I am having problems with pidgin both with IRC and with XMPP. pidgin
uses gnutls.
I know about mozilla-root-certs-openssl and have that installed. And I
know that's not for gnutls.
Both servers use letsencrypt and have valid certs, and openssl s_client
is happy with both.
On pidgin startup, I get:
1) a warning about libera.chat:
Accept certificate for irc.libera.chat?
The certificate for irc.libera.chat could not be validated.
The certificate is not trusted because no certificate that can verify it is currently trusted.
and then I can click accept and I get logged in.
2) a complaint for the xmpp server that it had an invalid certificate.
It seems the issue, with pidgin -d, is not having a trust anchor for
ISRG X1.
I was able to take the certificate (just the EE cert) and place it in
.purple/certificates/x509/tls_peers and then I can connect without a
prompt. I had a previous such file, but it was the old cert because
they get renewed every 9 weeks.
Searching, I am unable to find answers to "how do I configure trust
anchors for gnutls". It seems obvious that many people would have that
problem, and would want to configure the mozilla rootcert, as a system
trust store.
p11-kit has 'trust list' which seems to have a lot of trust anchors,
including ISRG X1. This seems to come from
/usr/pkg/share/mozilla-rootcerts/cacert.pem
which is in mozilla-root-certs which is a dependency of p11-kit, and
gnutls depends on p11-kit. That makes sense.
Using
gnutls-cli --port 6697 irc.libera.chat
gnutls-cli --starttls-proto xmpp --port 5222 jabber.example.com
works fine.
I wonder if the problem is that pidgin is invoking gnutls in a way which
tells it to ignore the system trust store, and then doesn't really cope.
Clues appreciated,
Gteg