Bug 586256

Summary: NM loses p12 certificate location each time
Product: [Fedora] Fedora
Component: NetworkManager
Version: 12
Hardware: All
OS: Linux
Status: CLOSED WORKSFORME
Severity: medium
Priority: low
Reporter: Robert de Rooy <rderooy>
Assignee: Dan Williams <dcbw>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dcbw
Doc Type: Bug Fix
Last Closed: 2010-05-03 09:19:17 UTC

Description Robert de Rooy 2010-04-27 07:24:23 UTC
Description of problem:
I use a wireless network for which I have a private p12 certificate. I have this set up properly in NetworkManager.

However, each reboot or logout/login I need to tell it again where the certificate is located. All other settings it does keep, including the password. The certificate file is stored in a subdirectory of my home directory.

After telling it the location of the p12 certificate it will connect, but going to edit connections, the Private key is again set to (none), so clearly it is not being saved.

Also it will ask me each and every time if I do not want to set a certificate authority, and selecting the "do not ask me again" checkbox has no effect.

Version-Release number of selected component (if applicable):
NetworkManager-0.8.0-6.git20100408.fc12.x86_64

How reproducible:
Each time after a new login or reboot when connecting to this network which needs a private key.

Steps to Reproduce:
1. create a WiFi profile with a private p12 certificate
2. logout (or reboot)
3. Login
4. when NM detects the WiFi network it will ask for the security settings because the private key is missing
  
Actual results:
Security dialog box with p12 private certificate missing

Expected results:
automatically reconnect

Additional info:

Comment 1 Dan Williams 2010-04-27 17:52:57 UTC
Hmm, I wasn't able to reproduce this issue earlier this month after one report, and the original reporter said it went away.  Can you grab your ~/.xsession-errors file for me?  And also, do you have SELinux enabled ('getenforce' from a terminal will tell you)?  Last, where is the .p12 certificate, your homedir, a system directory, etc?

Comment 2 Robert de Rooy 2010-04-27 20:00:15 UTC
SELinux is set to permissive, and the certificate file is located in my home directory.

After a bit of digging in gconf-editor and some testing, I figured out how to trigger this problem.

1. create connection profile with p12 certificate
2. delete old p12 certificate
3. try to point NM to the new certificate file location

NetworkManager will not save the new certificate file location.

But if you take this sequence instead, all works fine:

1. create connection profile with p12 certificate
2. point NM to the new certificate file
3. delete old p12 certificate

Basically, once the data in gconf is invalid, NM will no longer update it with new data.

Comment 3 Dan Williams 2010-04-30 22:00:12 UTC
I'm not sure I understand quite what "point NM to the new certificate" means here; do you mean point the *connection editor* at the new file after having deleted it, or do you mean point the *applet* at the new file when it asks you for the connection details after you deleted the old one?

I did:

1) open the connection editor
2) create new WPA-Enterprise TLS connection using a p12 file and a PEM-format CA certificate
3) close the connection editor
4) choose the AP from the menu
5) verify that we get connected
6) from a terminal, move the old P12 file somewhere else
7) log out
8) log back in; nm-applet asks for the private key
9) give it the new location and wait for connection
10) verify that new private key is seen in connection editor
11) log out
12) log back in and verify that we get connected again

What's your exact procedure to reproduce this again?  I'm also using the latest testing version of NM from f12-updates, which could affect the problem, but there haven't been major changes to the connection-editor or applet since the build you're using so I don't expect the issue to have been fixed necessarily.

Comment 4 Robert de Rooy 2010-05-03 07:14:29 UTC
Well, this is strange. I tried again to duplicate the behaviour I had in the past, and could not.

What I had a few days ago is that the connection editor would claim no certificate if the file referenced in gconf was no longer present. And when selecting a new certificate it would use it for connecting, but not save it to gconf, as if the gconf entry was read-only. So if you 'saved' the profile in the connection editor and went back in, it still claimed (none) and in gconf it was still pointing to the old one.

What I did to fix it was to delete the certificate file entries in gconf-editor manually, and select the certificate again in the connection editor. And now I cannot duplicate the old behaviour any more.

Comment 5 Dan Williams 2010-05-03 09:19:17 UTC
Ok, if you see this again, please re-open so I can try to track it down again.  Thanks!