Bug 2484801

Summary: XMPP server Letsencrypt Cert is not automatically accepted
Product: [Fedora] Fedora
Reporter: imma <Immanuel.Hartung>
Component: pidgin
Assignee: Jaroslav Škarvada <jskarvad>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 44
CC: igor.raits, jskarvad, stu
Hardware: Unspecified
OS: Unspecified
Type: Bug
Bug Blocks: 2360110

Description imma 2026-06-04 14:26:19 UTC
Description of problem:

After updating to Fedora 44, the pidgin client asks users to accept the certificate from the XMPP server, even though it should be trusted by the system. Since we use letsencrypt for these certificates, this happens every ~60 days. On Fedora 43, the cert is automatically accepted.


Version-Release number of selected component (if applicable):

Pidgin 2.14.14-4.fc44 (libpurple 2.14.14)


How reproducible:

whenever the xmpp server cert has changed


Steps to Reproduce:

1. set up pidgin server with a certificate that should be trusted by the system (e.g. a letsencrypt cert)
2. start pidgin client (if cert was already accepted, remove cached cert from ~/.purple/certificates/x509/tls_peers/ beforehand)


Actual results:

pidgin client asks user to accept cert


Expected results:

cert is trusted


Additional info:

This is likely related to https://fedoraproject.org/wiki/Changes/droppingOfCertPemFile

When starting pidgin with pidgin -d on F44, we see this (I changed all internal user / server names):

(15:46:46) nss: SSL version 3.4 using 128-bit AES-GCM with 128-bit AEAD MAC
Server Auth: 2048-bit TLS 1.3, Key Exchange: 255-bit TLS 1.3, Compression: NULL
Cipher Suite Name: TLS_AES_128_GCM_SHA256
(15:46:46) nss: subject=CN=MY-XMPP-SERVER.com issuer=CN=YR1,O=Let's Encrypt,C=US
(15:46:46) nss: subject=CN=YR1,O=Let's Encrypt,C=US issuer=CN=Root YR,O=ISRG,C=US
(15:46:46) nss: subject=CN=Root YR,O=ISRG,C=US issuer=CN=ISRG Root X1,O=Internet Security Research Group,C=US
(15:46:46) certificate/x509/tls_cached: Starting verify for MY-XMPP-SERVER.com
(15:46:46) certificate/x509/tls_cached: Checking for cached cert...
(15:46:46) certificate/x509/tls_cached: ...Not in cache
(15:46:46) certificate/x509/ca: Couldn't open location '/usr/share/purple/ca-certs'
(15:46:46) certificate/x509/ca: Lazy init completed.
(15:46:46) nss: CERT 2. CN=Root YR,O=ISRG,C=US [Certificate Authority]:
(15:46:46) nss:   ERROR -8179: SEC_ERROR_UNKNOWN_ISSUER


Compared to F43, where we see this:

(15:50:37) nss: SSL version 3.4 using 128-bit AES-GCM with 128-bit AEAD MAC
Server Auth: 2048-bit TLS 1.3, Key Exchange: 255-bit TLS 1.3, Compression: NULL
Cipher Suite Name: TLS_AES_128_GCM_SHA256
(15:50:37) nss: subject=CN=MY-XMPP-SERVER.com issuer=CN=YR1,O=Let's Encrypt,C=US
(15:50:37) nss: subject=CN=YR1,O=Let's Encrypt,C=US issuer=CN=Root YR,O=ISRG,C=US
(15:50:37) nss: subject=CN=Root YR,O=ISRG,C=US issuer=CN=ISRG Root X1,O=Internet Security Research Group,C=US
(15:50:37) certificate/x509/tls_cached: Starting verify for MY-XMPP-SERVER.com
(15:50:37) certificate/x509/tls_cached: Checking for cached cert...
(15:50:37) certificate/x509/tls_cached: ...Not in cache
(15:50:37) nss/x509: Loading certificate from /etc/pki/tls/certs/ca-bundle.crt
(15:50:37) nss: Trusting CN=vTrus Root CA,O="iTrusChina Co.,Ltd.",C=CN
(15:50:37) certificate/x509/ca: Loaded vTrus Root CA from /etc/pki/tls/certs/ca-bundle.crt
(15:50:37) nss: Trusting CN=vTrus ECC Root CA,O="iTrusChina Co.,Ltd.",C=CN
(15:50:37) certificate/x509/ca: Loaded vTrus ECC Root CA from /etc/pki/tls/certs/ca-bundle.crt

...(multiple other trusted CAs, removed for brevity)

(15:50:37) certificate/x509/ca: Couldn't open location '/usr/share/purple/ca-certs'
(15:50:37) certificate/x509/ca: Lazy init completed.
(15:50:37) nss/x509: Exporting certificate to /home/.../.purple/certificates/x509/tls_peers/MY-XMPP-SERVER.com
(15:50:37) util: Writing file /home/.../.purple/certificates/x509/tls_peers/MY-XMPP-SERVER.com
(15:50:37) nss: Trusting CN=MY-XMPP-SERVER.com
(15:50:37) certificate: Successfully verified certificate for MY-XMPP-SERVER.com
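As an added diagnostic (not part of the report or of Pidgin), a Python helper that reads the trust-related lines of a `pidgin -d` log like the two above and reports which CA stores libpurple actually loaded, whether the server's chain is internally consistent, and which trust anchor it needed; the two embedded logs are excerpts of the report's own output.

```python
import re

# Excerpts of the `pidgin -d` output quoted in the report: F44 (prompting) and F43 (trusted).
F44_LOG = """\
(15:46:46) nss: subject=CN=MY-XMPP-SERVER.com issuer=CN=YR1,O=Let's Encrypt,C=US
(15:46:46) nss: subject=CN=YR1,O=Let's Encrypt,C=US issuer=CN=Root YR,O=ISRG,C=US
(15:46:46) nss: subject=CN=Root YR,O=ISRG,C=US issuer=CN=ISRG Root X1,O=Internet Security Research Group,C=US
(15:46:46) certificate/x509/ca: Couldn't open location '/usr/share/purple/ca-certs'
(15:46:46) nss:   ERROR -8179: SEC_ERROR_UNKNOWN_ISSUER
"""
F43_LOG = """\
(15:50:37) nss: subject=CN=MY-XMPP-SERVER.com issuer=CN=YR1,O=Let's Encrypt,C=US
(15:50:37) nss: subject=CN=YR1,O=Let's Encrypt,C=US issuer=CN=Root YR,O=ISRG,C=US
(15:50:37) nss: subject=CN=Root YR,O=ISRG,C=US issuer=CN=ISRG Root X1,O=Internet Security Research Group,C=US
(15:50:37) nss/x509: Loading certificate from /etc/pki/tls/certs/ca-bundle.crt
(15:50:37) certificate/x509/ca: Couldn't open location '/usr/share/purple/ca-certs'
(15:50:37) certificate: Successfully verified certificate for MY-XMPP-SERVER.com
"""

CHAIN_RE = re.compile(r"nss: subject=(.+?) issuer=(.+)$")
LOADED_RE = re.compile(r"nss/x509: Loading certificate from (\S+)")
MISSING_RE = re.compile(r"certificate/x509/ca: Couldn't open location '([^']+)'")

def diagnose(log):
    """Summarise how libpurple resolved trust for one TLS handshake in a debug log."""
    chain = [m.groups() for m in map(CHAIN_RE.search, log.splitlines()) if m]
    # The server sent a well-formed chain if each issuer is the next certificate's subject.
    linked = all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))
    loaded = LOADED_RE.findall(log)
    missing = MISSING_RE.findall(log)
    unknown_issuer = "SEC_ERROR_UNKNOWN_ISSUER" in log
    verified = "Successfully verified certificate" in log
    if verified:
        verdict = "trusted: a CA store was loaded and the chain verified"
    elif unknown_issuer and not loaded:
        verdict = "untrusted: no CA store could be loaded, so the user will be prompted"
    elif unknown_issuer:
        verdict = "untrusted: a CA store was loaded but the chain's root is not in it"
    else:
        verdict = "inconclusive"
    return {
        "leaf": chain[0][0] if chain else None,
        "chain_linked": linked,
        "needed_anchor": chain[-1][1] if chain else None,  # issuer of the last cert sent
        "ca_stores_loaded": loaded,
        "ca_stores_missing": missing,
        "verdict": verdict,
    }
```

On the F44 excerpt the result shows a fully linked chain with no CA store loaded at all, which is the signature of the dropped ca-bundle path rather than a bad server certificate.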