Bug#589023: iceweasel: SSL/X509 Certificate for 'AddTrust External CA Root' not recognized as valid

Mike Hommey mh at glandium.org
Wed Jul 14 16:49:15 UTC 2010


On Wed, Jul 14, 2010 at 06:17:30PM +0200, Frank Lin PIAT wrote:
> On Wed, 2010-07-14 at 13:43 +0200, Mike Hommey wrote:
> > On Wed, Jul 14, 2010 at 01:27:12PM +0200, Frank Lin PIAT wrote:
> > > 
> > > When I visit https://www.gandi.net, the certificate isn't trusted/recognized.
> > >   Error title: "This Connection is Untrusted"
> > >   Error code: sec_error_unknown_issuer
> 
> > [..] as it works properly here, I suspect something fishy with the
> > certificate database in your user profile.
> > 
> > Can you first check if that works better if you try with a new profile
> 
> The new profile is OK (I should have tested that rather than making a wrong
> assumption).
> 
> I investigated... In the OK profile, the "AddTrust External CA Root"
> certificate is self-signed, whereas the certificates are different on
> the KO profile (and they make a loop!):
> 
> /usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "AddTrust External CA Root"  | openssl x509 -noout -issuer -subject 
> > issuer= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
> > subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> 
> /usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "UTN - DATACorp SGC"  | openssl x509 -noout -issuer -subject 
> > issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> > subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
> 
> I wonder where I got those certificates from, and if others could be affected.
> 
> <me thinking>
> If I understand how NSS works properly, it means that NSS is "learning"
> certificate chains (i.e. adding certificates to its database) as it is
> receiving certificates from visited websites.
> 
> This fuzzy / unpredictable behavior scares me.
> </me thinking>

AFAIK, it doesn't.

The "AddTrust External CA Root" certificate is provided by the "builtin
object token", so it shouldn't have been broken in the first place. Are
you sure you never imported a broken certificate?

> Anyway, I removed the "Software Security Device" entries, and it's now
> working:
> UTN - DATACorp SGC
>  `-> AddTrust External CA Root
>      `-> COMODO EV SGC CA
>           `-> www.comodo.com

Do you have a backup of your firefox profile directory? If you don't
have any private key stored in it, would you mind providing the *.db
files from there?

Cheers,

Mike
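A small check that reproduces the diagnosis above, added here as an example (it is not code from the bug report, from NSS or from certutil): it parses the `issuer=`/`subject=` pairs that `certutil -L ... | openssl x509 -noout -issuer -subject` prints for each certificate, follows issuer links from a chosen subject, and reports whether the walk ends at a self-signed root, runs into a loop like the KO profile, or reaches an issuer that is not in the set. The sample text is constructed from the two DNs quoted in the thread; the "good profile" sample assumes a self-signed AddTrust root.

```python
import re

ADDTRUST_DN = "/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root"
UTN_DN = "/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC"

# Constructed sample: the two certutil | openssl outputs quoted in the report
# (the KO profile), one issuer/subject line pair per certificate.
BROKEN_PROFILE = f"issuer= {UTN_DN}\nsubject= {ADDTRUST_DN}\nissuer= {ADDTRUST_DN}\nsubject= {UTN_DN}\n"

# Constructed sample: a healthy profile, where the AddTrust root is self-signed.
GOOD_PROFILE = f"issuer= {ADDTRUST_DN}\nsubject= {ADDTRUST_DN}\n"

LINE_RE = re.compile(r"^(issuer|subject)=\s*(.*)$")


def parse_pairs(text):
    """Map subject DN -> issuer DN from `openssl x509 -noout -issuer -subject` output.

    Lines arrive in (issuer, subject) order; each pair describes one certificate.
    """
    chain = {}
    pending_issuer = None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, dn = m.groups()
        if kind == "issuer":
            pending_issuer = dn
        elif pending_issuer is not None:
            chain[dn] = pending_issuer
            pending_issuer = None
    return chain


def classify_root(chain, subject):
    """Follow issuer links from `subject` and say how the chain terminates.

    'self-signed'     -> a certificate that issued itself was reached (sane root)
    'loop'            -> a subject was revisited first (the KO profile's A->U->A)
    'unknown-issuer'  -> an issuer is absent from the set (sec_error_unknown_issuer)
    """
    seen = set()
    cur = subject
    while cur in chain:
        if chain[cur] == cur:
            return "self-signed"
        if cur in seen:
            return "loop"
        seen.add(cur)
        cur = chain[cur]
    return "unknown-issuer"
```

Run it against the real output of the two certutil commands quoted above to see which case a given profile falls into.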
