Bug#589023: iceweasel: SSL/X509 Certificate for 'AddTrust External CA Root' not recognized as valid
Frank Lin PIAT
fpiat at klabs.be
Wed Jul 14 16:17:30 UTC 2010
On Wed, 2010-07-14 at 13:43 +0200, Mike Hommey wrote:
> On Wed, Jul 14, 2010 at 01:27:12PM +0200, Frank Lin PIAT wrote:
> >
> > When I visit https://www.gandi.net, the certificate isn't trusted/recognized.
> > Error title: "This Connection is Untrusted"
> > Error code: sec_error_unknown_issuer
> [..] as it works properly here, I suspect something fishy with the
> certificate database in your user profile.
>
> Can you first check if that works better if you try with a new profile
The new profile is OK (I should have tested that rather than make a wrong
assumption).
I investigated... In the OK profile, the "AddTrust External CA Root"
certificate is self-signed, whereas the certificates are different on
the KO profile (and they make a loop!):
/usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "AddTrust External CA Root" | openssl x509 -noout -issuer -subject
> issuer= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
> subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "UTN - DATACorp SGC" | openssl x509 -noout -issuer -subject
> issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
I wonder where I got those certificates from, and if others could be affected.
<me thinking>
If I understand how NSS works properly, it means that NSS is "learning"
certificate chains (i.e. adding certificates to its database) as it is
receiving certificates from visited websites.
This fuzzy / unpredictable behavior scares me.
</me thinking>
Anyway, I removed the "Software Security Device" entries, and it's now
working:
UTN - DATACorp SGC
 `-> AddTrust External CA Root
      `-> COMODO EV SGC CA
           `-> www.comodo.com
Regards,
Franklin
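
Added example, not part of the original message: a shell function that walks issuer/subject pairs in the format printed by the `openssl x509 -noout -issuer -subject` commands above and reports whether a chain ends at a self-signed root, loops back on itself, or stops at a certificate missing from the input. The names `classify_chain`, `sample_ko` and `sample_ok` are hypothetical, and the sample input is constructed from the output quoted in the message.

```shell
#!/bin/sh
# Added example, not from the original message. Input on stdin: the
# concatenated output of
#   certutil -L -d PROFILE_DIR -a -n NICKNAME | openssl x509 -noout -issuer -subject
# for every certificate of interest (one issuer= line, then one subject= line).

ADDTRUST='/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root'
UTN='/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC'

# classify_chain SUBJECT_DN (hypothetical helper name)
# Follows issuer links starting at SUBJECT_DN.
# Prints one of: self-signed | loop | incomplete
classify_chain() {
    awk -v start="$1" '
        /^issuer=/  { sub(/^issuer= */, "");  issuer = $0; next }
        /^subject=/ { sub(/^subject= */, ""); issuer_of[$0] = issuer; next }
        END {
            cur = start
            while (1) {
                # Issuer certificate is not in the input: chain cannot be built.
                if (!(cur in issuer_of))   { print "incomplete";  exit }
                # Issuer equals subject: a self-signed root ends the chain.
                if (issuer_of[cur] == cur) { print "self-signed"; exit }
                # Subject already visited: the issuer links form a cycle.
                if (cur in seen)           { print "loop";        exit }
                seen[cur] = 1
                cur = issuer_of[cur]
            }
        }'
}

# Constructed sample: the two cross-signed entries shown for the broken profile.
sample_ko() {
    printf 'issuer= %s\nsubject= %s\n' "$UTN" "$ADDTRUST"
    printf 'issuer= %s\nsubject= %s\n' "$ADDTRUST" "$UTN"
}

# Constructed sample: the working profile, where the root is self-signed.
sample_ok() {
    printf 'issuer= %s\nsubject= %s\n' "$ADDTRUST" "$ADDTRUST"
}

echo "broken profile:  $(sample_ko | classify_chain "$ADDTRUST")"
echo "working profile: $(sample_ok | classify_chain "$ADDTRUST")"
```

A certificate database can hold several certificates with the same subject; this sketch keeps only the last one read per subject, so feed it the entries for one profile at a time.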