Bug#758698: security-tracker: Valid, trusted Certificates Fail Validation
A number of jabber client programs, such as gajim, mcabber, pidgin and psi, report a GoDaddy-signed certificate as 'Certificate cannot be trusted' or 'Certificate cannot be verified'. This used to work fine; I had no issues previously and I do not really know when it started. Some weeks ago gajim started to complain.
In gajim, when I click 'View Cert' I get the following information:
Common Name (CN): jabber.redwood.com
Organization (O): None
Organizationl Unit (OU): Domain Control Validated
Serial Number: 12151355787224957
Common Name (CN): Go Daddy Secure Certificate Authority - G2
Organization (O): GoDaddy.com, Inc.
Organizationl Unit (OU): http://certs.godaddy.com/repository/
Issued on: 20140715065303Z
Expires on: 20150715065303Z
SHA1 Fingerprint: D4:79:32:73:36:15:97:F0:06:7F:22:55:25:C0:16:37:88:E8:68:2B
Now, I do not understand why these programs cannot verify this certificate, other than that the GoDaddy certificates in /usr/share/ca-certificates/mozilla/ for GoDaddy have a different Common Name:
Go Daddy Root Certificate Authority - G2
Go Daddy Secure Certificate Authority - G2
I am not sure what the problem is here; my browser (Firefox 31.0) accepts this certificate authority.
Since it is not limited to gajim, I think it is an issue in Debian.
HP, happy Debian user since 2002
-- System Information:
Debian Release: 7.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash