Geary stops trusting certificate on connection change
Bug Summary
Geary stops trusting various certificates when a VPN connection is started. An error dialog pops up.
Cancelling the dialog (I don't want to hardcode trust or distrust) offers an error bar with "check". Checking clears the error, and it appears to work.
Your installation
Geary version: 40.0
Geary revision:
GTK version: 3.24.30
GLib version: 2.68.4
WebKitGTK version: 2.32.3
Desktop environment: GNOME
Distribution name: Fedora
Distribution release: 34 (Workstation Edition)
Installation prefix: /usr
It's usually on the Gmail accounts (one private, one business) for imap.gmail.com:993. I'm trying to remember if it has happened on the other accounts due to VPN change.
Steps to reproduce
- Get network connected
- Start Geary
- Connect to GOA account
- Start VPN
- Error pops up
It's more often than 1-in-10, but it doesn't happen every time.
What happened?
Error dialog about a certificate. Note that this certificate is valid, and that the same DNS and routes are in use for the mailserver. The VPN is only grabbing private network routes. Non-VPN DNS is in use (resolvectl query ...).
Re-check or re-start Geary clears the error.
What did you expect to happen?
No error dialog.
Alternatively an error dialog with re-check.
Relevant logs and/or screenshots
To the best of my ability I've confirmed that the VPN grabs neither routes nor DNS for *.gmail.com or *.google.com. Systemd-resolved is set up with a split DNS for VPN and non-VPN, and the default route doesn't go over the VPN.
VPN is configured in NetworkManager. I assume Geary notices a new network connection.
VPN setup does take a few seconds (not minutes, but there is a temporary hiccup).
openssl is happy with the TLS certificate before and after VPN connection.
Epiphany and Firefox remain happy.
There's been a recurring but not confirmed identical problem with a non-Gmail account.