On Wed, Jul 14, 2010 at 06:17:30PM +0200, Frank Lin PIAT wrote:
> On Wed, 2010-07-14 at 13:43 +0200, Mike Hommey wrote:
> > On Wed, Jul 14, 2010 at 01:27:12PM +0200, Frank Lin PIAT wrote:
> > >
> > > When I visit https://www.gandi.net, the certificate isn't
> > > trusted/recognized.
> > > Error title: "This Connection is Untrusted"
> > > Error code: sec_error_unknown_issuer
> > > [..]
> >
> > as it works properly here, I suspect something fishy with the
> > certificate database in your user profile.
> >
> > Can you first check if that works better if you try with a new profile
>
> The new profile is OK (I should have tested that rather than making a
> wrong assumption).
>
> I investigated... In the OK profile, the "AddTrust External CA Root"
> certificate is self-signed, whereas the certificates are different in
> the KO profile (and they make a loop!):
>
> /usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "AddTrust External CA Root" | openssl x509 -noout -issuer -subject
> > issuer= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
> > subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>
> /usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "UTN - DATACorp SGC" | openssl x509 -noout -issuer -subject
> > issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> > subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
>
> I wonder where I got those certificates from, and if others could be
> affected.
>
> <me thinking>
> If I understand how NSS works properly, it means that NSS is "learning"
> certificate chains (i.e. adding certificates to its database) as it is
> receiving certificates from visited websites.
>
> This fuzzy / unpredictable behavior scares me.
> </me thinking>
AFAIK, it doesn't. The "AddTrust External CA Root" certificate is provided
by the "builtin object token", so it shouldn't have been broken in the
first place. Are you sure you never imported a broken certificate?

> Anyway, I removed the "Software Security Device" entries, and it's now
> working:
> UTN - DATACorp SGC
> `-> AddTrust External CA Root
>     `-> COMODO EV SGC CA
>         `-> www.comodo.com

Do you have a backup of your firefox profile directory? If you don't have
any private key stored in it, would you mind providing the *.db files from
there?

Cheers,

Mike
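The loop Frank describes (two CA certificates in the profile's database that each name the other as issuer, so chain building never reaches a self-signed anchor) can be detected mechanically from the `issuer=`/`subject=` lines the certutil | openssl pipeline prints. The following is an added example, not code from the thread or from NSS: it embeds the two DNs quoted above as constructed listings for a broken and a healthy store, then walks issuer links from each certificate until it hits a self-signed root, a missing issuer, or a DN it has already passed.

```python
"""Detect issuer/subject loops in a certificate store listing (added example)."""
from typing import Dict, List, Tuple

# DNs as printed by `openssl x509 -noout -issuer -subject` in the thread.
ADDTRUST = "/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root"
UTN = "/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC"

# Constructed listing mirroring the broken profile: each CA names the other as issuer.
BROKEN_STORE = f"issuer= {UTN}\nsubject= {ADDTRUST}\nissuer= {ADDTRUST}\nsubject= {UTN}\n"
# Constructed listing of a healthy profile: the AddTrust root is self-signed.
GOOD_STORE = f"issuer= {ADDTRUST}\nsubject= {ADDTRUST}\nissuer= {ADDTRUST}\nsubject= {UTN}\n"

def parse_pairs(text: str) -> Dict[str, str]:
    """Map each subject DN to its issuer DN from consecutive issuer=/subject= lines."""
    issuer_of: Dict[str, str] = {}
    issuer = None
    for line in text.splitlines():
        if line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
        elif line.startswith("subject=") and issuer is not None:
            issuer_of[line[len("subject="):].strip()] = issuer
            issuer = None
    return issuer_of

def walk_chain(subject: str, issuer_of: Dict[str, str]) -> Tuple[str, List[str]]:
    """Follow issuer links upward; returns ('root'|'loop'|'missing', path)."""
    path, seen = [subject], {subject}
    while True:
        issuer = issuer_of.get(path[-1])
        if issuer is None:            # issuer not present in this store
            return "missing", path
        if issuer == path[-1]:        # self-signed: a proper trust anchor
            return "root", path
        if issuer in seen:            # back to a DN already on the path: a loop
            return "loop", path + [issuer]
        seen.add(issuer)
        path.append(issuer)

def find_loops(text: str) -> List[List[str]]:
    """Return every cycle reached by walking each certificate in the listing."""
    issuer_of = parse_pairs(text)
    loops = []
    for subject in issuer_of:
        status, path = walk_chain(subject, issuer_of)
        if status == "loop":
            loops.append(path)
    return loops
```

Feeding the output of `certutil -L -d <profile> -a | openssl x509 -noout -issuer -subject` for each nickname into `find_loops` flags exactly the pair shown above, while a store whose root is self-signed yields no loops.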