Geary doesn't trust certificate but CA is in system trust store
Bug Summary
Thunderbird has no issues connecting to my managed IMAP server, while Geary is showing a dialogue that tells me that the server's certificate cannot be trusted.
Your installation
Fedora 33 Workstation, GNOME 3.38.3
Steps to reproduce
- Create an account w/ IMAP server dd13400.kasserver.com
What happened?
After clicking Create, a dialogue shows that the certificate cannot be trusted.
What did you expect to happen?
Geary should trust the certificate, as the chain resolves to a CA that is trusted by my distribution (Fedora).
Additionally, the dialogue is not very helpful in solving the issue. The certificate cannot be inspected and the resolved server address is not shown.
Even the logs don't mention the server's resolved IP.
Relevant logs and/or screenshots
[deb] 22:03:39.0382 GLib-GIO:GSocketClient: Starting new address enumeration
[deb] 22:03:39.0400 GLib-GIO:IPv6 DNS error: Fehler beim Auflösen von »dd13400.kasserver.com«: Der Name oder der Dienst ist nicht bekannt
[deb] 22:03:39.0400 GLib-GIO:GSocketClient: Address enumeration succeeded
[deb] 22:03:39.0400 GLib-GIO:GSocketClient: Starting TCP connection attempt
[deb] 22:03:39.0590 GLib-GIO:GSocketClient: TCP connection successful
[deb] 22:03:39.0590 GLib-GIO:GSocketClient: Starting application layer connection
[deb] 22:03:39.0590 GLib-GIO:GSocketClient: Starting TLS handshake
[deb] 22:03:39.0590 GLib-Net:CLIENT[0x557a7d2cb2e0]: Starting asynchronous TLS handshake
[deb] 22:03:39.0590 GLib-Net:CLIENT[0x557a7d2cb2e0]: Asynchronous TLS handshake thread starts
[deb] 22:03:39.0591 GLib-Net:CLIENT[0x557a7d2cb2e0]: TLS handshake thread starts
[deb] 22:03:39.0591 GLib-Net:CLIENT[0x557a7d2cb2e0]: claiming operation OP_HANDSHAKE
[deb] 22:03:39.0591 GLib-Net:CLIENT[0x557a7d2cb2e0]: claiming operation OP_HANDSHAKE succeeded
[deb] 22:03:39.0732 GLib-Net:CLIENT[0x557a7d2cb2e0]: verifying peer certificate
[deb] 22:03:39.0754 Gcr:searching for pinned certificate in 6 slots
[deb] 22:03:39.0756 Gck:for = slots, tokens = pkcs11:, objects = (5) [ { CKA_CLASS = CKO_X_TRUST_ASSERTION }, { CKA_X_ASSERTION_TYPE = CKT_X_PINNED_CERTIFICATE }, { CKA_X_CERTIFICATE_VALUE = (1527) "0\x82\x05\xf30\x82\x04\xdb\xa0\x03\x02\x01\x02\x02\x10\x1d\xa5^\xea'\xf0\xc6\xdaLY\x14\x0c\xd2b\xfc\x140\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000\x81\x851\x0b0\t\x06\x03U\x04\x06\x13\x02PL1"0 \x06\x03U\x04\n\x13\x19Unizeto Technologies S.A.1'0%\x06\x03U\x04\x0b\x13\x1eCertum Certificatio..." }, { CKA_X_PURPOSE = (17) "1.3.6.1.5.5.7.3.1" }, { CKA_X_PEER = (21) "dd13400.kasserver.com" } ]
[deb] 22:03:39.0758 Gck:matching all tokens: User Key Storage
[deb] 22:03:39.0758 Gck:opened read-only session
[deb] 22:03:39.0758 Gck:no authentication necessary, skipping
[deb] 22:03:39.0759 Gck:finding objects matching: (5) [ { CKA_CLASS = CKO_X_TRUST_ASSERTION }, { CKA_X_ASSERTION_TYPE = CKT_X_PINNED_CERTIFICATE }, { CKA_X_CERTIFICATE_VALUE = (1527) "0\x82\x05\xf30\x82\x04\xdb\xa0\x03\x02\x01\x02\x02\x10\x1d\xa5^\xea'\xf0\xc6\xdaLY\x14\x0c\xd2b\xfc\x140\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000\x81\x851\x0b0\t\x06\x03U\x04\x06\x13\x02PL1"0 \x06\x03U\x04\n\x13\x19Unizeto Technologies S.A.1'0%\x06\x03U\x04\x0b\x13\x1eCertum Certificatio..." }, { CKA_X_PURPOSE = (17) "1.3.6.1.5.5.7.3.1" }, { CKA_X_PEER = (21) "dd13400.kasserver.com" } ]
[deb] 22:03:39.0759 Gck:finding objects completed with: CKR_OK
[deb] 22:03:39.0759 Gck:wanted 1 objects, have 0, looking for more
[deb] 22:03:39.0760 Gck:matching all tokens: Gnome2 Key Storage
[deb] 22:03:39.0760 Gck:opened read-only session
[deb] 22:03:39.0761 Gck:no authentication necessary, skipping
[deb] 22:03:39.0761 Gck:finding objects matching: (5) [ { CKA_CLASS = CKO_X_TRUST_ASSERTION }, { CKA_X_ASSERTION_TYPE = CKT_X_PINNED_CERTIFICATE }, { CKA_X_CERTIFICATE_VALUE = (1527) "0\x82\x05\xf30\x82\x04\xdb\xa0\x03\x02\x01\x02\x02\x10\x1d\xa5^\xea'\xf0\xc6\xdaLY\x14\x0c\xd2b\xfc\x140\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000\x81\x851\x0b0\t\x06\x03U\x04\x06\x13\x02PL1"0 \x06\x03U\x04\n\x13\x19Unizeto Technologies S.A.1'0%\x06\x03U\x04\x0b\x13\x1eCertum Certificatio..." }, { CKA_X_PURPOSE = (17) "1.3.6.1.5.5.7.3.1" }, { CKA_X_PEER = (21) "dd13400.kasserver.com" } ]
[deb] 22:03:39.0763 Gck:finding objects completed with: CKR_OK
[deb] 22:03:39.0764 Gck:wanted 1 objects, have 0, looking for more
[deb] 22:03:39.0764 Gck:matching all tokens: Secret Store
[deb] 22:03:39.0765 Gck:opened read-only session
[deb] 22:03:39.0765 Gck:no authentication necessary, skipping
[deb] 22:03:39.0765 Gck:finding objects matching: (5) [ { CKA_CLASS = CKO_X_TRUST_ASSERTION }, { CKA_X_ASSERTION_TYPE = CKT_X_PINNED_CERTIFICATE }, { CKA_X_CERTIFICATE_VALUE = (1527) "0\x82\x05\xf30\x82\x04\xdb\xa0\x03\x02\x01\x02\x02\x10\x1d\xa5^\xea'\xf0\xc6\xdaLY\x14\x0c\xd2b\xfc\x140\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000\x81\x851\x0b0\t\x06\x03U\x04\x06\x13\x02PL1"0 \x06\x03U\x04\n\x13\x19Unizeto Technologies S.A.1'0%\x06\x03U\x04\x0b\x13\x1eCertum Certificatio..." }, { CKA_X_PURPOSE = (17) "1.3.6.1.5.5.7.3.1" }, { CKA_X_PEER = (21) "dd13400.kasserver.com" } ]
[deb] 22:03:39.0766 Gck:finding objects completed with: CKR_OK
[deb] 22:03:39.0766 Gck:wanted 1 objects, have 0, looking for more
[deb] 22:03:39.0767 Gck:matching all tokens: SSH Keys
[deb] 22:03:39.0767 Gck:opened read-only session
[deb] 22:03:39.0767 Gck:no authentication necessary, skipping
[deb] 22:03:39.0767 Gck:finding objects matching: (5) [ { CKA_CLASS = CKO_X_TRUST_ASSERTION }, { CKA_X_ASSERTION_TYPE = CKT_X_PINNED_CERTIFICATE }, { CKA_X_CERTIFICATE_VALUE = (1527) "0\x82\x05\xf30\x82\x04\xdb\xa0\x03\x02\x01\x02\x02\x10\x1d\xa5^\xea'\xf0\xc6\xdaLY\x14\x0c\xd2b\xfc\x140\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000\x81\x851\x0b0\t\x06\x03U\x04\x06\x13\x02PL1"0 \x06\x03U\x04\n\x13\x19Unizeto Technologies S.A.1'0%\x06\x03U\x04\x0b\x13\x1eCertum Certificatio..." }, { CKA_X_PURPOSE = (17) "1.3.6.1.5.5.7.3.1" }, { CKA_X_PEER = (21) "dd13400.kasserver.com" } ]
[deb] 22:03:39.0768 Gck:finding objects completed with: CKR_OK
[deb] 22:03:39.0768 Gck:wanted 1 objects, have 0, looking for more
[deb] 22:03:39.0769 Gck:matching all tokens: Default Trust
[deb] 22:03:39.0769 Gck:opened read-only session
[deb] 22:03:39.0770 Gck:no authentication necessary, skipping
[deb] 22:03:39.0770 Gck:finding objects matching: (5) [ { CKA_CLASS = CKO_X_TRUST_ASSERTION }, { CKA_X_ASSERTION_TYPE = CKT_X_PINNED_CERTIFICATE }, { CKA_X_CERTIFICATE_VALUE = (1527) "0\x82\x05\xf30\x82\x04\xdb\xa0\x03\x02\x01\x02\x02\x10\x1d\xa5^\xea'\xf0\xc6\xdaLY\x14\x0c\xd2b\xfc\x140\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000\x81\x851\x0b0\t\x06\x03U\x04\x06\x13\x02PL1"0 \x06\x03U\x04\n\x13\x19Unizeto Technologies S.A.1'0%\x06\x03U\x04\x0b\x13\x1eCertum Certificatio..." }, { CKA_X_PURPOSE = (17) "1.3.6.1.5.5.7.3.1" }, { CKA_X_PEER = (21) "dd13400.kasserver.com" } ]
[deb] 22:03:39.0770 Gck:finding objects completed with: CKR_OK
[deb] 22:03:39.0770 Gck:wanted 1 objects, have 0, looking for more
[deb] 22:03:39.0771 Gck:matching all tokens: System Trust
[deb] 22:03:39.0771 Gck:opened read-only session
[deb] 22:03:39.0772 Gck:no authentication necessary, skipping
[deb] 22:03:39.0772 Gck:finding objects matching: (5) [ { CKA_CLASS = CKO_X_TRUST_ASSERTION }, { CKA_X_ASSERTION_TYPE = CKT_X_PINNED_CERTIFICATE }, { CKA_X_CERTIFICATE_VALUE = (1527) "0\x82\x05\xf30\x82\x04\xdb\xa0\x03\x02\x01\x02\x02\x10\x1d\xa5^\xea'\xf0\xc6\xdaLY\x14\x0c\xd2b\xfc\x140\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000\x81\x851\x0b0\t\x06\x03U\x04\x06\x13\x02PL1"0 \x06\x03U\x04\n\x13\x19Unizeto Technologies S.A.1'0%\x06\x03U\x04\x0b\x13\x1eCertum Certificatio..." }, { CKA_X_PURPOSE = (17) "1.3.6.1.5.5.7.3.1" }, { CKA_X_PEER = (21) "dd13400.kasserver.com" } ]
[deb] 22:03:39.0772 Gck:finding objects completed with: CKR_OK
[deb] 22:03:39.0772 Gck:wanted 1 objects, have 0, looking for more
[deb] 22:03:39.0772 Gck:no more slots, want next module
[deb] 22:03:39.0773 Gck:no more modules, stopping enumerator
[deb] 22:03:39.0773 Gcr:did not find certificate anchor
[deb] 22:03:39.0773 GLib-Net:CLIENT[0x557a7d2cb2e0]: TLS handshake thread failed: Nicht akzeptables TLS-Zertifikat
[deb] 22:03:39.0773 GLib-Net:CLIENT[0x557a7d2cb2e0]: yielding operation OP_HANDSHAKE
[deb] 22:03:39.0811 GLib-Net:CLIENT[0x557a7d2cb2e0]: Asynchronous TLS handshake thread completed
[deb] 22:03:39.0811 GLib-Net:CLIENT[0x557a7d2cb2e0]: finishing TLS handshake
[deb] 22:03:39.0811 GLib-Net:CLIENT[0x557a7d2cb2e0]: TLS handshake has finished with error: Nicht akzeptables TLS-Zertifikat
[deb] 22:03:39.0811 GLib-GIO:GSocketClient: TLS handshake failed: Nicht akzeptables TLS-Zertifikat
Edited by Andy Pillip
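A triage helper for debug logs in the format shown in this report, as an added example (not part of the original report and not code from Geary, GLib or Gcr): it extracts the peer name, the trust assertion being looked up, the PKCS#11 tokens searched, whether any address was logged, and the final handshake error. The sample log is constructed and abbreviated (placeholder host name, certificate bytes left out), and the address check covers IPv4 only.

```python
import re

# Constructed sample in the report's log format (placeholder host, cert bytes omitted).
SAMPLE_LOG = """\
[deb] 22:03:39.0400 GLib-GIO:GSocketClient: Address enumeration succeeded
[deb] 22:03:39.0732 GLib-Net:CLIENT[0x1]: verifying peer certificate
[deb] 22:03:39.0754 Gcr:searching for pinned certificate in 2 slots
[deb] 22:03:39.0758 Gck:matching all tokens: Default Trust
[deb] 22:03:39.0759 Gck:finding objects matching: (5) [ { CKA_CLASS = CKO_X_TRUST_ASSERTION }, { CKA_X_ASSERTION_TYPE = CKT_X_PINNED_CERTIFICATE }, { CKA_X_PURPOSE = (17) "1.3.6.1.5.5.7.3.1" }, { CKA_X_PEER = (16) "imap.example.org" } ]
[deb] 22:03:39.0759 Gck:wanted 1 objects, have 0, looking for more
[deb] 22:03:39.0771 Gck:matching all tokens: System Trust
[deb] 22:03:39.0772 Gck:wanted 1 objects, have 0, looking for more
[deb] 22:03:39.0773 Gcr:did not find certificate anchor
[deb] 22:03:39.0811 GLib-GIO:GSocketClient: TLS handshake failed: Nicht akzeptables TLS-Zertifikat
"""

LINE = re.compile(r"^\[\w+\] [\d:.]+ ([\w-]+):(.*)$")   # [level] time domain:message
PEER = re.compile(r'CKA_X_PEER = \(\d+\) "([^"]+)"')
PURPOSE = re.compile(r'CKA_X_PURPOSE = \(\d+\) "([^"]+)"')
ATYPE = re.compile(r"CKA_X_ASSERTION_TYPE = (\w+)")
TOKEN = re.compile(r"matching all tokens: (.+)$")
HAVE = re.compile(r"wanted \d+ objects, have (\d+)")
FAIL = re.compile(r"TLS handshake failed: (.+)$")
# IPv4 only; the lookarounds keep OIDs such as 1.3.6.1.5.5.7.3.1 from matching.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def summarize(log_text):
    """Reduce a GLib-Net/Gcr/Gck debug log to the facts needed for triage."""
    s = {"peer": None, "purpose": None, "assertion": None, "tokens": [],
         "pinned_found": False, "addresses": [], "handshake_error": None}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        msg = m.group(2)
        for key, rx in (("peer", PEER), ("purpose", PURPOSE),
                        ("assertion", ATYPE), ("handshake_error", FAIL)):
            hit = rx.search(msg)
            if hit:
                s[key] = hit.group(1)   # purpose 1.3.6.1.5.5.7.3.1 = TLS server auth
        tok = TOKEN.search(msg)
        if tok and tok.group(1) not in s["tokens"]:
            s["tokens"].append(tok.group(1))
        have = HAVE.search(msg)
        if have and int(have.group(1)) > 0:
            s["pinned_found"] = True
        s["addresses"].extend(IPV4.findall(msg))
    return s


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

An empty `addresses` list confirms the point made in the report: the log never records which address the client actually connected to.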