Bug 1278494 - mirall does not trust the system certificate authority store
mirall does not trust the system certificate authority store
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: owncloud-client (Show other bugs)
rawhide
All Linux
unspecified Severity high
: ---
: ---
Assigned To: Nikos Roussos
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-05 10:45 EST by Randy Barlow
Modified: 2015-11-05 11:15 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-05 11:02:25 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Randy Barlow 2015-11-05 10:45:08 EST
tl;dr: mirall doesn't use the system certificate store. Upstream has recommended that I suggest that Rawhide update to the 2.0.2 release, so that may fix this issue.

Description of problem:
I am experiencing this error message when I start the OwnCloud client, configured to connect to my server with a Let's Encrypt certificate:

Warnings about current SSL Connection:
The issuer certificate of a locally looked up certificate could not be found
with Certificate electronsweatshop.com
Organization: <not specified>
Unit: <not specified>
Country: <not specified>
Fingerprint (MD5): 02:d5:6b:f9:2c:23:b1:05:e7:e2:f9:fb:d7:e2:60:64
Fingerprint (SHA1): 09:71:46:51:df:2a:e3:99:5e:5f:6a:5d:f6:a2:4a:a7:24:05:98:de

Effective Date: Sun Nov 1 03:15:00 2015
Expiration Date: Sat Jan 30 03:15:00 2016
Issuer: Let's Encrypt Authority X1
Organization: Let's Encrypt
Unit: 
Country: US

I am confident that I have configured the httpd server correctly (using the correct key, certificate, and CA chain) as the following clients accept the certificate without issue: Firefox, Seamonkey, curl, openssl s_client, Miredo, Psi, and Conversations (Android).

There are a couple possible explanations for this issue:

0) The client cannot use certificate chains.
1) The client does not trust the DST Root CA X3, which has cross signed the Let's Encrypt certificate. This would be surprising, since DST is a widely trusted certificate authority and every other program on my computer does not have any issue with trusting it.

I don't have an easy way to diagnose these two possibilities, but I do know that the OwnCloud client has a few issues where it does not trust system certificate stores:

https://github.com/owncloud/client/issues/2964
https://github.com/owncloud/client/issues/3739

Upstream asked me to ask Fedora to update to the 2.0.2 release, which they believe will solve this issue.

Let me know if you require any more information!

Version-Release number of selected component (if applicable):
I am running version 1.8.0 on Fedora Rawhide:

% rpm -q mirall
mirall-1.8.0-3.fc23.x86_64


How reproducible:
Every time.


Steps to Reproduce:
1. Sign the OwnCloud server's certificate with a custom certificate authority (or use Let's Encyrpt. I have tried both).
2. Install the custom CA cert on the client machine.
3. Point mirall at the OwnCloud server.


Actual results:
mirall will complain that the signing authority is untrusted.


Expected results:
mirall should trust any certificate that the system certificate store trusts. I.e., if the openssl client trusts the certificate, mirall should trust it too.


Additional info:
I've filed an upstream bug on this issue. I don't see a way to associate github issues in the external bug feature here in Bugzilla, so here's the link to the upstream report:

https://github.com/owncloud/client/issues/4062
Comment 1 Germano Massullo 2015-11-05 10:47:28 EST
mirall is obsolete. Please use
owncloud-client
package
Comment 2 Randy Barlow 2015-11-05 10:54:26 EST
I had filed an upstream bug report that is more specifically about mirall not trusting the system certificate store. I should have linked that bug report instead. Here it is:

https://github.com/owncloud/client/issues/3739
Comment 3 Randy Barlow 2015-11-05 11:02:25 EST
Ahhhhh. Now I feel like an idiot. I noticed that someone had made a comment like that on my other bug so apparently I am thick in the skull. I updated to owncloud-client-2.0.1, and the issue is resolved. Apologies for the noise, and thank you for pointing me in the correct direction.
Comment 4 Germano Massullo 2015-11-05 11:15:36 EST
No problem, thank you for letting us about any kind of bugs.
I will ping the main maintainer asking him if we can clean all residual mirall references in the Fedora infrastructure

Note You need to log in before you can comment on or make changes to this bug.