Equifax_Secure_Global_eBusiness_CA.pem unexpectedly disabled

Bug #522067 reported by Matt Zimmerman
40
This bug affects 6 people
Affects Status Importance Assigned to Milestone
Release Notes for Ubuntu
Won't Fix
Undecided
Unassigned
ca-certificates (Debian)
Fix Released
Unknown
ca-certificates (Ubuntu)
Won't Fix
Medium
Matthias Klose

Bug Description

Binary package hint: gwibber

Since the upgrade to 2.0, Gwibber is no longer displaying my Twitter updates. It still displays everything from identi.ca fine.

ProblemType: Bug
Architecture: amd64
Date: Mon Feb 15 10:20:51 2010
DistroRelease: Ubuntu 10.04
Package: gwibber 2.29.1-0ubuntu1
PackageArchitecture: all
ProcEnviron:
 LC_COLLATE=C
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/zsh
ProcVersionSignature: Ubuntu 2.6.32-13.18-generic
SourcePackage: gwibber
Uname: Linux 2.6.32-13-generic x86_64

Revision history for this message
Matt Zimmerman (mdz) wrote :
Revision history for this message
Matt Zimmerman (mdz) wrote :

Here is what it prints:

perseus:[~] gwibber
No dbus monitor yet
Updating...
Updating...
ERROR:dbus.proxies:Introspect error on com.Gwibber.Accounts:/com/gwibber/Accounts: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name com.Gwibber.Accounts was not provided by any .service files
2010-02-15 10:39:31,090 - Introspect error on com.Gwibber.Accounts:/com/gwibber/Accounts: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name com.Gwibber.Accounts was not provided by any .service files
DEBUG:dbus.proxies:Executing introspect queue due to error
ERROR:dbus.proxies:Introspect error on com.Gwibber.Streams:/com/gwibber/Streams: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name com.Gwibber.Streams was not provided by any .service files
2010-02-15 10:39:31,091 - Introspect error on com.Gwibber.Streams:/com/gwibber/Streams: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name com.Gwibber.Streams was not provided by any .service files
DEBUG:dbus.proxies:Executing introspect queue due to error

Revision history for this message
Victor Vargas (kamus) wrote :

@Matt, please could you upgrade your gwibber version to latest included in Lucid (2.29.90) and check if this issue is still affecting you? Thanks in advance

Changed in gwibber (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Revision history for this message
Matt Zimmerman (mdz) wrote : Re: [Bug 522067] Re: No longer displays updates from Twitter

On Thu, Feb 18, 2010 at 05:31:16PM -0000, Kamus wrote:
> @Matt, please could you upgrade your gwibber version to latest included
> in Lucid (2.29.90) and check if this issue is still affecting you?
> Thanks in advance

I have, and now Gwibber doesn't start up at all (bug 523964).

--
 - mdz

Revision history for this message
Matt Zimmerman (mdz) wrote : Re: No longer displays updates from Twitter

I've upgraded my other system, and it shows the same symptoms as my original report. Only identi.ca updates are displayed. If I click the twitter messages tab, it displays an empty window.

Matt Zimmerman (mdz)
Changed in gwibber (Ubuntu):
status: Incomplete → Confirmed
importance: Low → Undecided
Revision history for this message
Matt Zimmerman (mdz) wrote :

As a test, i blew away my desktop-couch data and restarted Gwibber. It did this:

No dbus monitor yet
Updating...
Updating...
Migrated identica - mdz
Migrated twitter - mdzimm
Updating...
2010-02-21 21:52:38,423 - Introspect error on com.Gwibber.Accounts:/com/gwibber/Accounts: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name com.Gwibber.Accounts was not provided by any .service files
2010-02-21 21:52:38,423 - Introspect error on com.Gwibber.Streams:/com/gwibber/Streams: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name com.Gwibber.Streams was not provided by any .service files

and returned to the same state (identi.ca works, Twitter doesn't).

Revision history for this message
Matt Zimmerman (mdz) wrote :

I also tried deleting my Twitter account from Gwibber, and then re-adding it. Nothing seems to help.

