Gentoo Forums
Gnome Web - HTTPS Errors - CA Certificate?
KingKear
n00b
n00b


Joined: 27 Jun 2019
Posts: 8

Posted: Thu Jun 27, 2019 2:17 pm    Post subject: Gnome Web - HTTPS Errors - CA Certificate?

Hi

I have my first Gentoo install up and running with Gnome 3 and systemd. I'm having a problem with the built-in Web browser and I'm trying to understand what is wrong. Basically any TLS/SSL site kicks a security error... The certificate is not trusted...

Can anyone tell me how to resolve this? Does Web use the OPENSSL, NSS or some alternative store?

OPENSSL seems fine on my system and the OPENSSL client can retrieve and validate remote certificates. NSS I've not been able to figure out. I don't understand how its database works and using certutil against libnssckbi.so produces an error SEC_ERROR_BAD_DATABASE.

Hoping somebody can help :)

Thanks in advance,
KingKear
KingKear
n00b
n00b


Joined: 27 Jun 2019
Posts: 8

Posted: Fri Jul 05, 2019 7:32 am

Still stuck if anyone has any suggestions :(
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 44010
Location: 56N 3W

Posted: Fri Jul 05, 2019 6:43 pm

KingKear,

We need the entire message. The certificate is not trusted...

It gives a reason in the text you did not post. With that reason, we know what to look at.

The cert is self signed ...
The cert has expired ...
The cert is not yet valid ...

Post the entire message. We can't guess.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
KingKear
n00b
n00b


Joined: 27 Jun 2019
Posts: 8

Posted: Sat Jul 06, 2019 7:07 pm

Hi NeddySeagoon,

Sorry, it wasn't clear from my original post.

I can't remember the exact wording and I won't be in front of the machine until Monday morning, but it says the certificate is not trusted because it's not signed by a trusted root CA. This is the same for all HTTPS sites.

Taking Google as an example I checked the certificate chain and I can see that everything is fine and the root CA exists in the OPENSSL store. I failed to check the NSS store because the instructions on the Gentoo wiki don't seem to work (https://wiki.gentoo.org/wiki/Certificates#NSS).

Basically I need some guidance with troubleshooting. For example which store does Web/Epiphany use? How can I see relevant logs or debug info?

Cheers,
KingKear

NeddySeagoon wrote:
KingKear,

We need the entire message. The certificate is not trusted...

It gives a reason in the text you did not post. With that reason, we know what to look at.

The cert is self signed ...
The cert has expired ...
The cert is not yet valid ...

Post the entire message. We can't guess.
KingKear
n00b
n00b


Joined: 27 Jun 2019
Posts: 8

Posted: Thu Jul 11, 2019 11:13 am

Hi NeddySeagoon,

After a few days sick I'm finally back in front of this machine. I can confirm the exact wording is "This connection is not secure. This does not look like the real https://www.google.co.uk. Attackers might be trying to steal or alter information going to or from this site. Technical information : This websites identification was not issued by a trusted organisation"

Out of curiosity I installed the pre-built version of Firefox which works without issue, though I know it uses its own special certificate store. I did learn something from this though... I was previously struggling to use certutil to look at the default certificates in libnssckbi.so and it turns out I get the same problem looking at the Firefox store. Error message produced is "function failed: SEC_ERROR_BAD_DATABASE" but this may not be relevant since Firefox works perfectly.

Crossing my fingers you can help.

Cheers,
KingKear

NeddySeagoon wrote:
KingKear,

We need the entire message. The certificate is not trusted...

It gives a reason in the text you did not post. With that reason, we know what to look at.

The cert is self signed ...
The cert has expired ...
The cert is not yet valid ...

Post the entire message. We can't guess.
KingKear
n00b
n00b


Joined: 27 Jun 2019
Posts: 8

Posted: Wed Jul 17, 2019 11:55 am

Suddenly Web is working but I'm not exactly sure what happened. Whilst working on something else I discovered that etc-update had loads of pem updates which I accepted. I guess this must be what resolved the problem but I'm none the wiser on what caused it in the first place :) :S
mccwalton
n00b
n00b


Joined: 19 Sep 2019
Posts: 1

Posted: Thu Sep 19, 2019 1:47 am

I think I'm hitting a very similar problem. After installing Gentoo on a new drive because the old one failed, I copied over my home dir from a backup to the new drive. Web, which was working great before the new hard drive, is now complaining about certificate errors all over the place & even after "accepting" the risk the pages are malformatted - maybe because of secondary link failure? Is there something I should remove from my home dir to ... clear this up? etc-update.... says it's got nothing to do.
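Added example, not part of any post in this thread and not Gentoo's own tooling: a shell check for the system-side conditions the posts above mention, namely certificate updates still waiting for etc-update (Portage leaves them as `._cfgNNNN_<name>` files) and a certificate directory or CA bundle that is broken or empty. The paths `/etc/ssl/certs` and `/etc/ssl/certs/ca-certificates.crt` and all function names are assumptions.

```shell
#!/bin/sh
# Added example: paths and function names are assumptions, not from the thread.

# List pending Portage config updates (._cfgNNNN_<name>) below a directory.
pending_updates() {
    find "$1" -name '._cfg[0-9][0-9][0-9][0-9]_*' 2>/dev/null | sort
}

# List symlinks below a directory whose target no longer exists.
dangling_links() {
    find "$1" -type l ! -exec test -e {} \; -print 2>/dev/null | sort
}

# Print the number of PEM certificates in a bundle (0 if unreadable).
bundle_cert_count() {
    if [ -r "$1" ]; then
        # grep -c prints 0 but exits 1 when nothing matches; mask that status
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Report on a certificate directory and bundle; return 1 if anything is off.
check_trust_store() {
    dir=$1
    bundle=$2
    status=0
    p=$(( $(pending_updates "$dir" | wc -l) ))
    d=$(( $(dangling_links "$dir" | wc -l) ))
    c=$(bundle_cert_count "$bundle")
    echo "pending config updates in $dir: $p"
    echo "dangling certificate links in $dir: $d"
    echo "certificates in $bundle: $c"
    [ "$p" -eq 0 ] || status=1
    [ "$d" -eq 0 ] || status=1
    [ "$c" -gt 0 ] || status=1
    return "$status"
}

# Check the live system only when asked to: sh check.sh --system
if [ "${1:-}" = "--system" ]; then
    check_trust_store /etc/ssl/certs /etc/ssl/certs/ca-certificates.crt
fi
```

A non-zero exit only narrows the search to the system trust store; a clean result points toward per-user state instead.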
All times are GMT