Gentoo Forums › Assistance › Other Things Gentoo
Certificates shown as untrusted.

Still need help with Gentoo, and your question doesn't fit in the above forums? Here is your last bastion of hope.
16 posts • Page 1 of 1
ignislupis (n00b, Posts: 19, Joined: Tue Aug 30, 2005 3:32 am)

Certificates shown as untrusted.


Post by ignislupis » Mon Jan 25, 2010 2:23 pm

When I try to access a few secure sites, https://bugs.gentoo.org and https://bugs.freedesktop.org, Firefox claims:

Code:

bugs.gentoo.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.

(Error code: sec_error_untrusted_issuer)

These sites use certificates provided by CAcert.org.

I don't know much about certificates but I Googled, searched the forums, and checked bugzilla.

The most relevant I found was this bug (Gentoo bug 245984) which talks about broken symlinks in /etc/ssl/certs. I did have some broken links so I cleared them out and re-emerged app-misc/ca-certificates. Still didn't work so I re-emerged Firefox and xulrunner (I don't know what does what).

Firefox still doesn't work and Konqueror also reports invalid certificate.

So looking closer I found the file /etc/ssl/certs/cacert.org.pem exists. I presume that this would be the file I need. I just don't know how to have Firefox/Konqueror use it.

I could add the certificate authority to Firefox, but I would rather have it automatically use the certificates from app-misc/ca-certificates (which I found are actually done by the Debian group). I believe that is the way it is supposed to be and has been in the past.

I run ~amd64 and Firefox recently upgraded to 3.6 then a couple of days later downgraded to 3.5.7. It was only yesterday that I noticed this problem.
I can post emerge --info but didn't want to waste the space if I didn't need to.

Thanks.
Jimmy Jazz (Guru, Posts: 335, Joined: Mon Oct 04, 2004 5:29 pm, Location: Strasbourg)

Re: Certificates shown as untrusted.


Post by Jimmy Jazz » Mon Jan 25, 2010 7:54 pm

ignislupis wrote: When I try to access a few secure sites, https://bugs.gentoo.org and https://bugs.freedesktop.org, Firefox claims:

Code:

bugs.gentoo.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.

(Error code: sec_error_untrusted_issuer)
the hash "link" of cacert.org.pem is probably missing in /etc/ssl/certs

Code:

cd /etc/ssl/certs
ln -s $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt) cacert.org.pem
"The only condition for the triumph of evil is the inaction of good people" E. Burke

+----+----+----+
|    |::::|    |
|    |::::|    |
+----+----+----+
motto: WeLCRO
WritE Less Code, Repeat Often
ignislupis (n00b, Posts: 19, Joined: Tue Aug 30, 2005 3:32 am)

Re: Certificates shown as untrusted.


Post by ignislupis » Tue Jan 26, 2010 1:42 am

Jimmy Jazz wrote: the hash "link" of cacert.org.pem is probably missing in /etc/ssl/certs

Code:

cd /etc/ssl/certs
ln -s $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt) cacert.org.pem

I already had a link for /etc/ssl/certs/cacert.org.pem but I tried your suggestion.
(And found out afterward that I had a link /etc/ssl/certs/5ed36f99.0).

I backed up the link (being lazy instead of just writing the target down).

I copy and pasted the command:

Code:

ln -s $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt) cacert.org.pem

and it gave me a broken link:

Code:

lrwxrwxrwx 1 root root      8 Jan 25 18:00 cacert.org.pem -> 5ed36f99
flashing in red highlight.

While trying to figure out what you were having me do I noticed that I had a link as follows:

Code:

lrwxrwxrwx 1 root root 14 Sep 10 18:36 5ed36f99.0 -> cacert.org.pem

It was a broken link after I ran your command. It fixed itself when I restored my backup link:

Code:

lrwxrwxrwx 1 root root 52 Sep 10 18:36 cacert.org.pem -> /usr/share/ca-certificates/cacert.org/cacert.org.crt

I think the arguments need to be switched in your command. Something like this:

Code:

ln -s cacert.org.pem $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt).0

My bash programming isn't good enough to know if you can just tack on the .0 or not. The other links in the directory follow the pattern of "hash.0 -> cert.pem".

Anyway, Firefox still says that https://bugs.gentoo.org has an invalid certificate. Where the hash from your link command (5ed36f99) was the same as in the hash.0 link (5ed36f99.0) already in the directory, I didn't worry about replacing the existing file.

Any more ideas?
Thank you for your help so far.
ignislupis (n00b, Posts: 19, Joined: Tue Aug 30, 2005 3:32 am)


Post by ignislupis » Tue Jan 26, 2010 2:00 am

I just found this bug (Gentoo bug 297165). If I backup the /usr/share/apps/kssl/ca-bundle.crt and create a link in /usr/share/apps/kssl/:

Code:

lrwxrwxrwx 1 root root     34 Jan 25 18:49 ca-bundle.crt -> /etc/ssl/certs/ca-certificates.crt
Konqueror can now access https://bugs.gentoo.org. It has no effect on Firefox even after a restart. I couldn't find anything similar in /usr/lib/mozilla-firefox.

Edit: I guess Firefox stores them in ~/.mozilla/firefox/somehash.default/cert8.db in binary form (although you can see a lot of strings with your favorite pager/editor). You can download a tool to edit the file from Mozilla. But that seems overkill for trying to get Firefox to use the system certificates.
Last edited by ignislupis on Tue Jan 26, 2010 2:27 am, edited 1 time in total.
Jimmy Jazz (Guru, Posts: 335, Joined: Mon Oct 04, 2004 5:29 pm, Location: Strasbourg)

Re: Certificates shown as untrusted.


Post by Jimmy Jazz » Tue Jan 26, 2010 2:25 am

ignislupis wrote:
Jimmy Jazz wrote: the hash "link" of cacert.org.pem is probably missing in /etc/ssl/certs

Code:

cd /etc/ssl/certs
ln -s $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt) cacert.org.pem

I copy and pasted the command:

Code:

ln -s $(openssl x509 -hash -noout -in /usr/share/ca-certificates/cacert.org/cacert.org.crt) cacert.org.pem

and it gave me a broken link.
My mistake, I was never able to remember "ln" options order :)


Any more ideas?

You need a valid root signing authority certificate, go to http://www.CAcert.org/ca.crt and firefox will be happy
ignislupis (n00b, Posts: 19, Joined: Tue Aug 30, 2005 3:32 am)

Re: Certificates shown as untrusted.


Post by ignislupis » Tue Jan 26, 2010 2:34 am

Jimmy Jazz wrote:
My mistake, I was never able to remember "ln" options order :)
I had to run "ln --help" to remind myself. :wink:

Jimmy Jazz wrote:You need a valid root signing authority certificate, go to http://www.CAcert.org/ca.crt and firefox will be happy
I was hoping to be able to use system installed certificates with Firefox. Like I found earlier with Konqueror. Or perhaps this is something I need to file a bug for. I haven't had this problem with other versions of Firefox so I thought it was a bug.

Thanks again.
Jimmy Jazz (Guru, Posts: 335, Joined: Mon Oct 04, 2004 5:29 pm, Location: Strasbourg)

Re: Certificates shown as untrusted.


Post by Jimmy Jazz » Tue Jan 26, 2010 3:06 am

ignislupis wrote:
I was hoping to be able to use system installed certificates with Firefox. Like I found earlier with Konqueror. Or perhaps this is something I need to file a bug for. I haven't had this problem with other versions of Firefox so I thought it was a bug.

Thanks again.
In fact both certificates are identical. You can read them with,

Code:

openssl x509 -in /etc/ssl/certs/cacert.org.pem  -noout -text -purpose
openssl x509 -in /var/tmp/CACertSigningAuthority -noout -text -purpose

Also, Firefox as well as icecat didn't read in /etc/ssl/certs as expected. Probably the answer is hidden in about:config :)
ignislupis (n00b, Posts: 19, Joined: Tue Aug 30, 2005 3:32 am)

Re: Certificates shown as untrusted.


Post by ignislupis » Tue Jan 26, 2010 10:26 am

Jimmy Jazz wrote: Also, Firefox as well icecat didn't read in /etc/ssl/certs as expected. Probably the answer is hidden in about:config :)
Actually, it seems to be a bit more complicated than that. I found a redhat bug that talks about what it takes to get it to work. It does not seem to be implemented at all on Gentoo. Even though firefox depends on dev-libs/nss, to get the tools to manage the certificates you have to enable the utils use flag. Also I do not have a /etc/pki/nss directory on my system, which is where nss stores the system shared database.

I haven't used redhat for a long time, but I find it interesting that they seem to provide system wide certificates for their distribution. Is this something that would be worth putting in as a feature request for Gentoo? Possibly adding a use flag to Firefox and/or xulrunner (they both depend on dev-libs/nss but I'm not sure which one should actually implement the logic).

Most of the information I have come across, trying to figure this out, dealt with adding private certificates to the system store and trying to get Firefox to see them. Seems like a good idea to me. However, my personal interest is to have the same access to sites no matter the application I'm using. Which could be web-browsers, email clients, instant messengers, private or corporate intranets (not really an application, I know), etc..

I understand that Gentoo is designed for a generally more advanced audience, but I have become comfortable with using it for my more normal user experience as well. And with a use flag option it would keep with the 'configure everything' that Gentoo is known for. I have no idea how difficult the maintenance would be for this. Where we already use app-misc/ca-certificates, could we just add a script to the ebuild for Firefox and grab all those certificates and put them in the shared nss database? But then when app-misc/ca-certificates is updated we would want to update the nss shared database too.

I haven't dived into the goodness of portage/ebuild black magic yet (I haven't learned python). So I don't know how hard it would be to do this. So now I'm asking: is it worth it?
njsg (Tux's lil' helper, Posts: 89, Joined: Sat Dec 17, 2005 3:43 pm)

Re: Certificates shown as untrusted.


Post by njsg » Sat Jun 26, 2010 4:03 pm

ignislupis wrote:I was hoping to be able to use system installed certificates with Firefox. Like I found earlier with Konqueror. Or perhaps this is something I need to file a bug for. I haven't had this problem with other versions of Firefox so I thought it was a bug.

Thanks again.
Maybe it's worth a bugzilla request, as there's the bug pointed to above, about the same problem, but in Konqueror.
ignislupis wrote:I haven't used redhat for a long time, but I find it interesting that they seem to provide system wide certificates for their distribution. Is this something that would be worth putting in as a feature request for Gentoo? Possibly adding a use flag to Firefox and/or xulrunner (they both depend on dev-libs/nss but I'm not sure which one should actually implement the logic).
Gentoo already provides system-wide certificates (app-misc/ca-certificates), the problem is that Firefox uses its own store.

If a root certificate is accepted into ca-certificates, and thus trusted, I don't think it makes sense, from a security point-of-view, to have Firefox not trusting that certificate.
njsg (Tux's lil' helper, Posts: 89, Joined: Sat Dec 17, 2005 3:43 pm)

Re: Certificates shown as untrusted.


Post by njsg » Sat Jun 26, 2010 4:49 pm

njsg wrote:Maybe it's worth a bugzilla request,(...)
As I found no bug about firefox and ca-certificates, I just filed bug #325723 about this.
cwr (Veteran, Posts: 1969, Joined: Sat Dec 17, 2005 11:17 am)

Bugzilla security certificate


Post by cwr » Mon Jul 04, 2011 8:37 am

I often access Gentoo/Bugzilla from a system whose security checks I can't override. Bugzilla doesn't have a valid security certificate, so I can't access it - does anyone know a way around this?

(On my own machines I can simply accept the certificate regardless, but using them isn't always convenient).

Thanks - Will

Edit - should have added the error message "certificate signed by untrusted user"

And yes, I'll try the http:// prefix at the next opportunity - many thanks.
Last edited by cwr on Mon Jul 04, 2011 9:58 am, edited 1 time in total.
xaviermiller (Bodhisattva, Posts: 8738, Joined: Fri Jul 23, 2004 6:49 pm, Location: ~Brussels - Belgique)


Post by xaviermiller » Mon Jul 04, 2011 8:41 am

Hello,

Did you try http:// in place of https:// ?
Kind regards,
Xavier Miller
tomk (Bodhisattva, Posts: 7221, Joined: Tue Sep 23, 2003 1:41 pm, Location: Sat in front of my computer)


Post by tomk » Mon Jul 04, 2011 8:46 am

Merged previous two posts.
e3k (Guru, Posts: 518, Joined: Mon Oct 01, 2007 9:54 pm, Location: Here and Now!)

status


Post by e3k » Sun Sep 25, 2011 6:09 pm

konqueror: accepts
firefox: does not trust
sphakka (Tux's lil' helper, Posts: 79, Joined: Tue Jun 24, 2003 8:47 am)

Solution


Post by sphakka » Wed Oct 12, 2011 5:29 pm

Hi there,

This is not a real NSS's bug, rather a policy issue. Reasons here https://bugzilla.mozilla.org/show_bug.cgi?id=215243.
Solution here http://blog.yjl.im/2010/07/trust-cacert ... n-nss.html

Bash recipe for mozilla-based browsers:

Code:

# make sure cacert's cert is there, [re-]install certificates if not
root# [ -r /etc/ssl/certs/cacert.org.pem ] || emerge -q app-misc/ca-certificates
# [re-]emerge nss with tools
root# USE=utils emerge dev-libs/nss
# ...shouldn't need a revdep-rebuild
user$ cd ~/.mozilla/<firefox|seamonkey>/<your-profile>
# add the cacert's certificate to your local DB and verify
user$ certutil -d . -A -t "C,," -n cacert -i /etc/ssl/certs/cacert.org.pem
user$ certutil -L -d . | grep -i cacert
cacert                           C,,
CAcert Class 3 Root      ,,
Restart your FF/SM. Enjoy!

It works for me; if it does for you too, please mark this thread as [SOLVED].

Cheers,

^s
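The recipe above imports one CA by hand and then eyeballs `certutil -L`. The helpers below are an added example for this thread, not code from the post, from the linked blog or from Mozilla: they parse a `certutil -L` listing so a script can tell "trusted for SSL" (the `C,,` on `cacert`) from "merely known" (the `,,` on `CAcert Class 3 Root`, an intermediate NSS keeps only for chain building, which is the right state for it), and they import every single-certificate PEM from the system store idempotently so the step can be re-run after an app-misc/ca-certificates update. Assumptions: dev-libs/nss built with USE=utils so that `certutil` exists, and a profile directory that is either a legacy `cert8.db` store (pass the bare directory) or a `cert9.db` store (pass `sql:<dir>`; Firefox 58 and later create that format). The `sys-` nickname prefix is a convention chosen here, not anything NSS requires. The listing in the test is constructed, modelled on the output shown in the post.

```shell
#!/bin/sh
# Helpers around NSS certutil for a Mozilla profile database.
# Added example for this thread; not code from the posts, the linked
# blog or Mozilla. Assumes dev-libs/nss built with USE=utils (that is
# what ships certutil) and a profile directory.
#
# Trust flags as printed by `certutil -L` are three comma-separated
# columns: SSL, S/MIME, object signing. "C" marks a trusted CA for that
# purpose, "T" a CA trusted to issue client certificates, "u" a cert
# with a private key; an empty column means the cert is merely known,
# not trusted. So "C,," is a root trusted for HTTPS, while ",," is an
# intermediate NSS keeps only to build chains.

# Print the trust string for NICKNAME from a `certutil -L` LISTING,
# or nothing if the nickname is absent. Nicknames may contain spaces,
# so the trust string is taken as the last field and the rest is the
# name; the two header lines never match the trust-string pattern.
nss_trust_flags() {
    listing=$1
    nick=$2
    printf '%s\n' "$listing" | awk -v nick="$nick" '
        $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)
            if (name == nick) { print $NF; exit }
        }'
}

# Exit 0 iff NICKNAME in LISTING is trusted as a CA for SSL, i.e. the
# first column carries "C". Lowercase "c" (valid peer) does not count.
nss_trusts_ssl_ca() {
    flags=$(nss_trust_flags "$1" "$2")
    case "${flags%%,*}" in
        *C*) return 0 ;;
    esac
    return 1
}

# Import every single-cert PEM from STORE (default /etc/ssl/certs) into
# the NSS database DBDIR as an SSL-trusted CA, skipping nicknames that
# are already present so the function can be re-run after
# ca-certificates updates. DBDIR is "sql:/path/to/profile" for a
# cert9.db profile or the bare directory for cert8.db. The "sys-"
# prefix is a local convention (a ":" would be read as a token name).
nss_import_system_cas() {
    dbdir=$1
    store=${2:-/etc/ssl/certs}
    listing=$(certutil -L -d "$dbdir") || return 1
    for pem in "$store"/*.pem; do
        [ -f "$pem" ] || continue
        nick="sys-$(basename "$pem" .pem)"
        [ -z "$(nss_trust_flags "$listing" "$nick")" ] || continue
        certutil -A -d "$dbdir" -n "$nick" -t "C,," -i "$pem" || return 1
    done
}
```

`nss_import_system_cas "sql:$HOME/.mozilla/firefox/<profile>"` mirrors the whole system store into one profile; trust for SSL only (`C,,`) keeps the imported roots from being trusted for S/MIME or code signing as a side effect. Note that the last function actually calls `certutil` and only makes sense on a machine with nss[utils] installed.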
potuz (Guru, Posts: 378, Joined: Sat Jan 30, 2010 2:00 am)

Re: Solution


Post by potuz » Thu Dec 12, 2013 4:51 pm

sphakka wrote:Hi there,

This is not a real NSS's bug, rather a policy issue. Reasons here https://bugzilla.mozilla.org/show_bug.cgi?id=215243.
Solution here http://blog.yjl.im/2010/07/trust-cacert ... n-nss.html
Thanks a lot!