Every time my nightly mozilla-firefox-bin crashed, its crash reporter, breakpad, told me it had a problem sending the report. Today I found its log in .mozilla/firefox/Crash\ Reports/submit.log (as well as pending crash reports in given directory). Here are the contents of the log:

[Fri Feb 1 18:24:39 2008] Crash report submission failed: Peer certificate cannot be authenticated with known CA certificates
[Fri Feb 1 18:27:18 2008] Crash report submission failed: Peer certificate cannot be authenticated with known CA certificates
[Sat 28 Jun 2008 09:24:00 AM CEST] Crash report submission failed: Peer certificate cannot be authenticated with known CA certificates
[Sat 28 Jun 2008 09:24:39 AM CEST] Crash report submission failed: Peer certificate cannot be authenticated with known CA certificates
[Sat 02 Aug 2008 11:45:25 AM CEST] Crash report submission failed: Peer certificate cannot be authenticated with known CA certificates

I'm currently using nightly build with UA of "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1a2pre) Gecko/2008080102 Minefield/3.1a2pre" - it's not in portage, but eventually I can test with 3.1a1 from portage, using the crash me extension.
Not a Gentoo bug, report it upstream.
Mozilla closed the bug as invalid, see https://bugzilla.mozilla.org/show_bug.cgi?id=448925#c1
This is their response: "So install the right set of CA certificates. Not our problem." Please re-check our CA list, or ask Mozilla specifically. I have ca-certificates-20070303-r1.
Adding base-system, since ca-certificates is their package.
Except Mozilla's breakpad doesn't use any system CAs.... Mozilla has its own set of CAs it installs completely separately. Additionally, it might be worth knowing what server it's attempting to connect to and what CA signed that server's certificate.
Created attachment 162203: openssl info about crash-reports.mozilla.com
Using a sniffer I discovered that breakpad connects to crash-reports.mozilla.com. This attachment is what could be retrieved using openssl from the command line (the command is included in the file, as well as full output). I also detected traffic to dyna-services-amo.nslb.sj.mozilla.com, but it seems to be irrelevant, as it's probably related to addons.mozilla.org (but I'm not sure about that).
ca-certificates provides the necessary cert...

openssl s_client -connect crash-reports.mozilla.com:443 -CApath /etc/ssl/certs

will result in a successful cert validation. Breakpad needs to be configured to use /etc/ssl/certs in this case.
Sigh, so Mozilla says it's not their problem, and firefox doesn't use external certificates...so what? :/
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/205992
Still, -bin has its own nss lib...so...in my opinion that certificate crash-reports uses should be added to nss...we can't fix it.
Do you think I should re-open the upstream bug (maybe adding some additional info to it)? How about including link to this Gentoo bug?
Yeah, if you want an answer yes. Thing is, whether we want to fix it or not, we can't...
The crashreporter uses the system libcurl, not Firefox's built-in NSS. If your libcurl doesn't have the necessary certs available, it will not work. (We dlopen libcurl to get around SOversioning issues: http://mxr.mozilla.org/mozilla-central/source/toolkit/crashreporter/google-breakpad/src/common/linux/http_upload.cc#70 )
After re-emerging curl with nss USE flag disabled breakpad could successfully send reports, and curl could successfully validate Mozilla's certificate. Now possibilities of fixing this bug are much better.
Removing base-system then. The only fix here is adding a warning if someone has nss in its curl. What I still don't understand is why that cert is not included in nss, but well. Anyway, what version of firefox-bin are we talking about?
mozilla-firefox-bin-3.0.1-r1; I originally opened for nightly, but it also happens with in-portage version
I've added an einfo for this.
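
The diagnosis in this thread comes down to which TLS library the system libcurl is built against. As an added example (not code from the thread, from Mozilla, or from the Gentoo ebuild), this shell snippet classifies the backend from the first line of `curl --version` and flags the NSS build; the function names and the sample version lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: which TLS library is the system curl/libcurl linked against?
# In the thread, a curl built with the nss USE flag could not validate the
# crash-reports.mozilla.com certificate; rebuilding without nss fixed it.

# tls_backend "<first line of curl --version>" -> nss | openssl | gnutls | unknown
tls_backend() {
    # After "libcurl/x.y.z" the line lists Name/version tokens for each
    # linked library; the TLS library is one of them.
    for tok in $1; do
        case "$tok" in
            NSS/*)     echo nss;     return 0 ;;
            OpenSSL/*) echo openssl; return 0 ;;
            GnuTLS/*)  echo gnutls;  return 0 ;;
        esac
    done
    echo unknown
}

# breakpad_upload_risk "<version line>"
# Prints a verdict; returns 1 for the NSS build seen in this thread,
# 2 when the backend cannot be determined, 0 otherwise.
breakpad_upload_risk() {
    backend=$(tls_backend "$1")
    case "$backend" in
        nss)
            echo "WARN: libcurl is built against NSS; breakpad submissions failed with this build in the thread"
            return 1 ;;
        unknown)
            echo "NOTE: no recognised TLS library in the version line; check the build manually"
            return 2 ;;
        *)
            echo "OK: libcurl TLS backend is $backend"
            return 0 ;;
    esac
}

# Constructed sample version lines (not captured from a real system).
SAMPLE_NSS='curl 7.18.2 (i686-pc-linux-gnu) libcurl/7.18.2 NSS/3.12 zlib/1.2.3'
SAMPLE_OPENSSL='curl 7.18.2 (i686-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8h zlib/1.2.3'

# Live check against the installed curl, if there is one.
if command -v curl >/dev/null 2>&1; then
    breakpad_upload_risk "$(curl --version | head -n 1)" || true
fi
```

Because the crash reporter dlopens the system libcurl, the result for the `curl` binary only applies when both come from the same libcurl build.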