Bug#656578: Check your certificates (was: Can't install extensions from gnome site (exception in /usr/share/gnome-shell/js/ui/extensionSystem.js))

Damyan Ivanov dmn at debian.org
Sun Feb 5 07:45:46 UTC 2012


On Sat, Feb 04, 2012 at 08:03:44PM -0500, Rafael D'Halleweyn wrote:
> I had the same problem as described above. I noticed that the
> extensions.gnome.org uses a certificate from StartCom. Upon
> inspection, I found that this CA was disabled in
> /etc/ca-certificates.config. After editing the file, and running
> update-ca-certificates, I was able to install gnome-shell extensions
> through the browser.

On both my workstation (bug present) and the laptop (everything works) this
file contains:

mozilla/StartCom_Certification_Authority.crt
!mozilla/StartCom_Ltd..crt

(i.e. one certificate is enabled and the other is disabled)

A test connection with openssl from the problem system seems to be OK:

$ openssl s_client -connect extensions.gnome.org:443 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = 524807-rrlSge06II5amy2w, CN = extensions.gnome.org, emailAddress = hostmaster at gnome.org
verify return:1
---
Certificate chain
 0 s:/description=524807-rrlSge06II5amy2w/CN=extensions.gnome.org/emailAddress=hostmaster at gnome.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHITCCBgmgAwIBAgIDBFp6MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
…
ZVpqWzc=
-----END CERTIFICATE-----
subject=/description=524807-rrlSge06II5amy2w/CN=extensions.gnome.org/emailAddress=hostmaster at gnome.org
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4581 bytes and written 369 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 2753A54DB1CE3B5EFCE8AF561BAE2BEA68668C65C82654D1A3960EF3A9F15B11
    Session-ID-ctx: 
    Master-Key: FEE6B6D1A49C8883D601B0B5366876474D697252542F3873079AC04267FA3BC0A4026B3CAC8A6F1C0922F5F845E0BC72
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Compression: 1 (zlib compression)
    Start Time: 1328427268
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
^D
DONE

If I omit the -CApath option, I get "Verify return code: 20 (unable to get
local issuer certificate)" on both systems.


I'll try running update-ca-certificates and retry when I get to my workstation, just in case it changes anything.
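
The following is an added example, not part of the original message: a shell function that compares the enabled/disabled entries in the configuration file with what is actually present in the directory handed to -CApath, which shows whether update-ca-certificates still needs to run. It assumes links are named <basename>.pem, as update-ca-certificates creates them; the function name ca_state and the sample files are constructed for illustration.

```shell
#!/bin/sh
# ca_state CONF CERTSDIR [PATTERN] prints "<state> <entry>" per matching entry:
#   disabled  entry is prefixed with "!" in CONF
#   linked    entry is enabled and CERTSDIR/<name>.pem exists
#   missing   entry is enabled but CERTSDIR has no usable <name>.pem
ca_state() {
    conf=$1; certsdir=$2; pattern=${3:-}
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac          # blank lines, comments
        case $line in *"$pattern"*) ;; *) continue ;; esac
        case $line in
            '!'*)
                printf 'disabled %s\n' "${line#?}" ;;
            *)
                # Assumption: same name mangling as update-ca-certificates
                name=$(basename "$line" .crt |
                       sed -e 's/ /_/g' -e 's/[()]/=/g' -e 's/,/_/g')
                # -e follows symlinks, so a dangling link counts as missing
                if [ -e "$certsdir/$name.pem" ]; then
                    printf 'linked %s\n' "$line"
                else
                    printf 'missing %s\n' "$line"
                fi ;;
        esac
    done < "$conf"
}

# Constructed sample: the two StartCom lines from the message, with an empty
# certificate directory standing in for a system that was never refreshed.
demo=$(mktemp -d)
mkdir "$demo/certs"
printf '%s\n' '# constructed sample' \
    'mozilla/StartCom_Certification_Authority.crt' \
    '!mozilla/StartCom_Ltd..crt' > "$demo/ca-certificates.conf"
ca_state "$demo/ca-certificates.conf" "$demo/certs" StartCom
rm -rf "$demo"
# On a real system: ca_state /etc/ca-certificates.conf /etc/ssl/certs StartCom
```

An entry reported as missing is enabled in the configuration but has no certificate file in the directory, which is the state that running update-ca-certificates is meant to repair.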