Revision history for this message
Matt Zimmerman (mdz) wrote :

The account record looks like this:

{
   "_id": "<deleted>",
   "_rev": "<deleted>",
   "username": "mdzimm",
   "protocol": "twitter",
   "color": "#729FCF",
   "receive_enabled": true,
   "record_type": "http://gwibber.com/couch/account",
   "send_enabled": false,
   "password": "<deleted>"
}

Seems OK to me. There is also a similar one which has an "Ubuntu One" annotation, though for my identica account there is none like this.

Revision history for this message
Matt Zimmerman (mdz) wrote :

I also tried adding a Facebook account, and that worked fine. It seems to be only Twitter which has this problem.

Revision history for this message
Matt Zimmerman (mdz) wrote :

perseus:[~] gwibber-service --debug
Updating...
2010-02-21 22:25:46,419 - <twitter:receive> Operation failed
2010-02-21 22:25:47,616 - <twitter:responses> Operation failed
2010-02-21 22:25:48,839 - <twitter:private> Operation failed

stracing gwibber-service shows it connecting to twitter.com:443 and exchanging data, so it's getting somewhere...

Revision history for this message
Matt Zimmerman (mdz) wrote :
Download full text (3.4 KiB)

Aha:

perseus:[~] gwibber-service --debug -o
Updating...
[...]
Gwibber Dispatcher: ERROR <twitter:receive> Operation failed
2010-02-21 22:27:50,998 - <twitter:receive> Operation failed
Gwibber Dispatcher: DEBUG Traceback:
Traceback (most recent call last):
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/dispatcher.py", line 54, in perform_operation
    message_data = PROTOCOLS[account["protocol"]].Client(account)(opname, **args)
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/twitter.py", line 139, in __call__
    return getattr(self, opname)(**args)
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/twitter.py", line 142, in receive
    return self._get("statuses/home_timeline.json", count=count, since_id=since)
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/twitter.py", line 127, in _get
    self.account["username"], self.account["password"]).get_json()
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/network.py", line 28, in __init__
    self.curl.perform()
error: (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')

Gwibber Dispatcher: DEBUG <twitter:responses> Performing operation
Gwibber Dispatcher: ERROR <twitter:responses> Operation failed
2010-02-21 22:27:52,202 - <twitter:responses> Operation failed
Gwibber Dispatcher: DEBUG Traceback:
Traceback (most recent call last):
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/dispatcher.py", line 54, in perform_operation
    message_data = PROTOCOLS[account["protocol"]].Client(account)(opname, **args)
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/twitter.py", line 139, in __call__
    return getattr(self, opname)(**args)
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/twitter.py", line 148, in responses
    return self._get("statuses/mentions.json", count=count, since_id=since)
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/twitter.py", line 127, in _get
    self.account["username"], self.account["password"]).get_json()
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/network.py", line 28, in __init__
    self.curl.perform()
error: (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')

Gwibber Dispatcher: DEBUG <twitter:private> Performing operation
Gwibber Dispatcher: ERROR <twitter:private> Operation failed
2010-02-21 22:27:53,341 - <twitter:private> Operation failed
Gwibber Dispatcher: DEBUG Traceback:
Traceback (most recent call last):
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/dispatcher.py", line 54, in perform_operation
    message_data = PROTOCOLS[account["protocol"]].Client(account)(opname, **args)
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/twitter.py", line 139, in __call__
    return getattr(self, opname)(**args)
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/twitter.py", line 151, in private
    return self._get("direct_messages.json", "private", count=count, since_id=since)
  File "/usr/lib/python2.6/dist-packages/gwibber/microblog/twitter.py", line 127, in _get
    self.account["username"], self.account...

Read more...

Revision history for this message
Matt Zimmerman (mdz) wrote :

Twitter's SSL certificate seems to be signed by:

CN = Equifax Secure Global eBusiness CA-1
O = Equifax Secure Inc.
C = US

which was missing from my ca-certificates configuration (unchecked in debconf). I'm pretty sure I never touched this, and the changelog says it was disabled temporarily by the maintainer, so I suspect a bug.

affects: gwibber (Ubuntu) → ca-certificates (Ubuntu)
Changed in ca-certificates (Ubuntu):
status: Confirmed → New
summary: - No longer displays updates from Twitter
+ Equifax_Secure_Global_eBusiness_CA.pem unexpectedly disabled
Revision history for this message
Ryan Paul (segphault) wrote :

This problem is caused by a defect with certificates in Ubuntu. Jorge Castro has published a solution here: https://answers.edge.launchpad.net/gwibber/+question/101673

Revision history for this message
Matt Zimmerman (mdz) wrote :

You can check if you experienced a similar bug by running:

sudo dpkg-reconfigure ca-certificates

and scrolling through the list to see if "mozilla/Equifax_Secure_Global_eBusiness_CA.pem" is unchecked.

