Red Hat Bugzilla – Bug 1278494
mirall does not trust the system certificate authority store
Last modified: 2015-11-05 11:15:36 EST
tl;dr: mirall doesn't use the system certificate store. Upstream has recommended that I suggest that Rawhide update to the 2.0.2 release, so that may fix this issue.
Description of problem:
I am experiencing this error message when I start the OwnCloud client, configured to connect to my server with a Let's Encrypt certificate:
Warnings about current SSL Connection:
The issuer certificate of a locally looked up certificate could not be found
with Certificate electronsweatshop.com
Organization: <not specified>
Unit: <not specified>
Country: <not specified>
Fingerprint (MD5): 02:d5:6b:f9:2c:23:b1:05:e7:e2:f9:fb:d7:e2:60:64
Fingerprint (SHA1): 09:71:46:51:df:2a:e3:99:5e:5f:6a:5d:f6:a2:4a:a7:24:05:98:de
Effective Date: Sun Nov 1 03:15:00 2015
Expiration Date: Sat Jan 30 03:15:00 2016
Issuer: Let's Encrypt Authority X1
Organization: Let's Encrypt
I am confident that I have configured the httpd server correctly (using the correct key, certificate, and CA chain) as the following clients accept the certificate without issue: Firefox, Seamonkey, curl, openssl s_client, Miredo, Psi, and Conversations (Android).
There are a couple possible explanations for this issue:
0) The client cannot use certificate chains.
1) The client does not trust the DST Root CA X3, which has cross signed the Let's Encrypt certificate. This would be surprising, since DST is a widely trusted certificate authority and every other program on my computer does not have any issue with trusting it.
I don't have an easy way to diagnose these two possibilities, but I do know that the OwnCloud client has a few issues where it does not trust system certificate stores:
Upstream asked me to ask Fedora to update to the 2.0.2 release, which they believe will solve this issue.
Let me know if you require any more information!
Version-Release number of selected component (if applicable):
I am running version 1.8.0 on Fedora Rawhide:
% rpm -q mirall
Steps to Reproduce:
1. Sign the OwnCloud server's certificate with a custom certificate authority (or use Let's Encrypt. I have tried both).
2. Install the custom CA cert on the client machine.
3. Point mirall at the OwnCloud server.
mirall will complain that the signing authority is untrusted.
mirall should trust any certificate that the system certificate store trusts. I.e., if the openssl client trusts the certificate, mirall should trust it too.
I've filed an upstream bug on this issue. I don't see a way to associate github issues in the external bug feature here in Bugzilla, so here's the link to the upstream report:
mirall is obsolete. Please use
I had filed an upstream bug report that is more specifically about mirall not trusting the system certificate store. I should have linked that bug report instead. Here it is:
Ahhhhh. Now I feel like an idiot. I noticed that someone had made a comment like that on my other bug so apparently I am thick in the skull. I updated to owncloud-client-2.0.1, and the issue is resolved. Apologies for the noise, and thank you for pointing me in the correct direction.
No problem, thank you for letting us know about any kind of bugs.
I will ping the main maintainer asking him if we can clean all residual mirall references in the Fedora infrastructure.
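The two explanations listed in the original description (the chain is not used, or the root is not trusted) can be told apart with `openssl verify`. The script below is an added example, not code from the reporter or the ownCloud project. It assumes an `openssl` binary on the PATH and builds a throwaway PKI whose names (Lab Root, Lab Intermediate, cloud.lab.example, Unrelated Root) are all made up.

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI; every name below is made up for this example.
lab=$(mktemp -d)
trap 'rm -rf "$lab"' EXIT

build_lab_pki() (
  cd "$lab" || exit 1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > lab.cnf
  # Self-signed root: the only certificate the client is expected to trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config lab.cnf -extensions v3_ca \
    -subj "/CN=Lab Root" -keyout root.key -out root.pem 2>/dev/null
  # Intermediate CA signed by the root (the role of the issuing authority in the report).
  openssl req -new -newkey rsa:2048 -nodes -config lab.cnf \
    -subj "/CN=Lab Intermediate" -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile lab.cnf -extensions v3_ca -days 2 -out int.pem 2>/dev/null
  # Server certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config lab.cnf \
    -subj "/CN=cloud.lab.example" -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null
  # A root that signed nothing above: stands in for a store lacking the right CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config lab.cnf -extensions v3_ca \
    -subj "/CN=Unrelated Root" -keyout other.key -out other.pem 2>/dev/null
)

# $1 = trust anchors the client has, $2 = intermediates available to it (optional).
diagnose() {
  out=$(openssl verify -CAfile "$1" ${2:+-untrusted "$2"} "$lab/leaf.pem" 2>&1) || true
  case $out in
    *": OK"*)                echo "trusted" ;;
    *"error 20 at 0 depth"*) echo "intermediate-missing" ;;  # leaf's issuer unavailable
    *"error 20 at 1 depth"*) echo "root-untrusted" ;;        # chain built, no trust anchor
    *)                       echo "other: $out" ;;
  esac
}

build_lab_pki
echo "root trusted, intermediate supplied: $(diagnose "$lab/root.pem" "$lab/int.pem")"
echo "root trusted, intermediate withheld: $(diagnose "$lab/root.pem")"
echo "wrong root,   intermediate supplied: $(diagnose "$lab/other.pem" "$lab/int.pem")"
```

Both failures are OpenSSL error 20 ("unable to get local issuer certificate"). The depth separates them: depth 0 means the leaf's issuer was never available, depth 1 means the chain was built but ends at a CA that is not in the trust store.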