Bug#589023: iceweasel: SSL/X509 Certificate for 'AddTrust External CA Root' not recognized as valid

Frank Lin PIAT fpiat at klabs.be
Wed Jul 14 16:17:30 UTC 2010


On Wed, 2010-07-14 at 13:43 +0200, Mike Hommey wrote:
> On Wed, Jul 14, 2010 at 01:27:12PM +0200, Frank Lin PIAT wrote:
> > 
> > When I visit https://www.gandi.net, the certificate isn't trusted/recognized.
> >   Error title: "This Connection is Untrusted"
> >   Error code: sec_error_unknown_issuer

> [..] as it works properly here, I suspect something fishy with the
> certificate database in your user profile.
> 
> Can you first check if that works better if you try with a new profile

The new profile is OK (I should have tested that rather than make a wrong
assumption).

I investigated... In the OK profile, the "AddTrust External CA Root"
certificate is self-signed, whereas the certificates are different on
the KO profile (and they make a loop!):

/usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "AddTrust External CA Root"  | openssl x509 -noout -issuer -subject 
> issuer= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
> subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

/usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "UTN - DATACorp SGC"  | openssl x509 -noout -issuer -subject 
> issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC

I wonder where I got those certificates from, and if others could be affected.

<me thinking>
If I understand how NSS works properly, it means that NSS is "learning"
certificate chains (i.e. adding certificates to its database) as it is
receiving certificates from visited websites.

This fuzzy / unpredictable behavior scares me.
</me thinking>

Anyway, I removed the "Software Security Device" entries, and it's now
working:
UTN - DATACorp SGC
 `-> AddTrust External CA Root
     `-> COMODO EV SGC CA
          `-> www.comodo.com

Regards,

Franklin
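
The issuer loop reported in the message can be checked mechanically. The following is an added example, not part of the original message or of NSS: it parses `issuer=`/`subject=` pairs as printed by the `openssl x509 -noout -issuer -subject` commands above and follows issuer names until it reaches a self-signed certificate or revisits a name. The function names and the OK-profile sample are assumptions, and it assumes one certificate per subject name.

```python
# Added example: follow issuer links by name and classify the chain.
# Name matching only; no signatures are verified.
ADDTRUST = ("/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network"
            "/CN=AddTrust External CA Root")
UTN = ("/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network"
       "/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC")

# Issuer/subject lines as shown in the message for the failing profile.
KO_PROFILE = f"issuer= {UTN}\nsubject= {ADDTRUST}\nissuer= {ADDTRUST}\nsubject= {UTN}\n"
# Constructed sample: the self-signed root the message describes in the new profile.
OK_PROFILE = f"issuer= {ADDTRUST}\nsubject= {ADDTRUST}\n"


def parse_pairs(text):
    """Return {subject: issuer} from repeated issuer=/subject= line pairs.

    Assumption: each subject name appears once; a later duplicate overwrites.
    """
    pairs, issuer = {}, None
    for line in text.splitlines():
        line = line.strip().lstrip(">").strip()  # tolerate "> " prefixed output
        if line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
        elif line.startswith("subject=") and issuer is not None:
            pairs[line[len("subject="):].strip()] = issuer
            issuer = None
    return pairs


def walk(pairs, subject):
    """Follow issuer names from subject; return (status, path).

    status is 'self-signed-root', 'loop' or 'issuer-missing'.
    """
    path, seen = [subject], {subject}
    while True:
        issuer = pairs.get(path[-1])
        if issuer is None:
            return "issuer-missing", path
        if issuer == path[-1]:
            return "self-signed-root", path
        if issuer in seen:
            return "loop", path + [issuer]
        seen.add(issuer)
        path.append(issuer)


if __name__ == "__main__":
    for name, text in (("KO", KO_PROFILE), ("OK", OK_PROFILE)):
        print(name, walk(parse_pairs(text), ADDTRUST)[0])
```
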






More information about the pkg-mozilla-maintainers mailing list