Description of problem: Qt5-based applications (e.g. Arora browser, MultiMC Minecraft Launcher) can't seem to handle SSL connections, throwing an error about not being able to find issuer certificates. Version-Release number of selected component (if applicable): qt5-5.10.1-1 How reproducible: Every time Steps to Reproduce: 1. Open Qt5-based application (e.g. Arora browser, MultiMC) 2. Attempt to access web resources over SSL Actual results: Receive an error: The issuer certificate of a locally looked up certificate could not be found Expected results: The SSL connection is successful without error and web request completes
Is this still an issue? If so, can you give a specific example of SSL sites that fail?
Created attachment 1501194 [details] Arora Browser Error Can confirm this is still an issue, qt5 version is now 5.11.1. Issue happens on every website I could test with SSL. Attached a screenshot of Arora Browser trying to access https://start.fedoraproject.org as an example and displaying the error
Is there any detail about what could be causing this issue? Is there anything else I can provide to help the process? I logged this back in May and it's still an issue
This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Have upgraded my system to Fedora 30 and the issue still very much exists.
I still cannot reproduce, tested with arora, falkon, konqueror browsers on fresh f30 install, all load https://start.fedoraproject.org and a @dayjob site with a custom wildcard cert ok I'd guess the problem here is more specific to your setup, and not a bug in general (otherwise, we'd see this problem more wide-spread). I'll see if I can dig up how to use 'openssl s_client' to test this.
What does this say for you? echo | openssl s_client -connect start.fedoraproject.org:443 Does it show any errors?
Of course it'd be my luck that I'm the only one with this issue lol. Here's the output of that command. Please let me know anything else you need: [colpanic@NATASCHA ~]$ echo | openssl s_client -connect start.fedoraproject.org:443 CONNECTED(00000003) depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA verify return:1 depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.fedoraproject.org verify return:1 --- Certificate chain 0 s:C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.fedoraproject.org i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA --- Server certificate -----BEGIN CERTIFICATE----- MIIGaDCCBVCgAwIBAgIQBgAdcIAphhlAa5cCvBVVJTANBgkqhkiG9w0BAQsFADBw MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz dXJhbmNlIFNlcnZlciBDQTAeFw0xNzAyMDEwMDAwMDBaFw0yMDA1MDExMjAwMDBa MG0xCzAJBgNVBAYTAlVTMRcwFQYDVQQIEw5Ob3J0aCBDYXJvbGluYTEQMA4GA1UE BxMHUmFsZWlnaDEVMBMGA1UEChMMUmVkIEhhdCBJbmMuMRwwGgYDVQQDDBMqLmZl ZG9yYXByb2plY3Qub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA 37LQjTJywmLXo+XygC/0A4BnhIxTxVSyvDfeUefjLga9HmG+/V0E5AsRCORJJIg9 0Coe7n6GM8gZMb9zCX/FlEd3SibbNHHLN7lijd6sT75ZiRYYrcfOPvx/EFvqUOZ7 kOV65ecFR8TiI2znPHcXEXgiRQwCXUY11NH5s/2PVwORUeEr+ZPGTfqIqjD0lcqv Ls2jNx1Lce1bNNSug2ReMXfdPm59j/dmhMdqOrSyr74JFCYwIuBHneH41YLshBml WZE3dQGqwpKezVTFFNqT7frozhlQrvd4gXgB+3ULZynnkFfVnSMfGLZpE3zk2LAB 5rEG8cQ+Nu9VH7PjavrRZkVmmoosB0AZ5iXYdJdwc2lknA72jkajVVvljFDEfn9Y KDdoXJlhfX4OyVzO2ab6tjt5ZY0gBGLVN2soTfXbeoCR4ErnKD9pxjqKWm9OFgLI ETEAxS0Y+dASTYFVZOvujbELlilQp0Ixmbs2WRwHsfKzZKvR1upqzOpnqd4ljYHY dtUA5WyTdUTSlKv3NjD3FAQw8xByHtI/Hyf7RVIRlWy/9di7CoEsOsdq4NGps+9s I42W4sd9gFXDCQzylX5MqZlgteIlW8wG/63s0O/dJW8U6BFuAN166PH0uYXT5k4W QED2HDoie8JQy7Y1inDBhDo+zA7eqWrZIO9/8h9D+ZUCAwEAAaOCAf8wggH7MB8G A1UdIwQYMBaAFFFo/5CvAgd1PMzZZWRiohK4WXI7MB0GA1UdDgQWBBTf0GV/3Qey /Q4CMu7XrW3kk4OtJjAxBgNVHREEKjAoghMqLmZlZG9yYXByb2plY3Qub3JnghFm ZWRvcmFwcm9qZWN0Lm9yZzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB BQUHAwEGCCsGAQUFBwMCMHUGA1UdHwRuMGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRp Z2ljZXJ0LmNvbS9zaGEyLWhhLXNlcnZlci1nNS5jcmwwNKAyoDCGLmh0dHA6Ly9j cmw0LmRpZ2ljZXJ0LmNvbS9zaGEyLWhhLXNlcnZlci1nNS5jcmwwTAYDVR0gBEUw QzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNl cnQuY29tL0NQUzAIBgZngQwBAgIwgYMGCCsGAQUFBwEBBHcwdTAkBggrBgEFBQcw AYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tME0GCCsGAQUFBzAChkFodHRwOi8v Y2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEySGlnaEFzc3VyYW5jZVNl cnZlckNBLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBiAwx1 DjSBQoum+ZDbX57ZHWvOAtausc6oMk5j02jco8c5Cc3fZoNHrhAxmCxLdGgdWz5q CeyWrsNl2+znX3iTUUUsjOPPjOjDDfZKkphKW7dFA0ec6tW6bZ+5BeRfjos1ZlqO d0Yey/Hti5T3sVN5jwBGJCXyb8PxLDfi5XEccP8DMIa91EdmERyblTotMyQ8O1He P3VNdGG7tJY53IFr5gRZ/BuQe99k+P5eQ7iHMv6K8DjR6apRY+LJ/Li0y2bwlF1x GzQz5B4XCOHC23A+11tH1tW/LSUF0g5RaQxldVrRBn74ec9Sc1NkFsZC1bn4FYYt DWfhteUyLpUczjDE -----END CERTIFICATE----- subject=C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.fedoraproject.org issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 3670 bytes and written 415 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 4096 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- DONE
This message is a reminder that Fedora 30 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '30'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 30 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
Have reopened as I have finally upgraded to 32 and the problem still exists. Additionally, the problem seems to have spread now, my plasmashell keeps crashing as some part of it (maybe a widget? Not sure) is trying to access a HTTPS site, which throws the error and clicking "Details" or "Continue" causes plasmashell to crash and restart. I tried to run Arora with sudo to see if it was a problem with my user account (maybe something in my ~ could have been the cause) but it still produced the same problem.
I think I finally had a breakthrough on this after all this time. Long standing Qt bug: https://bugzilla.redhat.com/show_bug.cgi?id=1021499. I had a symlink /etc/ssl/certs/2c543cd1.0 -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, this was to work around a bug with Borderlands games that couldn't get online due to their own SSL issues. However apparently having any *.0 files in this folder causes Qt to break when dealing with SSL. I've removed this symlink and the error is finally gone. Seeing as the cause has finally been linked to an existing bug, I'm closing this one as a dupe. *** This bug has been marked as a duplicate of bug 1021499 ***