GNOME Bugzilla – Bug 712574
I cannot connect to work account (ucm.es) handled by google
Last modified: 2015-01-30 10:49:14 UTC
When I try to add my work account (Universidad Complutense de Madrid, Spain, http://www.ucm.es), handled by Google, I get an SSL handshake problem.

I'm running Fedora 20, gnome-online-accounts-3.10.2-1.fc20.x86_64

* I click on add account
* Select Google
* I enter my work mail and password on the Google sign-on page shown inside the gnome window
* Google identifies the account as being handled by domain ucm.es
* And I end up in an error page with

Unable to load page
Problem occurred while loading the URL https://sso.ucm.es/simplesaml/saml2/idp/SSOService.php?SAMLRequest=asdkakdsjkasdjkasdjkasdjfrom_loginaslkjskadjkasd
SSL handshake failed

If I copy and paste the URL in Firefox I arrive at the sign-on page for my institution, https://sso.ucm.es/

I would like to know how to debug the problem to see if this is something that needs to be fixed in goa, or my institution needs to modify the certificates in the sign-on page, or if it is something completely different.
Created attachment 260101
Screenshot of certificate details from Epiphany

If I go to https://sso.ucm.es/ in Epiphany and click the broken lock icon, this is what I see. Looks like the certificate is less than perfect.
Created attachment 260109
Screenshot of the firefox cert manager

The certificate is in Firefox's certificate manager. It is listed as "software certificate device" instead of "default trust", whatever that means.
Created attachment 260112
Screenshot of seahorse

I'm not sure how, but I have imported TERENA SSL CA into seahorse from epiphany. The certs are in "Gnome2 Key Storage", which seems odd. Epiphany is not aware of them, because it still shows "The identity of this website has not been verified".
Another URL with a less than perfect certificate: https://koji.fedoraproject.org/koji/

The certificate is signed by Fedora Project CA. The certificate is here: https://admin.fedoraproject.org/ca/cacert.pem

If I paste that URL in epiphany I see the ASCII representation of the certificate. There's no clear method of importing the certificate so that epiphany trusts it.

So the problem is not with the certificate of my institution. The same would happen with others.
Tried with cacert.org certificates: http://www.cacert.org/?id=3

It seems that epiphany knows how to import certificates in DER format. The imported certificates go to the "Gnome 2 Key Storage". But later epiphany still shows the "The identity of this website has not been verified" icon.

Do I need to trust the cacert certificate somehow? There is no way of doing it in seahorse.
I created a new account on my workstation and tried again. In seahorse, the Gnome 2 Key Storage has disappeared. I try to import the DER and PEM certificates, but the Import button is greyed out. A tooltip on that button says "Cannot import because there are not valid importers". End of game.

So, the question remains. Is there a way so that goa (epiphany, gnome) accepts a given CA certificate as valid and trusts it?
I have opened this new bug, https://bugzilla.gnome.org/show_bug.cgi?id=712719, related to epiphany using the CA certificate. It may be related.
I'm seeing this same problem with gnome-online-accounts-3.13.3-2.fc21.x86_64
The problem seems fixed in current (2014-09-19) Fedora Rawhide.

If I connect to https://sso.ucm.es in Rawhide with epand click in the lock icon I get "identity verified"

If I do the same in Fedora 20, the lock icon has an orange ! sign, "identity not verified"

The online account also works in Fedora Rawhide:

gnome-online-accounts-3.13.92
epiphany-3.13.90

As both epiphany and goc are fixed, I imagine that this is related to a change in the cryptography libraries gnome uses.

I should also check Fedora 21 Alpha.
(In reply to comment #9)
> If I connect to https://sso.ucm.es in Rawhide with epand click in the lock icon
> I get "identity verified"

If I connect to https://sso.ucm.es in Rawhide with epiphany and click in the lock icon I get "identity verified"

Sorry, I mistyped "epiphany"
I have installed the last RC of Fedora 21 Alpha and it doesn't work, i.e.:

Open https://sso.ucm.es in epiphany: orange ! in the certificate lock.
Use gnome-online-accounts: error message, "Unable to load page".

In Fedora Rawhide, everything works: no orange !, and I can log in to my account using gnome-online-accounts.

Fedora 21 Alpha
epiphany-3.13.90-1.fc21
gnome-online-accounts-3.13.91-1.fc21
ca-certificates-2014.2.1-1.0.fc21

Fedora Rawhide
epiphany-3.13.91-1.fc22
gnome-online-accounts-3.13.92-1.fc22
ca-certificates-2014.2.1-2.fc21
I have updated Fedora 21 Alpha and now it works. Versions are:

epiphany-3.13.91-1.fc21
gnome-online-accounts-3.13.92-1.fc21
ca-certificates-2014.2.1-1.0.fc21

I wonder where the bug was, anyway.
As this works in current gnome, I'm closing it. Thank you