On Wed, Jul 14, 2010 at 01:27:12PM +0200, Frank Lin PIAT wrote: > Package: iceweasel > Version: 3.5.10-1 > > Hello, > > When I visit https://www.gandi.net, the certificate isn't trusted/recognized. > I can reproduce the problem with https://www.comodo.com > Error title: "This Connection is Untrusted" > Error code: sec_error_unknown_issuer
Both work here. (...) > Other web browsers (epiphany/Deb, chrome/Deb, firefox 3.6.3/Win, Safari/Win) > and openssl's CLI don't exhibit this loop behaviour. > (I have submited a webshots session... we'll see how other browsers do > on http://browsershots.org/https://www.comodo.com/ ) > > The certificate "AddTrust External CA Root" is supposed to be > enabled/trusted on my system: > > readlink /etc/ssl/certs/AddTrust_External_Root.pem > > /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt > > > # openssl x509 -noout -in > > /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt -subject > > subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust > > External CA Root Unfortunately, these are not used by Iceweasel/libnss3. The interesting data point in your report, though, is that it works with chrome/deb. Chrome, like Iceweasel, uses libnss3, though unless you tested with chromium-browser, I'm unsure it uses the system library. Anyways, as it works properly here, I suspect something fishy with the certificate database in your user profile. Can you first check if that works better if you try with a new profile (you can use a new user account, or run iceweasel -P to create a new profile). If so, I invite you to check in Edit > Preferences > Advanced > Encryption > View Certificates > Authorities. Mike -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org