Revision history for this message
Jorge Castro (jorge) wrote :

This seems to be hitting a lot more core-devs than I expected, proposing for release notes.

Revision history for this message
Steve Langasek (vorlon) wrote :

If this is a bug in ca-certificates, the preferred first course of action here is to fix that bug; we should only document it in the release notes if for some reason we have to ship with this bug still present.

Changed in ca-certificates (Ubuntu):
assignee: nobody → Matthias Klose (doko)
Changed in ca-certificates (Ubuntu):
status: New → Confirmed
Revision history for this message
Brian Murray (brian-murray) wrote :

Neither my desktop, upgrade since Edgy, nor my laptop, installed using Lucid, have the certificate disabled.

Revision history for this message
Robbie Williamson (robbiew) wrote :

I have 3 machines, of which 2 I upgraded from Karmic *very* early in the Lucid cycle, and one re-installed with Lucid Alpha1. Both upgraded machines have this problem. Both are also running 64bit, while the re-install is 32bit, but I doubt this makes a difference.

Revision history for this message
Kees Cook (kees) wrote :

This is only a problem if a system ever installed version 20090624 of ca-certificates.

Revision history for this message
Matthias Klose (doko) wrote :

not sure, how and if we want to fix this:

The certificate is disabled both in the config file /etc/ca-certificates.conf and not present in /etc/ssl/certs. Afaics, there's no way to tell if this was disabled by the sysadmin or by the 20090624 version.

Can be "fixed" by enabling it in the postinst:

# do nothing when upgrading from intrepid or earlier
if ! dpkg --compare-versions "$2" lt 20080808'; then
  # upgrading from karmic
  if dpkg --compare-versions "$2" lt 20090625'; then
    sed -i 's,^!\(mozilla/Equifax_Secure_Global_eBusiness_CA\.crt\)$,\1,' /etc/ca-certificates.conf
    update-ca-certificates
  fi
fi

but then, somebody might have disabled it by intent.

Given that this version was only present in the archive for a week early in the karmic release cycle, and not part of any release, the chance that end users are affected is very low.

Revision history for this message
Steve Langasek (vorlon) wrote :

The affected version of ca-certificates was in the archive from 2009-06-26 to 2009-07-07 - so for < 2 weeks between alpha1 and alpha2. I don't think this belongs in the release notes, as it will contribute to errata fatigue among general users.

Changed in ubuntu-release-notes:
status: New → Won't Fix
Revision history for this message
Steve Langasek (vorlon) wrote :

Matthias, your proposed fix is unlikely to help those users affected by this, who are likely to have the final karmic version installed by now (20090814) which doesn't fall in your comparison range...

Revision history for this message
Matthias Klose (doko) wrote : Re: [Bug 522067] Re: Equifax_Secure_Global_eBusiness_CA.pem unexpectedly disabled

On 18.03.2010 15:38, Steve Langasek wrote:
> Matthias, your proposed fix is unlikely to help those users affected by
> this, who are likely to have the final karmic version installed by now
> (20090814) which doesn't fall in your comparison range...

then lets extend the upper bound the version including this fix (if we decide to
fix it).

Changed in ca-certificates (Debian):
status: Unknown → New
Victor Vargas (kamus)
Changed in ca-certificates (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
Vipul (vipul-bhandari)
Changed in ca-certificates (Ubuntu):
status: Triaged → Confirmed
Matt Zimmerman (mdz)
Changed in ca-certificates (Ubuntu):
status: Confirmed → Triaged
Revision history for this message
Bina Meusl (s-cretella-gmail) wrote :

It seems I have this problem on OpenSuse-Education - I am using Gibbler for the first time here - facebook looks fine, twitter does not though data seems to be accepted at the creation of the connection to twitter.

Revision history for this message
Matthias Klose (doko) wrote :

marking it as won't fix for now, as suggested in comment #20

Changed in ca-certificates (Ubuntu):
status: Triaged → Won't Fix
Changed in ca-certificates (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.