Description of problem: I had to replace an expired pkcs#12 cert that had been imported into Firefox. I tried simply importing the new cert. It seemed like it had worked, but instead the old cert was still listed (and not the new one). So I tried deleting the old cert from within Firefox, restarting Firefox, and importing the new one. The old cert was still there, and the new one wasn't. Odd. So Ray Strode talked me through manually removing the old cert with certutil. That seemed to work, but Firefox just restored the old cert when I quit. I'll try removing it while Firefox isn't running right now. Version-Release number of selected component (if applicable): nss-3.11.5-2.fc7.i386 firefox-2.0.0.3-4.fc7.i386 How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
It turns out this was partially caused by a bug in koji's fedora-packager-setup.sh. It takes an x509 cert, copies it somewhere else, and converts the copy to pkcs#12 format, then tells you to import it into Firefox. But it will only do the copy if it doesn't see the destination file. Anyway it does seem like there is an nss bug here (or two): 1. Importing the expired cert again, replacing its exact self, didn't cause NSS to give me a heads up that I was importing a cert that was already there. 2. Importing the renewed cert while the expired cert was still in the DB gave me an error, saying the operation failed "for unknown reasons". Once I removed the expired cert, I could add the renewed one with no problems.
(In reply to comment #1) > It turns out this was partially caused by a bug in koji's > fedora-packager-setup.sh. It takes an x509 cert, copies it somewhere else, and > converts the copy to pkcs#12 format, then tells you to import it into Firefox. > But it will only do the copy if it doesn't see the destination file. I see, so you always attempted to import the very same cert. > Anyway it does seem like there is an nss bug here (or two): > > 1. Importing the expired cert again, replacing its exact self, didn't cause NSS > to give me a heads up that I was importing a cert that was already there. Well, I agree it would be nice. But that's clearly an enhancement request. There is no harm. > 2. Importing the renewed cert while the expired cert was still in the DB gave me > an error, saying the operation failed "for unknown reasons". Once I removed the > expired cert, I could add the renewed one with no problems. This should not happen, but I have a suspicion. Is it possible that both certs had the same issuer name and the same serial number? This is strictly forbidden. All CAs follow that principle. But occassionaly we see that scenario when people try to "roll their own certs" without following the guidelines. NSS might have detected that scenario and rejected it (with an unhelpful error message, I agree). Please let me know whether there was such a conflict.
Based on the date this bug was created, it appears to have been reported against rawhide during the development of a Fedora release that is no longer maintained. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained. If this bug remains in NEEDINFO thirty (30) days from now, we will automatically close it. If you can reproduce this bug in a maintained Fedora version (7, 8, or rawhide), please change this bug to the respective version and change the status to ASSIGNED. (If you're unable to change the bug's version or status, add a comment to the bug and someone will change it for you.) Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again.
This bug has been in NEEDINFO for more than 30 days since feedback was first requested. As a result we are closing it. If you can reproduce this bug in the future against a maintained Fedora version please feel free to reopen it against that version. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp