alioth.debian.org uses an invalid security certificate

Asked by era

I'm not knowledgeable enough to tell whether this is a bug or a feature. When visiting https://alioth.debian.org/ URLs in Firefox (Ubuntu 8.10) I get a warning:

Secure Connection Failed

alioth.debian.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.

(Error code: sec_error_untrusted_issuer)

Doesn't Ubuntu want to trust Debian's certificate, or is there a problem with the certificate? Or should I file a bug that this certificate (or rather, its issuing authority) is missing from ca-certificates?

Question information

Language: English
Status: Solved
For: Ubuntu ca-certificates
Assignee: No assignee
Solved by: deejoe
actionparsnip (andrew-woodhead666) said :
#1

Click 'I understand the risks'
Add exception
Get certificate
Confirm security exception

It will then appear. It will also never happen again.

This has nothing to do with Ubuntu as it just happened on my Windows laptop for work. It's the Mozilla team who have somehow added this as a risk site.

era (era) said :
#2

That's not what the question is about. The ca-certificates package contains a bunch of trusted certificates so you don't get "I understand the risks" for your bank, Ubuntu's sites, Mozilla's sites, etc. I'm wondering if Debian should be in that set as well. For example, SPI is in that set, and I'd expect ca-certificates (being a Debian package) to at least in theory wish to grant some trust to Debian's own sites.

actionparsnip (andrew-woodhead666) said :
#3

Then I'd log a bug with ca-certificates as well as Firefox. I do not have the ca-certificates package on my Windows system as it is running Windows. It is therefore more likely a Firefox bug, but if the ca-certificates team add it to their collection then this will fix it too, so I'd hit both.

You will rarely find a stock install of any OS that fits everyone's needs, so the app allows you to add your own exceptions for safe websites even if they are not sanctioned as safe to the masses. A list of every safe and unsafe site would be unfeasible.

You have a point about the blocking of Debian sites being weird, but you are free to modify the config to allow it. I've personally not seen this before, but if you see it as an issue, then make it known and it will hopefully be evaluated. If it is deemed OK then a change will take place. If not then it will be discarded.

era (era) said :
#4

I'm sorry, but you are not being helpful. I want to avoid filing useless bug reports and that's the reason I'm asking here. If you are not familiar with the ca-certificates package, why are you responding to questions about it?

midnightflash (midnightflash) said :
#5

@Era: That alioth.debian.org server is just signed with a private key. No need to worry about it. This is much more secure than with no key. Of course it would be nicer to just go to such a site.

The problem in my mind is that the modern browsers (f.e. Firefox-3, IE-7) are senselessly telling you that it is insecure to go there. Indeed it is absolutely OK to go there... just go through the key-accept-thing every first time.

Debian could get their key signed f.e. by "officials" like Thawte or CA or something... for money or not... so the browsers are not moaning... but no need indeed.

Greetings
mid

era (era) said :
#6

I'm sorry, I'm not interested in workarounds or musings on the web security infrastructure. I'm interested in whether or not this was intentionally left out from ca-certificates.

actionparsnip (andrew-woodhead666) said :
#7

It's not a workaround, it's an extra exception to your browser that you must add. Just like adding a security key for ssh isn't automatic but is offered all the same.
If it's causing you so much worry then log a bug. You will find a lot of sites like this, but you can slowly shape your browser to your uses just as you add passwords to storage and/or favourites.

midnightflash (midnightflash) said :
#8

@Era: Because it is a PRIVATE CA-CERTIFICATE! The web is full of those; they are coming up and dying, some stay for ages... don't care. It's to get a secure way for browsers to communicate with the web servers at NO CHARGE.
And those PRIVATE ONES CANNOT be supported by any browser.
No further discussion.

End of the line.

era (era) said :
#9

It's not a private certificate, it was signed by ca.debian.org which arguably could be a candidate for ca-certificates. If you cannot weigh in on whether or not in fact it should be included, please don't post further follow-ups.

Arnaud Soyez (weboide) said :
#10

Hi era,

This definitely needs to be filed as a bug, even though this would be a "wishlist", and you could specify it. Or maybe, you could file it as a blueprint!
A title like "please add alioth.debian.org certificates, or its issuing authority, into ca-certificates" would be self-explanatory.

If then, the bug is set WONTFIX or INVALID, you'll know that it is not possible and no need to ask again.

Paul Childs (childsey01) said :
#11

I also have this problem, though with https://mentors.debian.net/register/register
Utterly ridiculous that Ubuntu security packages wouldn't trust Debian.
There may be exceptions out there, but considering Ubuntu and Debian's close working relationship and intent to continue and be enriched by this, this should definitely not be one of them.
Think it's definitely time to file a bug report.

deejoe (nyloco) said (best answer):
#12

The SPI certificate is distributed as part of ca-certificates; it is just in a separate directory from the Mozilla-distributed certificates used by Firefox. This may be because of restrictions in what can be distributed under the Mozilla trademarks.

To work around this problem without subjecting oneself to the possibility of a MITM attack, which is inherent to just adding an exception without first confirming the certificate, click through the following within Firefox:

Edit
Preferences
Advanced
Encryption
View Certificates
Import...
File System
usr
share
ca-certificates
spi-inc.org
spi-cacert-2008.crt
Trust this CA to identify websites.
OK
OK
Close

Hope that helps . . .
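The check deejoe's answer is built around (confirm that the site's certificate really chains to the SPI CA before trusting anything, rather than clicking through a blind exception) can also be done from a terminal. The script below is an added example, not code from the thread or from the ca-certificates package; it assumes a POSIX sh with the openssl command-line tool, and the host, port and output path in the usage comment are placeholders, with the CA file path being the one deejoe's answer points at.

```shell
#!/bin/sh
# Added example (not from the thread or the ca-certificates package):
# verify a server's certificate against one chosen CA file before trusting it.

# verify_with_ca CERT_FILE CA_FILE
# Returns 0 only if CERT_FILE chains to the CA contained in CA_FILE.
# -CAfile names the trust anchor file to use instead of the default bundle;
# -no-CApath leaves the default hashed CA directory out of the lookup.
# openssl prints "<file>: OK" on success and the failing reason otherwise;
# a failure here is roughly what Firefox shows as sec_error_untrusted_issuer.
verify_with_ca() {
    openssl verify -no-CApath -CAfile "$2" "$1"
}

# fetch_server_cert HOST PORT OUT_FILE
# Saves the leaf certificate presented by HOST:PORT as PEM in OUT_FILE.
# -servername sends SNI so a virtual-hosted site returns its own certificate.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM -out "$3"
}

# Usage (host and CA path as named in the thread; /tmp path is a placeholder):
#   fetch_server_cert alioth.debian.org 443 /tmp/alioth.pem
#   verify_with_ca /tmp/alioth.pem /usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt
# Import the CA into Firefox (or add an exception) only if the verdict is OK.
```

If the verdict is anything other than OK, the certificate does not chain to that CA, so importing the CA into Firefox would not have helped, and adding an exception at that point is exactly the unverified trust the answer warns about. Note that only the leaf certificate is saved; a site that relies on an intermediate CA would need the intermediate passed to openssl verify with -untrusted as well.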

Rolf Leggewie (r0lf) said :
#13

Thanks, deejoe, that was helpful. It is indeed ridiculous and a bug for this not to work OOTB.

era (era) said :
#14

Thanks deejoe, that solved my question.