Description of problem:
After updating to Fedora 44, the pidgin client asks users to accept the certificate from the XMPP server, even though it should be trusted by the system. Since we use letsencrypt for these certificates, this happens every ~60 days. On Fedora 43, the cert is automatically accepted.

Version-Release number of selected component (if applicable):
Pidgin 2.14.14-4.fc44 (libpurple 2.14.14)

How reproducible:
whenever xmpp server cert has changed

Steps to Reproduce:
1. set up pidgin server with certificate that should be trusted by the system (e.g. a letsencrypt cert)
2. start pidgin client (if cert was already accepted, remove cached cert from ~/.purple/certificates/x509/tls_peers/ beforehand)

Actual results:
pidgin client asks user to accept cert

Expected results:
cert is trusted

Additional info:
This is likely related to https://fedoraproject.org/wiki/Changes/droppingOfCertPemFile

When starting pidgin with pidgin -d on F44 we see this (I changed all internal user / server names):

(15:46:46) nss: SSL version 3.4 using 128-bit AES-GCM with 128-bit AEAD MAC Server Auth: 2048-bit TLS 1.3, Key Exchange: 255-bit TLS 1.3, Compression: NULL Cipher Suite Name: TLS_AES_128_GCM_SHA256
(15:46:46) nss: subject=CN=MY-XMPP-SERVER.com issuer=CN=YR1,O=Let's Encrypt,C=US
(15:46:46) nss: subject=CN=YR1,O=Let's Encrypt,C=US issuer=CN=Root YR,O=ISRG,C=US
(15:46:46) nss: subject=CN=Root YR,O=ISRG,C=US issuer=CN=ISRG Root X1,O=Internet Security Research Group,C=US
(15:46:46) certificate/x509/tls_cached: Starting verify for MY-XMPP-SERVER.com
(15:46:46) certificate/x509/tls_cached: Checking for cached cert...
(15:46:46) certificate/x509/tls_cached: ...Not in cache
(15:46:46) certificate/x509/ca: Couldn't open location '/usr/share/purple/ca-certs'
(15:46:46) certificate/x509/ca: Lazy init completed.
(15:46:46) nss: CERT 2. CN=Root YR,O=ISRG,C=US [Certificate Authority]:
(15:46:46) nss: ERROR -8179: SEC_ERROR_UNKNOWN_ISSUER

Compared to F43, where we see this:

(15:50:37) nss: SSL version 3.4 using 128-bit AES-GCM with 128-bit AEAD MAC Server Auth: 2048-bit TLS 1.3, Key Exchange: 255-bit TLS 1.3, Compression: NULL Cipher Suite Name: TLS_AES_128_GCM_SHA256
(15:50:37) nss: subject=CN=MY-XMPP-SERVER.com issuer=CN=YR1,O=Let's Encrypt,C=US
(15:50:37) nss: subject=CN=YR1,O=Let's Encrypt,C=US issuer=CN=Root YR,O=ISRG,C=US
(15:50:37) nss: subject=CN=Root YR,O=ISRG,C=US issuer=CN=ISRG Root X1,O=Internet Security Research Group,C=US
(15:50:37) certificate/x509/tls_cached: Starting verify for MY-XMPP-SERVER.com
(15:50:37) certificate/x509/tls_cached: Checking for cached cert...
(15:50:37) certificate/x509/tls_cached: ...Not in cache
(15:50:37) nss/x509: Loading certificate from /etc/pki/tls/certs/ca-bundle.crt
(15:50:37) nss: Trusting CN=vTrus Root CA,O="iTrusChina Co.,Ltd.",C=CN
(15:50:37) certificate/x509/ca: Loaded vTrus Root CA from /etc/pki/tls/certs/ca-bundle.crt
(15:50:37) nss: Trusting CN=vTrus ECC Root CA,O="iTrusChina Co.,Ltd.",C=CN
(15:50:37) certificate/x509/ca: Loaded vTrus ECC Root CA from /etc/pki/tls/certs/ca-bundle.crt
...(multiple other trusted CAs, removed for brevity)
(15:50:37) certificate/x509/ca: Couldn't open location '/usr/share/purple/ca-certs'
(15:50:37) certificate/x509/ca: Lazy init completed.
(15:50:37) nss/x509: Exporting certificate to /home/.../.purple/certificates/x509/tls_peers/MY-XMPP-SERVER.com
(15:50:37) util: Writing file /home/.../.purple/certificates/x509/tls_peers/MY-XMPP-SERVER.com
(15:50:37) nss: Trusting CN=MY-XMPP-SERVER.com
(15:50:37) certificate: Successfully verified certificate for MY-XMPP-SERVER.com
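The two debug logs above show libpurple's verification order: first the per-host cache under ~/.purple/certificates/x509/tls_peers/, then a CA pool built from the hard-coded bundle path /etc/pki/tls/certs/ca-bundle.crt and the directory /usr/share/purple/ca-certs. On F43 the bundle loads and the peer cert is exported to the cache; on F44 no bundle is loaded, the pool stays empty, and NSS reports SEC_ERROR_UNKNOWN_ISSUER. The triage script below is an added example, not code from the reporter or from Pidgin: it walks the same lookup order on the local machine and reports which trust source (if any) libpurple would have found, next to what OpenSSL itself uses as its default trust store. The two libpurple locations are taken from the log; the function names and the "cached"/"bundle"/"no-trust-source" labels are this example's own.

```python
"""Triage which trust source libpurple would find for a given XMPP host.

Added example (not Pidgin's code). Mirrors the lookup order visible in
the bug report's debug log: tls_peers cache first, then the hard-coded
CA locations. Nothing here talks to the network.
"""
import os
import ssl
from pathlib import Path

# Locations libpurple's log shows it consulting (from the report above).
PURPLE_CA_LOCATIONS = [
    "/etc/pki/tls/certs/ca-bundle.crt",  # PEM bundle loaded on F43
    "/usr/share/purple/ca-certs",        # per-cert directory, absent on both
]


def cached_peer_cert(host, purple_dir=None):
    """Path of the pinned peer cert for `host` if libpurple cached it, else None.

    `purple_dir` overrides ~/.purple (handy for tests and for other profiles).
    """
    base = Path(purple_dir) if purple_dir else Path.home() / ".purple"
    cached = base / "certificates" / "x509" / "tls_peers" / host
    return cached if cached.is_file() else None


def load_bundle_count(cafile):
    """Number of CA certs a PEM bundle yields, or None if it cannot be loaded.

    Uses a fresh SSLContext so the count reflects only this bundle, not
    OpenSSL's defaults. A missing file or one without PEM certificates
    both raise OSError (ssl.SSLError subclasses OSError).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=cafile)
    except OSError:
        return None
    return ctx.cert_store_stats()["x509_ca"]


def purple_ca_sources(locations=PURPLE_CA_LOCATIONS):
    """For each hard-coded location: CA count for a bundle file, number of
    entries for a directory, or None when it is missing/unusable."""
    result = {}
    for loc in locations:
        if os.path.isdir(loc):
            result[loc] = len(os.listdir(loc))
        else:
            result[loc] = load_bundle_count(loc)
    return result


def system_trust_summary():
    """Where OpenSSL looks by default and how many CAs it actually loads.

    This is the store the rest of the system trusts; if it is populated
    while every libpurple location is empty, the client is verifying
    against a different (empty) trust anchor set than e.g. curl would.
    """
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()
    return {
        "cafile": paths.cafile,
        "capath": paths.capath,
        "ca_count": ctx.cert_store_stats()["x509_ca"],
    }


def diagnose(host, purple_dir=None, locations=PURPLE_CA_LOCATIONS):
    """Replay libpurple's decision for `host`.

    Returns "cached" (tls_cached short-circuits, no CA pool needed),
    "bundle" (some hard-coded location yields certificates), or
    "no-trust-source" (empty pool: every issuer is unknown, so the user
    gets the accept-certificate prompt seen on F44).
    """
    if cached_peer_cert(host, purple_dir):
        return "cached"
    if any(count for count in purple_ca_sources(locations).values()):
        return "bundle"
    return "no-trust-source"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "MY-XMPP-SERVER.com"
    print("libpurple would use:", diagnose(host))
    print("libpurple CA locations:", purple_ca_sources())
    print("OpenSSL default trust:", system_trust_summary())
```

Run it as `python3 purple_trust_triage.py MY-XMPP-SERVER.com` on the affected box. A result of "no-trust-source" while `system_trust_summary()` reports a non-zero `ca_count` reproduces the report's situation: the system has a populated trust store, but none of the paths libpurple reads by name resolve to it. Note that the directory case only counts entries; libpurple would still need each file to parse as a certificate.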