Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 479312

Summary: ca-certificates not enabled by default
Product: Gentoo Linux Reporter: Pavel Volkov <ao>
Component: [OLD] Core systemAssignee: Gentoo Linux bug wranglers <bug-wranglers>
Status: RESOLVED NEEDINFO    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Pavel Volkov 2013-07-31 19:20:40 UTC 
I'll post here since I don't encounter this problem in other distributions (which I run in virtual machines).

Problem occurs when I open this URL in a browser (tried mostly in Chromium, also in Firefox and Konqueror): https://www.sixxs.net/

Most of the time the browser says that certificate is not trusted (chain verification fails).
It is signed by CAcert which is present in Gentoo and enabled in browsers by default. No such problem happens with https://bugs.gentoo.org which is signed by the same authority.

The certificate 100% valid (I compared its fingerprint with Chromium on another Linux distribution, Chakra, which says it's valid).

Sometimes the certificate passes validation, I figured out that I can force it by adding the host's IPv4 address to /etc/hosts or enabling "Check for server certificate revocation" checkbox in Chromium and clearing the cache and restarting it, but it does not work all of the time, so I can't guarantree that these are the trigger conditions.

Date/time is correct on my PC.

Reproducible: Always

Steps to Reproduce:
1. Launch Chromium
2. Go to https://www.sixxs.net/home/



Portage 2.2.0_alpha191 (default/linux/amd64/13.0/desktop/kde, gcc-4.7.3, glibc-2.17, 3.9.11-gentoo-r1melf x86_64)
=================================================================
System uname: Linux-3.9.11-gentoo-r1melf-x86_64-Intel-R-_Core-TM-_i5-2400_CPU_@_3.10GHz-with-gentoo-2.2
KiB Mem:    16414120 total,  11679544 free
KiB Swap:    5242876 total,   5242876 free
Timestamp of tree: Wed, 31 Jul 2013 04:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.1
app-shells/bash:          4.2_p45
dev-lang/python:          2.7.5-r1, 3.3.2-r1
dev-util/cmake:           2.8.11.1
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6, 1.14
sys-devel/binutils:       2.23.1
sys-devel/gcc:            4.7.3
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo systemd-love custom
Installed sets: @fonts, @mkde, @vim
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="@FREE NVIDIA-r1 skype-4.0.0.7-copyright AdobeFlash-11.x unRAR MPEG-4 myspell-ru_RU-ALexanderLebedev grass-ipafonts BitstreamCyberbit freedist free-noncomm MSttfEULA vim.org CC-BY-NC-ND-3.0"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native -mtune=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/ibus/component/simple.xml"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native -mtune=native"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirror.yandex.ru/gentoo-distfiles/ http://trumpetti.atm.tut.fi/gentoo/"
LANG="ru_RU.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/systemd-love /usr/local/portage"
USE="X a52 aac acl acpi alsa amd64 anthy bluetooth branding bzip2 cairo cdda cdr cjk cli cracklib crypt cryptsetup cups cxx dbus declarative directfb djvu dri dts dvd dvdr embedded emboss encode exif fam fbcon ffmpeg firefox flac fortran gdbm gif gpm gstreamer gtk iconv icu idn ipv6 jpeg kde kipi lame lcms libcaca libnotify lm_sensors mad mmx mng modules mp3 mp4 mpeg mudflap multilib ncurses nls nptl ogg opengl openmp openvg pam pango pcre pdf perl phonon plasma png policykit ppds python qt3support qt4 raw readline samba scanner sdl semantic-desktop session spell sse sse2 ssl startup-notification svg systemd tcpd tiff truetype udev udisks unicode upower usb vdpau vorbis wxwidgets x264 xcb xcomposite xinerama xml xscreensaver xv xvid zlib zsh-completion" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en en_GB ru ja" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-4" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby18 ruby20" SANE_BACKENDS="genesys" USERLAND="GNU" VIDEO_CARDS="nvidia nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, SYNC, USE_PYTHON
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2013-08-01 01:14:19 UTC 
You should probably tell your browser to import /etc/ssl/certs/ca-certificates.crt
. I have tested this with www-client/opera and www-client/firefox-bin, and neither accept CA Cert by default
Comment 2 Pavel Volkov 2013-08-01 05:19:08 UTC 
I have tested with an empty $HOME.
All websites signed by CAcert are accepted in www-client/chromium and www-client/firefox. Those include https://bugs.gentoo.org (signed by "CAcert Class 3 Root" and my own websites signed by "CA Cert Signing Authority").
I can open authorities list window and confirm this.

The only problem is https://www.sixxs.net.
But right now https://www.sixxs.net passes verification. When it breaks later, I'll try importing certificates.crt, alright :)
Comment 3 Jory A. Pratt gentoo-dev 2013-08-03 01:17:56 UTC 
(In reply to Pavel Volkov from comment #2)
> I have tested with an empty $HOME.
> All websites signed by CAcert are accepted in www-client/chromium and
> www-client/firefox. Those include https://bugs.gentoo.org (signed by "CAcert
> Class 3 Root" and my own websites signed by "CA Cert Signing Authority").
> I can open authorities list window and confirm this.
> 
> The only problem is https://www.sixxs.net.
> But right now https://www.sixxs.net passes verification. When it breaks
> later, I'll try importing certificates.crt, alright :)

ca-certificates are not used in any browser. Firefox/Chromium only work due to the fact we have patched nss to include the CAcert. If you are having issues you will need to debug nss to locate the break down.
Comment 4 Pavel Volkov 2013-08-04 15:14:50 UTC 
I can't reproduce it anymore in Chromium or FF.
Konqueror says "Trusted" but doesn't show the whole chain (only "www.sixxs.net" 2 times for old and new cert). With bugs.gentoo.org it shows full chain.