzilla security certificate
I often access Gentoo/Bugzilla from a system whose security checks I can't override.
Bugzilla doesn't have a valid security certificate, so I can't access it. Does anyone know a way around this?
(On my own machines I can simply accept the certificate regardless, but using them isn't always convenient.)
Thanks - Will
Edit - should have added the error message: "certificate signed by untrusted user".
And yes, I'll try the http:// prefix at the next opportunity - many thanks.
Last edited by cwr on Mon Jul 04, 2011 9:58 am; edited 1 time in total
xaviermiller Bodhisattva
Joined: 23 Jul 2004 Posts: 8708 Location: ~Brussels - Belgique
Posted: Mon Jul 04, 2011 8:41 am
Hello,
Did you try http:// in place of https://?
_________________
Kind regards,
Xavier Miller
e3k Guru
Joined: 01 Oct 2007 Posts: 513 Location: Inner Space
Posted: Sun Sep 25, 2011 6:09 pm Post subject: status
konqueror: accepts
firefox: does not trust
sphakka Tux's lil' helper
Joined: 24 Jun 2003 Posts: 79
Posted: Wed Oct 12, 2011 5:29 pm Post subject: Solution
Hi there,
This is not really an NSS bug, rather a policy issue. Reasons here: https://bugzilla.mozilla.org/show_bug.cgi?id=215243.
Solution here: http://blog.yjl.im/2010/07/trust-cacertorg-root-certificate-in-nss.html
Bash recipe for Mozilla-based browsers:
Code: |
# make sure cacert's cert is there, [re-]install certificates if not
root# [ -r /etc/ssl/certs/cacert.org.pem ] || emerge -q app-misc/ca-certificates
# [re-]emerge nss with tools
root# USE=utils emerge dev-libs/nss
# ...shouldn't need a revdep-rebuild
user$ cd ~/.mozilla/<firefox|seamonkey>/<your-profile>
# add the cacert's certificate to your local DB and verify
user$ certutil -d . -A -t "C,," -n cacert -i /etc/ssl/certs/cacert.org.pem
user$ certutil -L -d . | grep -i cacert
cacert C,,
CAcert Class 3 Root ,,
|
Restart your FF/SM. Enjoy!
It works for me; if it does for you too, please mark this thread as [SOLVED].
Cheers,
^s
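sphakka's recipe above imports one certificate by hand. What follows is an added example, not part of the thread: a POSIX shell script that splits the bundle app-misc/ca-certificates installs (/etc/ssl/certs/ca-certificates.crt on Gentoo) into single certificates, derives a certutil nickname from each subject, and imports every one into an NSS profile database with the same "C,," trust the post uses, so Firefox ends up trusting exactly the roots the system store trusts and nothing more. It assumes `certutil` (dev-libs/nss with USE=utils), `openssl` and `awk`; the bundle path and the profile directory are arguments, and the bundle it is exercised with is constructed from two throwaway self-signed certificates. Two caveats it encodes: "C,," trusts a CA for SSL servers only, not for e-mail or object signing, which is the least trust that makes the browser error go away; and importing from the package's bundle re-uses trust the distribution already vetted, whereas a root fetched over plain http (as suggested earlier in the thread) is whatever the network path handed you, so at minimum compare its fingerprint with an out-of-band copy before importing it. Profiles newer than the ones discussed here hold cert9.db rather than cert8.db; point certutil at them with `-d sql:DIR`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl, awk and certutil.
# Usage: import_system_cas /etc/ssl/certs/ca-certificates.crt sql:$HOME/.mozilla/firefox/<profile>

# Write each certificate of a PEM bundle to its own file in $2 and print how many.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%04d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$1"
}

# Nickname for certutil: the subject commonName, or organizationName when the
# subject has no CN (several roots in real bundles are like that).
cert_nickname() {
    openssl x509 -noout -subject -nameopt sep_multiline,lname,utf8 -in "$1" |
        awk -F= '/^ *commonName=/ { cn = $2 } /^ *organizationName=/ { o = $2 }
                 END { print (cn != "") ? cn : o }'
}

# Import every certificate of the bundle into the NSS DB as a trusted SSL CA.
# "C,," = trusted CA for SSL servers only; e-mail (,C,) and object signing (,,C)
# stay untrusted. Nicknames must be unique per DB, so a fragment of the SHA-256
# fingerprint is appended; two roots sharing a CN then do not collide.
import_system_cas() {
    bundle=$1; nssdb=$2
    tmp=$(mktemp -d) || return 1
    split_pem_bundle "$bundle" "$tmp" >/dev/null
    rc=0
    for c in "$tmp"/cert-*.pem; do
        nick=$(cert_nickname "$c")
        fp8=$(openssl x509 -noout -fingerprint -sha256 -in "$c" | sed 's/^.*=//; s/://g' | cut -c1-8)
        certutil -d "$nssdb" -A -t "C,," -n "$nick ($fp8)" -i "$c" || rc=1
    done
    rm -rf "$tmp"
    return "$rc"
}
```

Check the result the same way the post does, with `certutil -L -d sql:DIR`: every imported root should show "C,," in the trust column. Re-running the script after an app-misc/ca-certificates update is the per-profile equivalent of the shared NSS database ignislupis mentioned from Red Hat.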
potuz Guru
Joined: 30 Jan 2010 Posts: 378
Posted: Thu Dec 12, 2013 4:51 pm Post subject: Re: Solution
Thanks a lot!