Bug 239051 - Can't replace expired cert with new one via Firefox
Can't replace expired cert with new one via Firefox
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: nss (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Kai Engert (:kaie)
bzcl34nup
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-05-04 13:11 EDT by Zack Cerza
Modified: 2008-08-02 19:40 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-06 21:39:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Zack Cerza 2007-05-04 13:11:43 EDT
Description of problem:
I had to replace an expired pkcs#12 cert that had been imported into Firefox. I
tried simply importing the new cert. It seemed like it had worked, but instead
the old cert was still listed (and not the new one).  So I tried deleting the
old cert from within Firefox, restarting Firefox, and importing the new one. The
old cert was still there, and the new one wasn't. Odd.

So Ray Strode talked me through manually removing the old cert with certutil.
That seemed to work, but Firefox just restored the old cert when I quit. I'll
try removing it while Firefox isn't running right now.

Version-Release number of selected component (if applicable):
nss-3.11.5-2.fc7.i386
firefox-2.0.0.3-4.fc7.i386


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Zack Cerza 2007-05-04 13:27:49 EDT
It turns out this was partially caused by a bug in koji's
fedora-packager-setup.sh. It takes an x509 cert, copies it somewhere else, and
converts the copy to pkcs#12 format, then tells you to import it into Firefox.
But it will only do the copy if it doesn't see the destination file.

Anyway it does seem like there is an nss bug here (or two):

1. Importing the expired cert again, replacing its exact self, didn't cause NSS
to give me a heads up that I was importing a cert that was already there.

2. Importing the renewed cert while the expired cert was still in the DB gave me
an error, saying the operation failed "for unknown reasons". Once I removed the
expired cert, I could add the renewed one with no problems.
Comment 2 Kai Engert (:kaie) 2007-05-16 16:21:16 EDT
(In reply to comment #1)
> It turns out this was partially caused by a bug in koji's
> fedora-packager-setup.sh. It takes an x509 cert, copies it somewhere else, and
> converts the copy to pkcs#12 format, then tells you to import it into Firefox.
> But it will only do the copy if it doesn't see the destination file.

I see, so you always attempted to import the very same cert.


> Anyway it does seem like there is an nss bug here (or two):
> 
> 1. Importing the expired cert again, replacing its exact self, didn't cause NSS
> to give me a heads up that I was importing a cert that was already there.

Well, I agree it would be nice. But that's clearly an enhancement request. There
is no harm.


> 2. Importing the renewed cert while the expired cert was still in the DB gave me
> an error, saying the operation failed "for unknown reasons". Once I removed the
> expired cert, I could add the renewed one with no problems.

This should not happen, but I have a suspicion.
Is it possible that both certs had the same issuer name and the same serial number?

This is strictly forbidden. All CAs follow that principle.
But occassionaly we see that scenario when people try to "roll their own certs"
without following the guidelines.

NSS might have detected that scenario and rejected it (with an unhelpful error
message, I agree).

Please let me know whether there was such a conflict.
Comment 3 Bug Zapper 2008-04-03 20:30:17 EDT
Based on the date this bug was created, it appears to have been reported
against rawhide during the development of a Fedora release that is no
longer maintained. In order to refocus our efforts as a project we are
flagging all of the open bugs for releases which are no longer
maintained. If this bug remains in NEEDINFO thirty (30) days from now,
we will automatically close it.

If you can reproduce this bug in a maintained Fedora version (7, 8, or
rawhide), please change this bug to the respective version and change
the status to ASSIGNED. (If you're unable to change the bug's version
or status, add a comment to the bug and someone will change it for you.)

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
Comment 4 Bug Zapper 2008-05-06 21:39:26 EDT
This bug has been in NEEDINFO for more than 30 days since feedback was
first requested. As a result we are closing it.

If you can reproduce this bug in the future against a maintained Fedora
version please feel free to reopen it against that version.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

Note You need to log in before you can comment on or make changes to this bug.