Issue 114926 in chromium: Can't add CA certificate ("unknown error")
chro...@googlecode.com
Owner: ----
Labels: Type-Bug Pri-2 Area-Undefined
New issue 114926 by phillip....@gmail.com: Can't add CA certificate
("unknown error")
http://code.google.com/p/chromium/issues/detail?id=114926
Chrome Version : 17.0.963.56 (Official Build 121963)
URLs (if applicable) : -
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 5: ?
Firefox 4.x: OK
IE 7/8/9: OK
What steps will reproduce the problem?
1. Try adding your own CA at Settings → Under the hood → Certificate
Manager → Authorities → Import
What is the expected result?
That the CA is added.
What happens instead?
A dialog stating that an "Unknown error" appeared pops up, the CA is not
added.
I will attach the CA I used to test this. I created it using
$ openssl req -new -x509 -days 3650 -extensions v3_ca \
-keyout cakey.pem -out cacert.pem
with a (ubuntu) vanilla config file.
If you for some reason decide not to fix this please replace the error
message by a more meaningful one.
Attachments:
testca.crt 3.2 KB
chro...@googlecode.com
Cc: ma...@chromium.org
Labels: -Area-Undefined Area-Internals Internals-Network-SSL OS-Linux
Area-UI
Comment #1 on issue 114926 by rsl...@chromium.org: Can't add CA
certificate ("unknown error")
http://code.google.com/p/chromium/issues/detail?id=114926
(No comment was entered for this change.)
chro...@googlecode.com
Comment #2 on issue 114926 by rsl...@chromium.org: Can't add CA
http://code.google.com/p/chromium/issues/detail?id=114926
Are you running a 32-bit or 64-bit version of Ubuntu?
I note your certificate is set to expire in 2039, so I'm curious if this is
an issue with the Year 2038 problem (
http://en.wikipedia.org/wiki/Year_2038_problem )
chro...@googlecode.com
Comment #3 on issue 114926 by phillip....@gmail.com: Can't add CA
http://code.google.com/p/chromium/issues/detail?id=114926
32-bit. I got the same error message when I tried to import a certificate
with a shorter validity time (today until one month from now).
chro...@googlecode.com
Comment #8 on issue 114926 by phillip....@gmail.com: Can't add CA
http://code.google.com/p/chromium/issues/detail?id=114926
I do not even see the list. (Sorry for not reporting that before, I did not
realize there should be one.)
I noticed that the bug is gone when I start Chrome using a different $HOME,
but that it remains when I use a fresh profile. Using strace I've been able
to track the bug down to ~/.pki/nssdb/key4.db
When I delete that file, the bug is gone.
certutil says:
% certutil -d ~/.pki/nssdb -L
certutil: function failed: security library: bad database.
But I am not absolutely confident I am using a compatible version. The
sqlite Databases key4.db and cert9.db seem intact, I can open them using
sqlite3. There is one row in the nssPrivate table. Firefox & Thunderbird
have their own private, profile-wise databases; I believe the directory was
created by Evolution, because the pkcs11.txt reads
<<snip<<<<
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:~/.pki/nssdb' certPrefix='' keyPrefix=''
secmod='secmod.db' flags= updatedir='~/.evolution' updateCertPrefix=''
updateKeyPrefix='' updateid='~/.evolution'
updateTokenDescription='Evolution S/MIME'
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100
slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]
askpw=any timeout=30})
library=~/.pki/nssdb/libnssckbi.so
name=Root Certs
NSS=trustOrder=100
>> snap>>>> (home directory replaced by ~)
btw. the file libnssckbi.so is NOT present.
I am not using Evolution anymore, so for me, the problem is solved - I will
simply rename the old nssdb directory and let Chrome create a new one.
chro...@googlecode.com
Comment #10 on issue 114926 by phillip....@gmail.com: Can't add CA
http://code.google.com/p/chromium/issues/detail?id=114926
Thank you! That did the job. The bug seems to be that Chrome can not handle
encrypted private key storages.
Removing the passphrase using
% certutil -d sql:$HOME/.pki/nssdb -W
makes my original database work with Chrome.
I have been able to reproduce the bug by re-encrypting the database. So
this should work:
STEPS TO REPRODUCE
1. Create a private key pair and import it to the key database
2. Encrypt the database using
% certutil -d sql:$HOME/.pki/nssdb -W
3. Start chrome and try to modify the database
chro...@googlecode.com
Comment #12 on issue 114926 by phillip....@gmail.com: Can't add CA
http://code.google.com/p/chromium/issues/detail?id=114926
I just tested this with 19.0.1081.2 dev and indeed the bug is gone.