[Bug 592836] New: SSL certificate for jabber.gnome.org invalid, clients cannot connect

http://bugzilla.gnome.org/show_bug.cgi?id=592836

           Summary: SSL certificate for jabber.gnome.org invalid, clients
                    cannot connect
    Classification: Infrastructure
           Product: sysadmin
           Version: unspecified
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: blocker
          Priority: Normal
         Component: Other
        AssignedTo: sysadmin-maint@...
        ReportedBy: andrew@...
         QAContact: sysadmin-maint@...
      GNOME target: ---
     GNOME version: ---


--- Comment #0 from Andrew Cowie <andrew@...> 2009-08-23 23:32:10 UTC ---
Having been upgraded to Pidgin 2.6.1 I suddently cannot connect to
jabber.gnome.org due to an "invalid certificate chain" which makes sense;
inspecting the logs I see the SSL certificate expired in October 2006.
Apparently we've been getting away with it all this time.

I guess I can't really blame pidgin for enforcing such things, but it means
I've now lost my connectivity to the XMPP network and the JID afcowie@...
I've been using for several years.

I know a fair bit of legwork will be required to fix this, and I almost feel
bad for asking, but if there is any possibiltiy of this being addressed
urgently it would be most appreciated. Instant messaging is kinda mission
critical, and I'd like to keep using GNOME infrastructure if possible.

AfC

--
Configure bugmail: http://bugzilla.gnome.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the QA contact of the bug.
You are watching the assignee of the bug.
_______________________________________________
gnome-infrastructure mailing list
gnome-infrastructure@...
http://mail.gnome.org/mailman/listinfo/gnome-infrastructure

http://bugzilla.gnome.org/show_bug.cgi?id=592836


Jeff Waugh <jdub> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jdub@...


--- Comment #1 from Jeff Waugh <jdub@...> 2009-08-24 00:34:12 UTC ---
Wow, impressive. I'll have a look at it soon.

--
Configure bugmail: http://bugzilla.gnome.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the QA contact of the bug.
You are watching the assignee of the bug.
_______________________________________________
gnome-infrastructure mailing list
gnome-infrastructure@...
http://mail.gnome.org/mailman/listinfo/gnome-infrastructure

https://bugzilla.gnome.org/show_bug.cgi?id=592836
  sysadmin | Other | unspecified

--- Comment #2 from André Klapper <a9016009@...> 2009-10-28 16:56:46 UTC ---
ping. Is this solved?

--
Configure bugmail: https://bugzilla.gnome.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the QA contact of the bug.
You are watching the assignee of the bug.
_______________________________________________
gnome-infrastructure mailing list
gnome-infrastructure@...
http://mail.gnome.org/mailman/listinfo/gnome-infrastructure

https://bugzilla.gnome.org/show_bug.cgi?id=592836
  sysadmin | Other | unspecified

--- Comment #3 from Andrew Cowie <andrew@...> 2009-10-29 04:40:00 UTC ---
I had to move my IM to another Jabber server, so I'm afraid I can't say whether
this is resolved or not. Sorry.

Incidentally, Empathy has an account option to "ignore invalid SSL" which means
if you're using Empathy to talk to their jabber.gnome.org account you can
likely workaround this. People using Pidgin will still be encounter the
problem, I expect.

AfC

--
Configure bugmail: https://bugzilla.gnome.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the QA contact of the bug.
You are watching the assignee of the bug.
_______________________________________________
gnome-infrastructure mailing list
gnome-infrastructure@...
http://mail.gnome.org/mailman/listinfo/gnome-infrastructure

https://bugzilla.gnome.org/show_bug.cgi?id=592836
  sysadmin | Other | unspecified

Tobias Mueller <gnome-bugs> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
                 CC|                            |gnome-bugs@auftrags-killer.
                   |                            |org
     Ever Confirmed|0                           |1

--- Comment #4 from Tobias Mueller <gnome-bugs@...> 2009-10-29 17:49:20 UTC ---
This is still an issue:

$ openssl s_client -connect jabber.gnome.org:5223
CONNECTED(00000003)

depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
verify error:num=10:certificate has expired
notAfter=Oct  7 02:55:21 2006 GMT
verify return:1
depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
notAfter=Oct  7 02:55:21 2006 GMT
verify return:1
---
Certificate chain
 0 s:/C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
   i:/C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
---
Server certificate
[...]


We have our Bugzilla Certificate signed by StartCom, we could totally have a
signature for a cert for jabber.gnome.org as well.
To set this up, one need access over either {host,post}master@... or at
least have a mail quickly forwarded to the person getting the signature from
StartCom.

--
Configure bugmail: https://bugzilla.gnome.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the QA contact of the bug.
You are watching the assignee of the bug.
_______________________________________________
gnome-infrastructure mailing list
gnome-infrastructure@...
http://mail.gnome.org/mailman/listinfo/gnome-infrastructure

https://bugzilla.gnome.org/show_bug.cgi?id=592836
  sysadmin | Other | unspecified

--- Comment #5 from Jeff Waugh <jdub@...> 2009-10-29 17:56:46 UTC ---
That'd be the best solution -- I don't quite grok your last paragraph, but let
me know what I need to request, and I can set it up.

--
Configure bugmail: https://bugzilla.gnome.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the QA contact of the bug.
You are watching the assignee of the bug.
_______________________________________________
gnome-infrastructure mailing list
gnome-infrastructure@...
http://mail.gnome.org/mailman/listinfo/gnome-infrastructure

https://bugzilla.gnome.org/show_bug.cgi?id=592836
  sysadmin | Other | unspecified

--- Comment #6 from Tobias Mueller <gnome-bugs@...> 2009-10-29 18:07:06 UTC ---
Coola :-)

Simply create a Certificate Signing Request using OpenSSL (assuming you've got
a key already):
    openssl req -new -key jabber.gnome.org.key -out jabber.gnome.org.csr

go to http://www.startssl.com/, sign up, login and validate the gnome.org
domain. An email will be send to either hostmaster, postmaster or
root@... with a token. Enter this token within 15 minutes on the website
to get the domain validated. Paste you CSR into the webform. Download signed
Certificate and deploy on server :-) Reset my mango password and send it to me
;-)

--
Configure bugmail: https://bugzilla.gnome.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the QA contact of the bug.
You are watching the assignee of the bug.
_______________________________________________
gnome-infrastructure mailing list
gnome-infrastructure@...
http://mail.gnome.org/mailman/listinfo/gnome-infrastructure