uses an invalid security certificate

Asked by era

I'm not knowledgeable enough to tell whether this is a bug or a feature. When visiting URLs in Firefox (Ubuntu 8.10) I get a warning:

Secure Connection Failed uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.

(Error code: sec_error_untrusted_issuer)

Doesn't Ubuntu want to trust Debian's certificate, or is there a problem with the certificate? Or should I file a bug that this certificate (or rather, its issuing authority) is missing from ca-certificates?

Question information

English Edit question
Ubuntu ca-certificates Edit question
No assignee Edit question
Solved by:
Last query:
Last reply:
Revision history for this message
actionparsnip (andrew-woodhead666) said :

Click 'I understand the risks'
Add exception
Get certificate
Confirm security exception

It will then appear. It will also never happen again.

This is nothing to do with Ubuntu as it just happened on my Windows laptop for work. Its the Mozilla team who have somehow added this as a risk site.

Revision history for this message
era (era) said :

That's not what the question is about. The ca-certificates package contains a bunch of trusted certificates so you don't get "I understand the risks" for your bank, Ubuntu's sites, Mozilla's sites, etc. I'm wondering if Debian should be in that set as well. For example, SPI is in that set, and I'd expect ca-certificates (being a Debian package) to at least in theory wish to grant some trust to Debian's own sites.

Revision history for this message
actionparsnip (andrew-woodhead666) said :

Then I'd log a bug with the ca-certificates as well as firefox. I do not have ca-certificates package on my Windows system as it is running Windows, It is therefore more likely a firefox bug, but if the ca-certificate team add it to their collection then this will fix it too so I'd hit both.

You will rarely find a stock install of any OS fits everyones needs so the app allows you to add your own exceptions for safe websites even if they are not sanctioned as safe to the masses. A list of every safe and unsafe site would be unfeasible.

You have a point about the blocking of debian sites being weird but you are free to modify the config to allow it. I've personally not seen this before but if you see it as an issue, then make it known and it will hopefully be evaluated. If it is deemed ok then a change will take place. If not then it will be disgarded.

Revision history for this message
era (era) said :

I'm sorry, but you are not being helpful. I want to avoid filing useless bug reports and that's the reason I'm asking here. If you are not familiar with the ca-certificates package, why are you responding to questions about it?

Revision history for this message
midnightflash (midnightflash) said :

@Era: That server is just signed with a private key. No need to worry about. This is much more secure than with no key. Of course it would be nicer to just go to such a site.

The Problem in my mind is that the modern browsers (f.e. Firefox-3, IE-7) are senselessly telling you that it is insecure to go there. Indeed it is absolutely OK to go there... just to go through the key-accept-thing every first-time.

Debian could get their key signed f.e. by "officials" like Thawte or CA or something... for money or not... so the browsers are not moaning... but no need indeed.


Revision history for this message
era (era) said :

I'm sorry, I'm not interested in workarounds or musings on the web security infrastructure. I'm interested in whether or not this was intentionally left out from ca-certificates.

Revision history for this message
actionparsnip (andrew-woodhead666) said :

Its not a work around, its an extra exception to your browser that yuo must add. Just like adding a security key for ssh isn't automatic but is offered all the same.
If its causeing you so much worry then log a bug. You will find a lot of sites like this but you can slowly shape your browser to your uses just as you add passwords to storage and/or favourites.

Revision history for this message
midnightflash (midnightflash) said :

@Era: Because it is a PRIVATE CA-CERTIFICATE! The web is full of those and they are coming up and dying some stay for ages... don't care. It's to get a secure way for browsers to communicate with the web-servers at NO CHARGE.
And those PRIVATE-ONES CANNOT be supported by no browser.
No further discussion.

End of the line.

Revision history for this message
era (era) said :

It's not a private certificate, it was signed by which arguably could be a candidate for ca-certificates. If you cannot weigh in on whether or not in fact it should be included, please don't post further follow-ups.

Revision history for this message
Arnaud Soyez (weboide) said :

Hi era,

This definately needs to be filed as bug, even though this would be a "wishlist",and you could specify it. Or maybe, you could file it as a blueprint!
A title like "please add certifcates, or its issuing authority into ca-certificates" would be self-explanatory.

If then, the bug is set WONTFIX or INVALID, you'll know that it is not possible and no need to ask again.

Revision history for this message
Paul Childs (childsey01) said :

I also have this problem, though with
Utterly ridiculous that Ubuntu security packages wouldn't trust debian.
There may be exceptions out there but considering Ubuntu and debians close working relationship and intent to continue and be enriched by this, this should definitely not be one of them.
Think its definitely time to fie a bug report.

Revision history for this message
Best deejoe (nyloco) said :

the SPI certificate is distributed as part of ca-certificates, it is just in a separate directory from the mozilla-distributed certificates used by Firefox. This may be because of restrictions in what can be distributed under the Mozilla trademarks.

To work around this problem without subjecting oneself to the possiblity of a MITM attack which is inherent to just adding an exception without first confirming the cerfiticate, click through the following within Firefox:

View Certificates
File System
Trust this CA to identify websites.

Hope that helps . . .

Revision history for this message
Rolf Leggewie (r0lf) said :

Thanks, deejoe, that was helpful. It is indeed ridiculous and a bug for this not to work OOTB.

Revision history for this message
era (era) said :

Thanks deejoe, that solved my question.