Bug#589023: iceweasel: SSL/X509 Certificate for 'AddTrust External CA Root' not recognized as valid

Mike Hommey mh at glandium.org
Wed Jul 14 11:43:21 UTC 2010


On Wed, Jul 14, 2010 at 01:27:12PM +0200, Frank Lin PIAT wrote:
> Package: iceweasel
> Version: 3.5.10-1
> 
> Hello,
> 
> When I visit https://www.gandi.net, the certificate isn't trusted/recognized.
> I can reproduce the problem with https://www.comodo.com
>   Error title: "This Connection is Untrusted"
>   Error code: sec_error_unknown_issuer

Both work here.

(...)
> Other web browsers (epiphany/Deb, chrome/Deb, firefox 3.6.3/Win, Safari/Win)
> and openssl's CLI don't exhibit this loop behaviour.
> (I have submitted a webshots session... we'll see how other browsers do
> on http://browsershots.org/https://www.comodo.com/ )
> 
> The certificate "AddTrust External CA Root" is supposed to be
> enabled/trusted on my system:
> > readlink /etc/ssl/certs/AddTrust_External_Root.pem 
> > /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
> 
> > # openssl x509 -noout -in /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt  -subject
> > subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

Unfortunately, these are not used by Iceweasel/libnss3.

The interesting data point in your report, though, is that it works with
chrome/deb. Chrome, like Iceweasel, uses libnss3, though unless you
tested with chromium-browser, I'm unsure it uses the system library.

Anyways, as it works properly here, I suspect something fishy with the
certificate database in your user profile.

Can you first check if that works better if you try with a new profile
(you can use a new user account, or run iceweasel -P to create a new
profile). If so, I invite you to check in Edit > Preferences > Advanced >
Encryption > View Certificates > Authorities.

Mike
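
Added example, not part of the original message: since Iceweasel/libnss3 reads trust from its own NSS database rather than /etc/ssl/certs, the same check as the Authorities dialog can be done from a shell by reading the trust column of a `certutil -L` listing. The function name `ssl_trust` and the sample listing are constructed for illustration; the `certutil` invocation in the comment assumes the libnss3-tools utility and a profile directory of your own.

```shell
#!/bin/sh
# Added example: report the SSL trust flags NSS holds for a CA.
# Assumed way to produce the listing from a real profile (not run here):
#   certutil -L -d "$PROFILE_DIR" -h all | ssl_trust AddTrust
# In the trust column "SSL,S/MIME,JAR/XPI", an uppercase C in the first
# field means "trusted CA for issuing server certificates".

# Constructed sample in the layout printed by `certutil -L`: the built-in
# root is trusted, but a copy stored in the profile has its trust removed.
SAMPLE='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:AddTrust External Root                  C,C,C
AddTrust External Root                                       ,,
Builtin Object Token:Example Other Root                      C,C,C'

# ssl_trust PATTERN < listing
# Prints "<nickname>|<ssl flags>|<verdict>" for each nickname containing
# PATTERN (plain substring match, not a regex).
ssl_trust() {
    awk -v pat="$1" '
        # Data rows end in three comma-separated flag groups, e.g. "C,C,C".
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            trust = $NF
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
            sub(/^[ \t]+/, "", nick)                # drop leading padding
            if (index(nick, pat) == 0) next
            split(trust, f, ",")
            verdict = (f[1] ~ /C/) ? "trusted-for-ssl" : "NOT-trusted-for-ssl"
            print nick "|" f[1] "|" verdict
        }'
}

printf '%s\n' "$SAMPLE" | ssl_trust AddTrust
```

A row reported as NOT-trusted-for-ssl for a root that should be trusted is the kind of profile-level override that would produce sec_error_unknown_issuer while a fresh profile works.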
