On Sun, 2011-03-06 at 10:00 -0800, Josh Triplett wrote: > retitle 616587 evolution: No certificate authorities available (libnssckbi.so > not found) > thanks > > On Sun, Mar 06, 2011 at 12:08:53PM +0100, Yves-Alexis Perez wrote: > > On dim., 2011-03-06 at 02:51 -0800, Josh Triplett wrote: > > > On Sun, Mar 06, 2011 at 11:09:06AM +0100, Yves-Alexis Perez wrote: > > > > On sam., 2011-03-05 at 12:11 -0800, Josh Triplett wrote: > > > > > I wanted to try evolution again, so I started setting up an email > > > > > account. When configuring SMTP, I entered the server > > > > > "mail.gandi.net", > > > > > selected "SSL encryption" from the "Use secure connection" dropdown, > > > > > checked "Server requires authentication", and hit "Check for Supported > > > > > Types". This connected to the SMTP server via smtps, and promptly > > > > > gave the following SSL certificate warning: > > > > > > > > Is the CA in the NSS certificate store? (you can look at it in the > > > > Evolution preferences, “Certificate” tab). > > > > > > Evolution doesn't seem to have any certificates listed under > > > "Certificates" -> "Authorities" at all. > > > > That looks weird indeed. Is there something unusual in your install? > > Not that I know of, but obviously *something* has gone wrong somewhere. > :)
Is it completely up2date? Looking at the initial mail it seems that nss
is a beta version, which might be related:
ii libnss3-1d 3.12.9~beta2-1 Network Security Service libraries
while experimental has 3.12.9-2 and sid has 3.12.8-2. Try updating to
latest version in experimental and report back?
>
> Doing a bit of searching turned up bug 563253 and 563324, and this looks
> very much like the same issue. Following the advice in those bugs, I
> tried stracing evolution, and sure enough:
>
> 2679 open("/home/josh/.pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT (No
> such file or directory)
>
> And no other attempt occurs to open libnssckbi.so.
>
> Doing this:
> mkdir -p ~/.pki/nssdb
> ln -s /usr/lib/nss/libnssckbi.so ~/.pki/nssdb/
So .pki didn't exist at all?
>
> before launching evolution caused it to properly validate my mail
> server's CA certificate. That rather definitively suggests that the
> issue from those previous bug reports has returned.
>
> I see that evolution 2.32.2-1 had this changelog entry:
> * debian/patches:
> - 02_let-nss-search-for-nssckbi, 03_correctly-init-nss and
> 04_login-to-nss-on-demand dropped, included upstream.
>
> A quick check of the source confirms that evolution still tries to
> search for libnssckbi itself, so the functionality of
> 02_let-nss-search-for-nssckbi did not get included upstream.
Sounds fishy, it's worth trying with a more recent nss.
>
> CCing Mike Hommey as well.
>
> > > Shouldn't Evolution just use the CA certificates from ca-certificates
> > > (plus any additions by the user)?
> >
> > Evolution uses NSS for the imap/smtp secure connections, so it uses
> > whatever NSS uses (and unfortunately not ca-certificates).
>
> Sigh, but in any case that seems like a separate issue.
>
Regards,
--
Yves-Alexis
signature.asc
Description: This is a digitally signed message part
