Bug 612269
Summary: Sending digitally signed email with S/MIME is broken.

| Field | Value |
|---|---|
| Product: | [Fedora] Fedora |
| Component: | nss |
| Version: | 13 |
| Hardware: | All |
| OS: | Linux |
| Status: | CLOSED CURRENTRELEASE |
| Severity: | medium |
| Priority: | low |
| Reporter: | Jason Smith <smithj4> |
| Assignee: | Elio Maldonado Batiz <emaldona> |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| CC: | dwmw2, emaldona, kdudka, kengert, lucilanga, mbarnes, mcrha |
| Keywords: | Reopened |
| Fixed In Version: | nss-3.12.9-8 |
| Doc Type: | Bug Fix |
| Last Closed: | 2011-06-01 18:19:43 UTC |
| Bug Depends On: | 603313, 630101, 643132 |
| Bug Blocks: | 643559 |

Description
Jason Smith
2010-07-07 17:55:39 UTC

Thanks for a bug report. I can reproduce this too, there seem to be two issues:

a) certificate name changed, thus one needs to change his/her certificate chosen in account preferences, otherwise there is shown an error about "not able to find the certificate".

b) even when I select the right certificate, then it fails to sign with it, with an error "Failed to encode data".

Finally, I cannot import a certificate to MY store with a new version, as I guess I do not know the password for it. I saw there also my evolution certificates for the first run, its name had Evolution prefix, but I do not see them now, only if I downgrade to the previous version, to 2.30.1.

I reopened the upstream bug [1], where I guess the issue comes from. Let's move with any further discussion there.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=585301

This could well be an NSS bug -- NSS in Fedora enables the 'shared system database' by default, but it doesn't really work without some NSS patches that I don't think have made it into updates yet.

As root, please run 'setup-nsssysinit.sh off'.

FWIW, I've tested this myself with the shared database disabled, and also with it enabled and with the patch from https://bugzilla.redhat.com/show_bug.cgi?id=603313#c10 applied. Both worked fine.

Any chance this might get updated soon? One month later and not even an rpm in testing to try out.

As indicated by comments #2 and #3, please test this again and confirm whether you still have issues either with:

- The fixed NSS packages (see bug 603313), or
- The shared system database turned off

I didn't know you were waiting for me to respond since you replied to your own comment and seemed to be confirming the problem and a working solution.

I tried the first solution "setup-nsssysinit.sh off" but I get the exact same error message.

As for the suggested patch from bug #603313, has the nss-3.12.6-11.fc13 rpm made it into the testing repo yet and does it contain the necessary patch? I can't find it.
It would be much easier for me to try installing that test rpm, rather than trying to patch and rebuild myself.

I pushed a new update with an additional fix yesterday which obsoleted the previous one, see https://admin.fedoraproject.org/updates/nss-3.12.6-11.fc13

Give it a day or two for the notification to show up on bug #603313 (hopefully here as well as I marked that one a blocker of this one)

(In reply to comment #6)
> I tried the first solution "setup-nsssysinit.sh off" but I get the exact same
> error message.

Ok, that's interesting. That was working for me, as I said. Is there something different about your key store? Does it have a master password?

Can you show the output of 'certutil -d $HOME/.evolution -L' and 'certutil -d sql:$HOME/.pki/nssdb -L', and the contents of /etc/pki/nssdb/pkcs11.txt

(In reply to comment #8)
> Ok, that's interesting. That was working for me, as I said. Is there something
> different about your key store? Does it have a master password?

Yes, the first time I try to send a signed email, I get prompted with "Enter the password for `NSS User Private Key and Certificate Services'".

> Can you show the output of 'certutil -d $HOME/.evolution -L' and
> 'certutil -d sql:$HOME/.pki/nssdb -L', and the contents of
> /etc/pki/nssdb/pkcs11.txt

Do you need the full contents, it looks like it contains the email address of a lot of people that have sent me signed email. A few key lines, related only to me are (I assume I am listed 3 times because my x509 cert expires every year and I have imported it 3 times over the past few years):

$ certutil -d $HOME/.evolution -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Jason A. Smith 236749's ID                                   u,u,u
ESnet Root CA 1 - ESnet                                      CT,C,C
Jason A. Smith 236749's ID                                   u,u,u
Jason A. Smith 236749's ID                                   u,u,u
DOEGrids CA 1 - ESnet                                        CT,C,C

$ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DOEGrids CA 1 - ESnet                                        CT,C,C
Jason A. Smith 236749's ID                                   u,u,u
ESnet Root CA 1 - ESnet                                      CT,C,C
Jason A. Smith 236749's ID                                   u,u,u
Jason A. Smith 236749's ID                                   u,u,u

$ cat /etc/pki/nssdb/pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

I tried the nss packages (nss-3.12.6-11.fc13.x86_64) in the testing repo (yum --enablerepo=updates-testing update nss), turned it back on since it didn't help for me (setup-nsssysinit.sh on), restarted evolution and tried to send a signed email. First, it looked like the password prompt changed: "Enter the password for `NSS Application Slot 00000004'", and then I got the exact same error message:

Could not create message.
Because "Uknown error. (-12285) - Failed to encode data", you may need to select different mail options.

PS. I also just noticed that there is a spelling mistake in the error message: Uknown.

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Using: evolution-2.32.2-1.fc14.x86_64, nss-3.12.9-8.fc14

I sent s/mime signed messages to myself from my home accounts to my work account and back. I also sent those messages to people on the cc list to this bug. Hope we can find out soon here from those who received the messages and could reply in kind.

I'm not sure why I was on the CC of that email, and why it was sent, but anyway, the message is signed and evolution shows the signature as a correct one.

This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13.
It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping .

(In reply to comment #13)
> I'm not sure why I was on the CC of that email, and why it was sent, but
> anyway, the message is signed and evolution shows the signature as a correct
> one.

Thanks, I will close this bug then.
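
Added example, not part of the original thread and not NSS or Evolution code: a small Python helper that compares the two `certutil -L` listings requested above (legacy `$HOME/.evolution` store versus `sql:$HOME/.pki/nssdb`) and reports user certificates that are missing from the shared store or that share one nickname. The function names are illustrative, and the sample listings reuse the entries quoted in the thread with reconstructed column spacing.

```python
import re
from collections import Counter

# One entry per line: nickname, whitespace, then three comma-separated
# trust-flag groups in the order SSL,S/MIME,JAR/XPI. Header lines do not match.
ENTRY_RE = re.compile(r"^(.+?)\s+([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")

def parse_listing(text):
    """Return [(nickname, trust)] parsed from `certutil -L` output."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def signing_candidates(entries):
    """Count, per nickname, entries whose S/MIME group carries 'u' (user cert)."""
    return Counter(nick for nick, trust in entries if "u" in trust.split(",")[1])

def compare_stores(legacy_text, shared_text):
    """Compare user certificates between the legacy and shared-store listings."""
    legacy = signing_candidates(parse_listing(legacy_text))
    shared = signing_candidates(parse_listing(shared_text))
    return {
        "missing_in_shared": sorted(set(legacy) - set(shared)),
        "count_mismatch": sorted(n for n in legacy
                                 if n in shared and legacy[n] != shared[n]),
        # More than one certificate under a nickname: the nickname alone
        # does not identify which one an account setting refers to.
        "ambiguous": sorted(n for n, c in shared.items() if c > 1),
    }

# Sample input: the entries quoted in the thread; column spacing is reconstructed.
HEADER = "Certificate Nickname            Trust Attributes\n" \
         "                                SSL,S/MIME,JAR/XPI\n\n"
LEGACY = HEADER + """\
Jason A. Smith 236749's ID      u,u,u
ESnet Root CA 1 - ESnet         CT,C,C
Jason A. Smith 236749's ID      u,u,u
Jason A. Smith 236749's ID      u,u,u
DOEGrids CA 1 - ESnet           CT,C,C
"""
SHARED = HEADER + """\
DOEGrids CA 1 - ESnet           CT,C,C
Jason A. Smith 236749's ID      u,u,u
ESnet Root CA 1 - ESnet         CT,C,C
Jason A. Smith 236749's ID      u,u,u
Jason A. Smith 236749's ID      u,u,u
"""

if __name__ == "__main__":
    print(compare_stores(LEGACY, SHARED))
```

To use it on a live system, pass the captured output of the two `certutil` commands from the thread to `compare_stores` in place of the sample strings.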