UPDATE: The problem has been fixed on identi.ca’s side. Maybe the workaround will be useful to others in some other context at some other time. I will also remove the certificate mentioned below from my system. It won’t be needed any longer, and who knows what nasty side effects it might have going forward…
I ran into this problem today where Gwibber (the micro-blogging client) on Ubuntu would not work with identi.ca anymore. The bug report referred to the log file ~/.xsession-errors, which contained this message:
Traceback (most recent call last):
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/network.py", line 53, in __init__
error: (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')
This is actually a cURL error, so I tried to reproduce the issue directly with curl on the command line:
$ curl 'https://identi.ca/api/statuses/friends_timeline.json?count=200&since_id=61361942'
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
After searching for this error on the web, I found a cURL page about SSL certificates. This page talks about importing SSL certificates for cURL to use. After some trial and error, I came up with these steps to import the certificate and solve the issue:
1. I went to https://identi.ca/ in Firefox and inspected the certificate. This pointed to the certificate download URL: http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt
2. I downloaded the .crt file from that URL.
3. The downloaded file is in some binary format. I converted the .crt file using this openssl command:
$ openssl x509 -inform DER -in COMODOHigh-AssuranceSecureServerCA.crt -out outcert.crt -text
4. I copied the resulting file, outcert.crt, to
5. From there, the new certificate can be installed system-wide by running dpkg-reconfigure:
$ sudo dpkg-reconfigure ca-certificates
This last step updates the files
/etc/ca-certificates.conf and the directory
The same curl command that didn’t work initially should work now (at least, it won’t complain about incorrect certificates.)
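As an added example (not part of the original post): the certificate in step 2 is fetched over plain HTTP, so one way to guard steps 3 to 5 is to compare its SHA-256 fingerprint with a value obtained over a trusted channel before converting it for the trust store. The function names and the separately obtained fingerprint are assumptions of this example.

```shell
# Added example: refuse to convert a downloaded certificate unless its
# SHA-256 fingerprint matches a value obtained from a trusted source.
# cert_sha256 and convert_if_pinned are illustrative names, not part of any tool.

# Print the SHA-256 fingerprint of a certificate as bare upper-case hex.
#   $1 = certificate file   $2 = input format (DER or PEM)
cert_sha256() {
    fp=$(openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256) || return 1
    # openssl prints "<digest> Fingerprint=AA:BB:..."; keep only the hex digits.
    printf '%s\n' "${fp#*=}" | tr -d ':' | tr 'a-f' 'A-F'
}

# Convert the DER file $1 to PEM at $3 only if its fingerprint equals $2.
# $2 may be written with or without colons, in either case.
# Returns 0 on success, 1 on a fingerprint mismatch, and 2 if openssl
# cannot parse the file as a certificate.
convert_if_pinned() {
    der=$1 expected=$2 out=$3
    actual=$(cert_sha256 "$der" DER 2>/dev/null) || return 2
    want=$(printf '%s' "$expected" | tr -d ': ' | tr 'a-f' 'A-F')
    if [ "$actual" != "$want" ]; then
        echo "fingerprint mismatch: got $actual" >&2
        return 1
    fi
    # Same conversion as step 3, without the -text dump in the output file.
    openssl x509 -inform DER -in "$der" -outform PEM -out "$out"
}

# Usage with the file name from step 2 (the fingerprint is a placeholder):
#   convert_if_pinned COMODOHigh-AssuranceSecureServerCA.crt \
#       "<SHA-256 fingerprint from a trusted source>" outcert.crt
```

Only a file that passes this check would then be copied and registered with dpkg-reconfigure as in steps 4 and 5.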
I’m sure there will be an “official” fix soon, but at least this provided for some geeky evening entertainment tonight. (Did I mention my TV is broken… )