Bug 239051
Summary: | Can't replace expired cert with new one via Firefox | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Zack Cerza <zcerza> |
Component: | nss | Assignee: | Kai Engert (:kaie) (inactive account) <kengert> |
Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | nalin, triage |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | bzcl34nup | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-05-07 01:39:28 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Zack Cerza
2007-05-04 17:11:43 UTC
It turns out this was partially caused by a bug in koji's fedora-packager-setup.sh. It takes an x509 cert, copies it somewhere else, and converts the copy to pkcs#12 format, then tells you to import it into Firefox. But it will only do the copy if it doesn't see the destination file. Anyway it does seem like there is an nss bug here (or two): 1. Importing the expired cert again, replacing its exact self, didn't cause NSS to give me a heads up that I was importing a cert that was already there. 2. Importing the renewed cert while the expired cert was still in the DB gave me an error, saying the operation failed "for unknown reasons". Once I removed the expired cert, I could add the renewed one with no problems. (In reply to comment #1) > It turns out this was partially caused by a bug in koji's > fedora-packager-setup.sh. It takes an x509 cert, copies it somewhere else, and > converts the copy to pkcs#12 format, then tells you to import it into Firefox. > But it will only do the copy if it doesn't see the destination file. I see, so you always attempted to import the very same cert. > Anyway it does seem like there is an nss bug here (or two): > > 1. Importing the expired cert again, replacing its exact self, didn't cause NSS > to give me a heads up that I was importing a cert that was already there. Well, I agree it would be nice. But that's clearly an enhancement request. There is no harm. > 2. Importing the renewed cert while the expired cert was still in the DB gave me > an error, saying the operation failed "for unknown reasons". Once I removed the > expired cert, I could add the renewed one with no problems. This should not happen, but I have a suspicion. Is it possible that both certs had the same issuer name and the same serial number? This is strictly forbidden. All CAs follow that principle. But occassionaly we see that scenario when people try to "roll their own certs" without following the guidelines. NSS might have detected that scenario and rejected it (with an unhelpful error message, I agree). Please let me know whether there was such a conflict. Based on the date this bug was created, it appears to have been reported against rawhide during the development of a Fedora release that is no longer maintained. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained. If this bug remains in NEEDINFO thirty (30) days from now, we will automatically close it. If you can reproduce this bug in a maintained Fedora version (7, 8, or rawhide), please change this bug to the respective version and change the status to ASSIGNED. (If you're unable to change the bug's version or status, add a comment to the bug and someone will change it for you.) Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again. This bug has been in NEEDINFO for more than 30 days since feedback was first requested. As a result we are closing it. If you can reproduce this bug in the future against a maintained Fedora version please feel free to reopen it against that version. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp |