GNOME Bugzilla – Bug 273233
s/mime failures cryptic
Last modified: 2009-02-25 12:09:02 UTC
Description of Problem:
Email-address cacert.org certificates don't work for sending S/MIME signed email.
Steps to reproduce the problem:
1. Create a new X.509 email cert at http://www.cacert.org/ and save it to disk.
2. Import the certificate (Edit -> Preferences, Certificates, Import).
3. Assign it to an email account (Edit -> Preferences, Mail Accounts, <select account>, Edit, Security, S/MIME Signing).
4. Compose a new email message from that account.
5. Specify signing it (Security -> S/MIME Sign). Uncheck any other security stuff.
6. Enter any values (that won't otherwise cause errors) for To: and the message body.
7. Click "Send".
Actual Results:
A message box comes up saying: Could not create message. Because "Cannot add SMIMEEncKeyPrefs attribute", you may need to select different mail options.
Expected Results:
Send an S/MIME signed message.
How often does this happen?
Every time.
Additional Information:
I imported my cert before importing cacert.org's root cert. When I got around to importing the root cert, Evolution said it already knew the root cert. I'm not sure if it matters for this bug.
Do you have the key also set as your "encryption certificate" in the security settings page? The above can only happen if you have this option set. Try unsetting this option. Perhaps the cert isn't set up for encryption?
This seems to happen if you don't trust the signing CA, and thus don't trust the encryption certificate. That in mind, it's probably not a bug, per se, but incomplete error reporting. Go into the Certificate settings, and over to Authorities. Edit the trust settings for CACert to say you trust them for signing email keys.
Changing sense of bug. Above is actually "user error", but the error message is meaningless (this may be a duplicate now).
*** Bug 323539 has been marked as a duplicate of this bug. ***
*** Bug 325029 has been marked as a duplicate of this bug. ***
https://launchpad.net/distros/ubuntu/+source/evolution/+bug/41602 discusses the bug as well, part of the comment:
"This error message does not explain anything! I found out that the error occurs when
a) the certificate is not capable of signing
b) the certificate's CA certificate is not installed
Evolution should find out what's wrong and print an appropriate error-message. This problem was observed with evolution 2.6.1"
(bumping version)
https://answers.launchpad.net/ubuntu/+source/evolution/+question/14871 seems to provide a solution.
I also got this error for a few days and had no idea what was wrong with my setup. Turns out my thawte freemail cert had expired a few days ago, and I just had to re-issue it on thawte’s website. A more informational message would be more obvious: "S/Mime cert for xyz has expired on xxxx/yy/zz."
*** Bug 335984 has been marked as a duplicate of this bug. ***
Created attachment 129422
proposed eds patch
for evolution-data-server; No new translatable string had been added here. Note: I'm looking forward to seeing NSS exposing SECU_Strerror function to others. Even those strings are not translated, why should everyone have them in each module?
Matt: review?
camel_exception_setv (ex, CAMEL_EXCEPTION_SYSTEM, "%s (%d) - %s", err_str, (int) err_code, def_error);
Are you sure this is the format you want? Wouldn't it make more sense to put the shorter error message first? (def_error, err_code, err_str)
As we chatted on IRC, yes, it is what I wanted. Our error is mostly useless, just something like "function call failed", but it's probably better than nothing, in case there is no special error from the NSS library.
Committed to trunk. Committed revision 10098.