SSL Certificate Error With Gwibber And identi.ca on Ubuntu

UPDATE: The problem has been fixed on identi.ca’s side. Maybe the workaround will be useful to others in some other context at some other time. I will also remove the certificate mentioned below from my system. It won’t be needed any longer, and who knows what nasty side effects it might have going forward…

I ran into this problem today where Gwibber (the micro-blogging client) on Ubuntu would not work with identi.ca anymore. The bug report referred to the log file ~/.xsession-errors, which contained this message:

Traceback (most recent call last):
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/network.py", line 53, in __init__
    self.curl.perform()
error: (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')

This is actually a cURL error, so I tried to reproduce the issue directly with curl on the command line:

$ curl 'https://identi.ca/api/statuses/friends_timeline.json?count=200&since_id=61361942'
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

After searching for this error on the web, I found a cURL page about SSL certificates. This page talks about importing SSL certificates for cURL to use. After some trial and error, I came up with these steps to import the certificate and solve the issue:

1. I went to https://identi.ca/ in Firefox and inspected the certificate. This pointed to the certificate download URL: http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt

2. I downloaded the .crt file from that URL.

3. The downloaded file is in some binary format. I converted the .crt file using this openssl command:

$ openssl x509 -inform DER -in COMODOHigh-AssuranceSecureServerCA.crt -out outcert.crt -text

4. I copied the resulting file, outcert.crt, to /usr/share/ca-certificates/COMODO_High_Assurance_Secure_Server_CA.crt.

5. From there, the new certificate can be installed system-wide by running dpkg-reconfigure:

$ sudo dpkg-reconfigure ca-certificates

This last step updates the files /etc/ca-certificates.conf and the directory /etc/ssl/certs.

The same curl command that didn’t work initially should work now (at least, it won’t complain about incorrect certificates.)
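
Step 2 fetches the CA certificate over plain HTTP and step 5 makes it trusted system-wide, so the file is worth checking before it is installed. The script below is an added example, not part of the original post: the function names vet_ca_cert and make_constructed_chain are hypothetical, and the root, intermediate and unrelated certificates it tests against are throwaway ones constructed on the spot.

```shell
#!/bin/sh
# Added example: vet a CA certificate fetched over plain HTTP before it is
# copied into /usr/share/ca-certificates. Function names are hypothetical.

# vet_ca_cert DER_FILE TRUSTED_BUNDLE OUT_PEM
# Succeeds only if DER_FILE parses as DER, is marked CA:TRUE and is signed
# by a root already in TRUSTED_BUNDLE. On success OUT_PEM holds the PEM form.
vet_ca_cert() {
    der=$1 bundle=$2 out=$3
    # No -text here, so OUT_PEM contains only the PEM block.
    openssl x509 -inform DER -in "$der" -out "$out" 2>/dev/null || {
        echo "not a DER certificate: $der" >&2; rm -f "$out"; return 1; }
    openssl x509 -in "$out" -noout -text | grep -q 'CA:TRUE' || {
        echo "not a CA certificate: $der" >&2; rm -f "$out"; return 1; }
    # Trust only the given bundle, not the default certificate directory.
    openssl verify -no-CApath -CAfile "$bundle" "$out" >/dev/null 2>&1 || {
        echo "does not chain to a trusted root: $der" >&2; rm -f "$out"; return 1; }
    # Print the fingerprint so it can be compared with one published by the CA.
    openssl x509 -in "$out" -noout -fingerprint -sha256
}

# Constructed sample data (throwaway keys, not real CA material): a root, an
# intermediate signed by it, and an unrelated self-signed CA, written to $1.
make_constructed_chain() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
        '[dn]' 'CN=placeholder' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/cfg"
    for n in root other; do
        openssl req -x509 -config "$d/cfg" -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed $n" -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null
    done
    openssl req -new -config "$d/cfg" -newkey rsa:2048 -nodes \
        -subj "/CN=constructed intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/cfg" -extensions ca -days 1 -out "$d/int.pem" 2>/dev/null
    for n in int other; do
        openssl x509 -in "$d/$n.pem" -outform DER -out "$d/$n.crt"
    done
}

tmp=$(mktemp -d) && make_constructed_chain "$tmp"
# The intermediate chains to the constructed root, so it is accepted.
vet_ca_cert "$tmp/int.crt" "$tmp/root.pem" "$tmp/int.vetted.pem"
# The unrelated self-signed CA does not, so it is refused.
vet_ca_cert "$tmp/other.crt" "$tmp/root.pem" "$tmp/other.vetted.pem" || echo "rejected as expected"
```

With the files from the steps above, the call would be vet_ca_cert COMODOHigh-AssuranceSecureServerCA.crt /etc/ssl/certs/ca-certificates.crt outcert.crt, and outcert.crt is only left in place when all three checks pass.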

I’m sure there will be an “official” fix soon, but at least this provided for some geeky evening entertainment tonight. (Did I mention my TV is broken;-) )

5 comments to SSL Certificate Error With Gwibber And identi.ca on Ubuntu

  • Hello,
    Thanks for your work!
    I’ve tried your workaround. But I have some questions. Would the certificate be a different one depending on the country?
    I don’t have the
    /usr/share/ca-certificates/COMODO_High_Assurance_Secure_Server_CA.crt
    so I tried to copy the outcert.crt elsewhere:
    /usr/share/ca-certificates/mozilla
    where I found, for instance, a COMODO_Certification_Authority.crt and then the dpkg-reconfigure

    But then, when I start Gwibber again, it doesn’t work with Identi.ca.
    I did a gwibber-service and I get this:
    Traceback (most recent call last):
    File "/usr/lib/python2.6/dist-packages/gwibber/microblog/network.py", line 53, in __init__
    self.curl.perform()
    error: (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')
    Traceback (most recent call last):
    File "/usr/lib/python2.6/dist-packages/gwibber/microblog/network.py", line 53, in __init__
    self.curl.perform()
    error: (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')
    Traceback (most recent call last):
    File "/usr/lib/python2.6/dist-packages/gwibber/microblog/network.py", line 53, in __init__
    self.curl.perform()
    error: (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')
    Traceback (most recent call last):
    File "/usr/lib/python2.6/dist-packages/gwibber/microblog/network.py", line 53, in __init__
    self.curl.perform()
    error: (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')

  • [...] This post was mentioned on Twitter by 1g0r. 1g0r said: Workaround (solution) for #gwibber problem with identi.ca on !ubuntu: http://j.mp/hNocmp thanks to mfoetsch !gwibber [...]

  • Michael Fötsch

    @1g0r The one that’s shipped with Ubuntu in /usr/share/ca-certificates/mozilla doesn’t appear to work.

    The certificate that you download from http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt is not country-specific. After you convert it to outcert.crt (or whatever name you choose), copy it as a new file to /usr/share/ca-certificates/COMODO_High_Assurance_Secure_Server_CA.crt (that’s the name I chose; you can copy it anywhere in /usr/share/ca-certificates/).

    Now, once the new file exists and you run “dpkg-reconfigure ca-certificates”, check the file /etc/ca-certificates.conf. A line for the new file should have been appended to the file. Is this the case?

    Also, the file /etc/ssl/certs/ca-certificates.crt should contain a new certificate at the end that begins with these characters:

    -----BEGIN CERTIFICATE-----
    MIIE/DCCA+SgAwIBAgIQFpDDKbZ4BgdRHwWwNEhGyzANBgkqhkiG9w0BAQUFADBv

  • naveen

    openssl x509 -inform DER -in COMODOHigh-AssuranceSecureServerCA.crt -out outcert.crt -text
    Error opening Certificate COMODOHigh-AssuranceSecureServerCA.crt
    14045:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('COMODOHigh-AssuranceSecureServerCA.crt','r')
    14045:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
    unable to load certificate

    above error is coming for me while doing ur instruction…
    pls post for this issue
