EionRobb / purple-hangouts


SSL Cert warning #107

Open EionRobb opened 7 years ago

EionRobb commented 7 years ago

Original report by dennis (Bitbucket: zsxzs).


Get these pops on occasion

http://i.imgur.com/2ibJeOY.png

EionRobb commented 7 years ago

Original comment by dennis (Bitbucket: zsxzs).


http://i.imgur.com/z5dieFb.png

EionRobb commented 7 years ago

Original comment by Eion Robb (Bitbucket: EionRobb, GitHub: EionRobb).


I think this is because the intermediate Google certificate isn't part of Pidgin, and that the server isn't providing it as an intermediate. I'm still playing around, but I think that saving the Google Internet Authority G2 intermediate certificate into the ca-certs folder should do the trick, but I'll try it first and see.

EionRobb commented 7 years ago

Original comment by tfphumorblog (Bitbucket: tfphumorblog).


I'm experiencing this exact issue currently. Anything I can do to help test, please let me know. Thanks!

EionRobb commented 7 years ago

Original comment by Daniel Lenski (Bitbucket: Daniel Lenski).


I only get this issue when I'm connecting to a wifi hotspot with a captive portal.

(Since that captive portal is trying to hijack my connection to the Google servers, in this particular case I think it's actually a feature-not-a-bug that Pidgin shows the warning.)

EionRobb commented 7 years ago

Original comment by dennis (Bitbucket: zsxzs).


I get it on my home connection.

EionRobb commented 7 years ago

Original comment by tfphumorblog (Bitbucket: tfphumorblog).


I added the cert into the folder (just to try). So far so good! Hasn't come back yet, but it's only been 10 min. :) I'll let you know.

Also, this is happening on my home connection - no hotspot.

EionRobb commented 7 years ago

Original comment by Eion Robb (Bitbucket: EionRobb, GitHub: EionRobb).


I've been having more luck since adding the Google intermediate cert into my ca-certs folder, almost a week now without being harassed about the certificate. I'll look at adding it into the Windows installer, but you can download it from https://pki.google.com/

EionRobb commented 7 years ago

Original comment by Anonymous.


Hi. I started having the same issue today. It has already happened multiple times in a few hours. I'm running purple-hangout with pidgin on debian. In which directory precisely should I put the certificate in order to stop it from happening? Thanks!

EionRobb commented 7 years ago

Original comment by Anthony Parrott (Bitbucket: anthony_parrott).


In pidgin you can use the GUI to add it. Tools -> Certificates, then click Add and point it to the cert you downloaded.

EionRobb commented 7 years ago

Original comment by Anonymous.


Thanks @anthony_parrott! I added it like you said and it stopped happening. I've used it for the whole day and I haven't had any other warning messages. If something changes I'll let you know.

EionRobb commented 7 years ago

Original comment by Chris (Bitbucket: cbenard, GitHub: cbenard).


Edit: Still not working. See below.

The @anthony_parrott method didn't work for me, using Pidgin Portable on Windows. What I did was download the Google Internet Authority G2 certificate from Google which gave me GIAG2.crt. I used Bash for Windows 10 with the following command to turn it into a PEM for Pidgin:

openssl x509 -inform DER -in GIAG2.crt -out Google_Internet_Authority_G2.pem -outform PEM

I copied that into \PidginPortable\App\Pidgin\ca-certs and it seems to have resolved the warnings at least for now. I'll report back if that stops working.

Edit: Still getting the certificate errors. No idea what to do now.

pidgin-portable_2017-01-24_09-32-43.png

pidgin-portable_2017-01-24_09-32-49.png

EionRobb commented 7 years ago

Original comment by Chris (Bitbucket: cbenard, GitHub: cbenard).


Bump? It still happens after what I tried, but less frequently.

EionRobb commented 7 years ago

Original comment by dennis (Bitbucket: zsxzs).


Did you install the proper cert? https://bitbucket.org/EionRobb/purple-hangouts/src/7c0a620ffe730a645066575d41a5a8be8ef7880e/Google%20Internet%20Authority%20G2.pem?fileviewer=file-view-default

Haven't seen a popup in months since adding it.

EionRobb commented 7 years ago

Original comment by Chris (Bitbucket: cbenard, GitHub: cbenard).


Just diffed. The one I created is identical. It is happening a lot less: like once a day now, instead of multiple times every 5 minutes. I wonder if they are serving a different intermediate sometimes.

EionRobb commented 7 years ago

Original comment by dennis (Bitbucket: zsxzs).


That cert should treat all of Google's signed certificates as valid.

Possible causes I can think of: 1) user error, installed in the wrong location; 2) Pidgin + your OS requires the cert to be placed somewhere else.

EionRobb commented 7 years ago

Original comment by Eion Robb (Bitbucket: EionRobb, GitHub: EionRobb).


You'll need to restart Pidgin after adding to the ca-certs folder on Windows; it's not enough to just open the Certificates window etc. The whole app needs to be stopped and started.

EionRobb commented 7 years ago

Original comment by Daniel Lenski (Bitbucket: Daniel Lenski).


Okay, here's a public service announcement for Ubuntu users on how to fix this:

# download the certificate file
$ wget 'https://bitbucket.org/EionRobb/purple-hangouts/raw/7c0a620ffe730a645066575d41a5a8be8ef7880e/Google%20Internet%20Authority%20G2.pem'

# move it to /usr/local/share/ca-certificates and give it a .crt extension
$ sudo mv Google\ Internet\ Authority\ G2.pem /usr/local/share/ca-certificates/Google_Internet_Authority_G2.crt

# tell the system to use it as a trusted CA certificate
# IMPORTANT! update-ca-certificates only looks for files with .crt extension
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Adding debian:Google_Internet_Authority_G2.pem
done.

$

Finally, shut down and restart Pidgin. See man update-ca-certificates if you want more information on what it's doing.

Maybe this will reduce the traffic on this thread… :-P

EionRobb commented 7 years ago

Original comment by Chris (Bitbucket: cbenard, GitHub: cbenard).


It's probably due to a lack of restarting Pidgin. That pretty much only happens when I reboot, so that I don't lose my tabs. It's odd that it massively improved the situation without a restart, but hasn't totally solved it @EionRobb. Either way, sounds like it will go away the rest of the way when I restart Pidgin. I won't update this again unless it comes back after a Pidgin restart.

EionRobb commented 7 years ago

Original comment by Eion Robb (Bitbucket: EionRobb, GitHub: EionRobb).


Issue #120 was marked as a duplicate of this issue.

EionRobb commented 7 years ago

Original comment by G (Bitbucket: searedapollo).


Issue 120 is not a duplicate. The methods outlined here have no impact on, and do not resolve, the issue being experienced. In issue #120 the application is in an infinite loop where it continuously retries to verify the certificate after successfully verifying it.

EionRobb commented 6 years ago

Original comment by Alex (Bitbucket: alexolog, GitHub: alexolog).


What needs to be done to resolve it on Windows?

EionRobb commented 6 years ago

Original comment by Eion Robb (Bitbucket: EionRobb, GitHub: EionRobb).


@alexolog Read through the comments on this issue which explain what needs to be done

EionRobb commented 6 years ago

Original comment by Alex (Bitbucket: alexolog, GitHub: alexolog).


I copied the .pem file but since Daniel's comment contained additional steps, I assumed that Windows systems needed something equivalent.

EionRobb commented 6 years ago

Original comment by Alex (Bitbucket: alexolog, GitHub: alexolog).


Still getting the pop-ups. Apparently copying the .pem file was not sufficient. Please advise.

EionRobb commented 6 years ago

Original comment by Ryan Kistner (Bitbucket: AzuiSleet, GitHub: AzuiSleet).


Recently I was getting this warning for 0.client-channel.google.com which uses the GIA G3 certificate. Attached is a screenshot and the certificate you need to place in the ca-certs folder.

hangouts_google_g3.jpg

https://www.dropbox.com/s/kmj1m1y1y6yvgut/Google%20Internet%20Authority%20G3.pem?dl=0

EionRobb commented 6 years ago

Original comment by Eion Robb (Bitbucket: EionRobb, GitHub: EionRobb).


Issue #168 was marked as a duplicate of this issue.

EionRobb commented 6 years ago

Original comment by Eion Robb (Bitbucket: EionRobb, GitHub: EionRobb).


Ugh, this is a pain in the butt.

I'll try to work out if there's any way of caching the intermediate cert so that workarounds aren't needed.

EionRobb commented 6 years ago

Original comment by Alex (Bitbucket: alexolog, GitHub: alexolog).


Now I'm getting:

Unable to validate certificate

The certificate for clients6.google.com could not be validated. The certificate chain presented is invalid.

And no option to accept it

EionRobb commented 6 years ago

Original comment by palmettos (Bitbucket: palmettos, GitHub: palmettos).


I'm getting the same error as Alex. When I open the certificate and click View Issuer Certificate, the certificate is expired.

The clients6.google.com certificate:

Screenshot 2018-01-09 19.47.20.png

And its parent:

Screenshot 2018-01-09 19.47.41.png

EionRobb commented 6 years ago

Original comment by Alex (Bitbucket: alexolog, GitHub: alexolog).


Maybe this can help: https://pki.goog/roots.pem

EionRobb commented 6 years ago

Original comment by Alex (Bitbucket: alexolog, GitHub: alexolog).


I am getting multiple expired certificate errors for clients6.google.com, it is very annoying as there's a popup every minute or less.

The log (filtered by errors) says:


(20:23:07) nss: partial certificate chain
(20:23:13) certificate/x509/tls_cached: Peer cert did NOT match cached
(20:23:13) nss: CERT 0. CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US :
(20:23:13) nss:   ERROR -8162: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
(20:23:13) nss: CERT 1. CN=Google Internet Authority G2,O=Google Inc,C=US [Certificate Authority]:
(20:23:13) nss:   ERROR -8162: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
(20:23:13) certificate: Failed to verify certificate for clients6.google.com
(20:23:13) socket: invalid state: 3 (should be: 2)
(20:23:13) hangouts: Error from server: (Unable to connect to clients6.google.com: SSL peer presented an invalid certificate) 
(20:23:29) nss: partial certificate chain
(20:23:51) nss: partial certificate chain
(20:24:56) nss: partial certificate chain
(20:25:13) certificate/x509/tls_cached: Peer cert did NOT match cached
(20:25:13) nss: CERT 0. CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US :
(20:25:13) nss:   ERROR -8162: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
(20:25:13) nss: CERT 1. CN=Google Internet Authority G2,O=Google Inc,C=US [Certificate Authority]:
(20:25:13) nss:   ERROR -8162: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
(20:25:13) certificate: Failed to verify certificate for clients6.google.com
(20:25:13) socket: invalid state: 3 (should be: 2)
(20:25:13) hangouts: Error from server: (Unable to connect to clients6.google.com: SSL peer presented an invalid certificate) 
(20:25:39) nss: partial certificate chain
(20:26:01) nss: partial certificate chain
(20:26:23) nss: partial certificate chain
(20:26:45) nss: partial certificate chain
(20:27:13) certificate/x509/tls_cached: Peer cert did NOT match cached
(20:27:13) nss: CERT 0. CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US :
(20:27:13) nss:   ERROR -8162: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
(20:27:13) nss: CERT 1. CN=Google Internet Authority G2,O=Google Inc,C=US [Certificate Authority]:
(20:27:13) nss:   ERROR -8162: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
(20:27:13) certificate: Failed to verify certificate for clients6.google.com
(20:27:13) socket: invalid state: 3 (should be: 2)
(20:27:13) hangouts: Error from server: (Unable to connect to clients6.google.com: SSL peer presented an invalid certificate) 
(20:27:53) nss: partial certificate chain
(20:28:15) nss: partial certificate chain
(20:28:37) nss: partial certificate chain

Ad nauseam.
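A small triage script for a libpurple debug log of the kind shown above, added here as an example; it is not part of the thread or of purple-hangouts. The sample lines are copied and abridged from the log in this comment; the functions are constructed for the example. The point is to separate the two distinct symptoms the log mixes together: `partial certificate chain` means NSS was not given the intermediate at all, while `SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE` means the intermediate it did find (the locally installed one) has expired and needs replacing.

```shell
#!/bin/sh
# Added example: triage a libpurple/NSS debug log for certificate failures.
# LOG_SAMPLE is abridged from the log posted in this issue; the functions
# below are constructed for this example and are not purple-hangouts code.

LOG_SAMPLE='(20:23:07) nss: partial certificate chain
(20:23:13) certificate/x509/tls_cached: Peer cert did NOT match cached
(20:23:13) nss: CERT 0. CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US :
(20:23:13) nss:   ERROR -8162: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
(20:23:13) nss: CERT 1. CN=Google Internet Authority G2,O=Google Inc,C=US [Certificate Authority]:
(20:23:13) nss:   ERROR -8162: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
(20:23:13) certificate: Failed to verify certificate for clients6.google.com
(20:23:29) nss: partial certificate chain
(20:25:13) certificate: Failed to verify certificate for clients6.google.com
(20:27:13) certificate: Failed to verify certificate for clients6.google.com'

# Hosts whose certificate failed verification, one "host count" line per host.
failed_hosts() {
    printf '%s\n' "$LOG_SAMPLE" |
        sed -n 's/.*Failed to verify certificate for \([^ ]*\).*/\1/p' |
        LC_ALL=C sort | uniq -c | awk '{print $2, $1}'
}

# How often NSS was handed a chain with no path to a trust anchor, i.e. the
# server omitted its intermediate and nothing local supplied it.
partial_chain_count() {
    printf '%s\n' "$LOG_SAMPLE" | grep -c 'partial certificate chain'
}

# Distinct NSS error names seen in the log.
nss_errors() {
    printf '%s\n' "$LOG_SAMPLE" |
        sed -n 's/.*ERROR -[0-9]*: \([A-Z_]*\).*/\1/p' | LC_ALL=C sort -u
}

# Pair each "CERT n. CN=..." line with the error NSS reports for it, giving
# "<CN> <ERROR>" lines. An EXPIRED_ISSUER error on the leaf points at a stale
# intermediate in the local store rather than at the server.
cert_errors() {
    printf '%s\n' "$LOG_SAMPLE" | awk '
        /nss: CERT [0-9]+\. CN=/ { sub(/.*CN=/, ""); sub(/,.*/, ""); cn = $0; next }
        /ERROR -[0-9]+: / && cn != "" { sub(/.*ERROR -[0-9]+: /, ""); print cn " " $0 }
    ' | LC_ALL=C sort -u
}

report() {
    echo "hosts failing verification (host count):"; failed_hosts
    echo "partial-chain events: $(partial_chain_count)"
    echo "NSS errors:"; nss_errors
    echo "per-certificate errors:"; cert_errors
}

report
```

Run it against a real log by replacing `LOG_SAMPLE` with the contents of Pidgin's debug window (Help -> Debug Window, filtered to errors as Alex did). A non-zero partial-chain count with no other error means the intermediate is simply missing; EXPIRED_ISSUER errors mean the copy in ca-certs (or the system store) is the old one.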

EionRobb commented 6 years ago

Original comment by Chris (Bitbucket: cbenard, GitHub: cbenard).


I've been experiencing it as well, for weeks. Any updates @EionRobb? Can you pull down the certs from their PKI infrastructure in the background or something?

Thanks for the plugin.

EionRobb commented 6 years ago

Original comment by Zoltan Hawryluk (Bitbucket: zoltandulac).


So, #136 (which is a bug I posted about 9 months ago) seems to have the same issue. At the time, it seemed to be specific to my build, so I didn't push it. Given all the other problems from different OSes, I thought I'd share what I have found. I worked around this by using a shell script to update the certificates:

#!/bin/sh
# Re-fetch the peer certificates Pidgin has cached for the Hangouts hosts, then launch Pidgin.

cd "$HOME/.purple/certificates/x509/tls_peers" || exit 1

for i in 0.client-channel.google.com 1.client-channel.google.com 2.client-channel.google.com 3.client-channel.google.com 4.client-channel.google.com 5.client-channel.google.com 6.client-channel.google.com accounts.google.com clients6.google.com googleusercontent.com lh1.googleusercontent.com lh2.googleusercontent.com lh3.googleusercontent.com lh3.googleusercontent.com.cert lh4.googleusercontent.com lh5.googleusercontent.com lh6.googleusercontent.com plus.google.com talk.google.com www.googleapis.com people-pa.clients6.google.com
do
        # drop the stale cached copy and save the certificate the server presents now
        rm -f "$i"
        getCert "$i"
done

/opt/local/bin/pidgin

Note that getCert is another script:

#!/bin/sh
# getCert: save the certificate a TLS server presents, as PEM, to a file named after the host.

if [ "$#" -lt 1 ] || [ "$#" -gt 2 ]
then
        echo "Usage: $0 <domain> (<portnumber>)"
        exit 1
fi

HOST="$1"
PORT="$2"

if [ "$PORT" = "" ]
then
        PORT="443"
fi

# s_client prints the server certificate; sed keeps only the PEM block between the BEGIN/END markers
echo -n | openssl s_client -connect "$HOST:$PORT" | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$HOST"

This has been happening on my OSX machine for a while, and this is the only way I could work around it. Note that after a while (sometimes a few hours, but usually a few days) it will give SSL errors again, but closing pidgin through the Quit menu item and then running the first shell script fixes the issue (until I have to do it again a few days later).

Don't know if this helps other users, but maybe it'll be a starting point to finding a proper solution. (I hope).

EionRobb commented 6 years ago

Original comment by tofof (Bitbucket: tofof, GitHub: tofof).


@zoltandulac's scripts reduce the errors for me but do nothing about the clients6.google.com popups, regardless of whether that domain is added to the list in the first script.

Very frustrated.

EionRobb commented 6 years ago

Original comment by Fer Jackson (Bitbucket: kusuriurikun, GitHub: kusuriurikun).


For those curious, here's an optimized version of that script that should work in Ubuntu and other *nixes, is known to be able to work in the Ubuntu Bash shell in Windows, and which should theoretically work in any environment where bash and sed are available (note, you'll need to modify part of this to write to specific Pidgin directory). We'll see if the scripts pulled actually help any with the situation with this bug...

#!/bin/sh
# CertGrabber: A little script for pulling clean certs for the purple-hangouts plugin.
#
# This is more for pulling raw certs and copying elsewhere.
#
# Many thanks to Zoltan Dudac (https://bitbucket.org/zoltandulac/) for the original macOS version of a pull script from
# which this was heavily modified and genericised.
#
# Kusuriurikun (https://bitbucket.org/kusuriurikun)
#
echo "Making working directory..."
mkdir -p ~/certs
# Now that we've got in the right place (relatively speaking) we can pull certs
echo "Pulling certificates from Google..."
for name in 0.client-channel.google.com 1.client-channel.google.com 2.client-channel.google.com 3.client-channel.google.com 4.client-channel.google.com 5.client-channel.google.com 6.client-channel.google.com accounts.google.com clients6.google.com googleusercontent.com lh1.googleusercontent.com lh2.googleusercontent.com lh3.googleusercontent.com lh3.googleusercontent.com.cert lh4.googleusercontent.com lh5.googleusercontent.com lh6.googleusercontent.com plus.google.com talk.google.com www.googleapis.com people-pa.clients6.google.com
do
# remove any previous copy, then keep only the PEM block from the server's response
rm -f "$name"
echo -n | openssl s_client -connect "$name:443" | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$name"
done
echo "Certificates copied.  Unix/Linux users should copy these to the following dir:"
echo "~/.pidgin/certificates/x509/tls_peers"
echo "Windows users such as those using Bash on Ubuntu on Windows should copy here:"
echo "$USER\AppData\Roaming\.pidgin\certificates\x509\tls_peers"

Of note, the reason I didn't make this Linux-specific/Unix-specific is that I'm trying to keep it kind of open. (Trying to write directly to the Windows directory for a specific user is kind of kludgy in the various Linux shells for Windows, so really a better approach for these users would be to write the files to a directory in /mnt/c/certs and then copy them, in Windows proper, to the relevant Pidgin directory.) Maybe someone is much better in PowerShell and can convert this to something PS-friendly? :D Yeah right.

EionRobb commented 6 years ago

Original comment by Reuben Thomas (Bitbucket: rrt, GitHub: rrt).


Just a note for anyone who's installed the G2 certificate as per Daniel Lenski's comment from 2017-02-03: I guess it's probably out of date, as it was actually breaking SSL certificate verification for some Google domains for me just now; removing it from my installed certificates fixed the problem. This suggests that Fer Jackson's script for installing certificates only in Pidgin may be a better workaround for the Hangouts issue, as any changes it makes won't affect your entire system!

EionRobb commented 6 years ago

Original comment by Reuben Thomas (Bitbucket: rrt, GitHub: rrt).


Further, a couple of comments on Fer Jackson's script: you probably want to "mkdir certs" (not specifically in the home directory, just wherever you're executing it, to avoid overwriting a specific directory), then you probably want to cd into that directory (otherwise creating it was not so useful!) and finally the correct path to copy to, at least on non-Windows systems, starts with ~/.purple, not ~/.pidgin.

EionRobb commented 6 years ago

Original comment by tofof (Bitbucket: tofof, GitHub: tofof).


I do not have the expired G2 certificate installed. Nor do these scripts stop the barrage of certificate error popups; I have my own version of the script (pointed at the correct directory) running every 4 hours. At best they only diminish the errors.

If I go away for 2 hours I come back to more than a half dozen message boxes complaining about certificate validation.

This bug deserves a proper fix (it's been 15 months), or purple-hangouts should be marked experimental.

EionRobb commented 6 years ago

Original comment by Eion Robb (Bitbucket: EionRobb, GitHub: EionRobb).


Windows users who are experiencing this can download an updated installer from https://eion.robbmob.com/purple-hangouts.exe which has the updated certificates for Google's G3 and G2 intermediate certs.

EionRobb commented 6 years ago

Original comment by Chris (Bitbucket: cbenard, GitHub: cbenard).


@EionRobb Can you advise what to update for portable users, after extracting via 7zip?

EionRobb commented 6 years ago

Original comment by Bruce Momjian (Bitbucket: bmomjian, GitHub: bmomjian).


I needed the Google G3 intermediate certificate posted above by @AzuiSleet. (I already had G2 installed.) Can the instructions above be updated to install the G2 and G3 certificates?

EionRobb commented 6 years ago

Original comment by Bruce Momjian (Bitbucket: bmomjian, GitHub: bmomjian).


Here is a URL explaining the new G3 intermediate certificate: https://textslashplain.com/2017/10/23/google-internet-authority-g3/ . Fortunately there is no Google G4 certificate so installing G2 and G3 should fix the problem for the foreseeable future.

EionRobb commented 6 years ago

Original comment by Bruce Momjian (Bitbucket: bmomjian, GitHub: bmomjian).


I just started getting this error and am not sure how to fix it:

Unable to validate certificate

The certificate for clients6.google.com could not be validated. The certificate chain presented is invalid.

EionRobb commented 6 years ago

Original comment by Bruce Momjian (Bitbucket: bmomjian, GitHub: bmomjian).


I deleted my .purple/certificates directory. Let's see if that fixes it. Maybe I had an old certificate in there it didn't like.

EionRobb commented 5 years ago

Original comment by Bruce Momjian (Bitbucket: bmomjian, GitHub: bmomjian).


It seems the problem reported above has returned, and removing the .purple/certificates directory did not help. I assume it is a Google misconfiguration and the problem will go away soon.

EionRobb commented 5 years ago

Original comment by Chris (Bitbucket: cbenard, GitHub: cbenard).


I'm getting these again, too. I've just been ignoring it, hoping it'll go away. :) I've honestly forgotten what I did to fix it last time since it's been so long. I use the portable version.

EionRobb commented 5 years ago

Original comment by Eion Robb (Bitbucket: EionRobb, GitHub: EionRobb).


There’s a new intermediate cert that’s being used that was added in https://bitbucket.org/EionRobb/purple-hangouts/commits/c65b74d3472430c07abb170415e2622ab5ba453b

There’s also a new .exe installer with the updated certs at https://bitbucket.org/EionRobb/purple-hangouts/downloads/

The issue is still the same one as last year; Google servers will send the intermediate cert only in the first response and expect the client to cache it, which libpurple does not
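The mechanism described in this comment, and the DER-to-PEM conversion Chris used earlier, reproduced with a throwaway PKI built by the openssl CLI. This is an added example, not code from the thread or from purple-hangouts, and every name in it (Demo Root CA, Demo Intermediate, chat.example.test) is constructed; nothing here contacts Google or touches the real certificates. It shows the two states a libpurple client ends up in: a leaf verified against a trust store that holds only the root fails (the "partial certificate chain" NSS logs), and the same leaf verifies once the intermediate is available locally, which is exactly what dropping the intermediate into ca-certs achieves.

```shell
#!/bin/sh
# Added example (not purple-hangouts code): build root -> intermediate -> leaf,
# the same shape as root -> Google Internet Authority G2 -> *.google.com, then
# verify the leaf with and without the intermediate. All names are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sign <csr> <ca cert> <ca key> <ext file> <out>: issue a certificate from a CSR
sign() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 2 -extfile "$4" -out "$5" >/dev/null 2>&1
}

build_demo_pki() {
    cd "$WORK" || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:chat.example.test\n' > leaf.ext

    # root CA: CSR self-signed with its own key
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Demo Root CA" >/dev/null 2>&1 || return 1
    openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
        -out root.pem >/dev/null 2>&1 || return 1

    # intermediate CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Demo Intermediate" >/dev/null 2>&1 || return 1
    sign inter.csr root.pem root.key ca.ext inter.pem || return 1

    # server (leaf) certificate, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=chat.example.test" >/dev/null 2>&1 || return 1
    sign leaf.csr inter.pem inter.key leaf.ext leaf.pem
}

# What the client sees when the server sends only its leaf and nothing local
# supplies the intermediate: no path from leaf to a trust anchor, so this fails.
verify_leaf_root_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The thread's workaround: the intermediate is known locally. -untrusted offers
# it as a chain-building candidate rather than a trust anchor, which is the
# role a cached or installed intermediate should play.
verify_leaf_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

# Chris's DER -> PEM conversion (openssl x509 -inform DER ... -outform PEM),
# round-tripped on the demo intermediate so the result can be checked exactly.
der_pem_roundtrip_identical() {
    openssl x509 -in "$WORK/inter.pem" -outform DER -out "$WORK/inter.der" 2>/dev/null &&
    openssl x509 -inform DER -in "$WORK/inter.der" -outform PEM -out "$WORK/inter2.pem" 2>/dev/null &&
    cmp -s "$WORK/inter.pem" "$WORK/inter2.pem"
}

main() {
    build_demo_pki || { echo "openssl setup failed"; return 1; }
    if verify_leaf_root_only; then
        echo "root only: OK (unexpected)"
    else
        echo "root only: verification fails, the chain is partial"
    fi
    verify_leaf_with_intermediate && echo "root + intermediate: OK"
    der_pem_roundtrip_identical && echo "DER -> PEM conversion round-trips byte for byte"
}

main
```

Two details worth noting. First, the intermediate belongs in `-untrusted` (or, for Pidgin, a ca-certs entry that is treated as a CA), not as a replacement trust anchor: trust still terminates at the root. Second, this is also why an expired intermediate in the local store produces the `SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE` seen earlier in the thread: the client builds the chain through the stale local copy instead of the one the server would have sent.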

EionRobb commented 5 years ago

Original comment by Chris (Bitbucket: cbenard, GitHub: cbenard).


I saved that pem to “\PidginPortable\App\Pidgin\ca-certs”. Is that all I need to do for portable?

Is a Pidgin restart needed?

EionRobb commented 5 years ago

Original comment by Eion Robb (Bitbucket: EionRobb, GitHub: EionRobb).


@cbenard yeah, you'll need to restart Pidgin as it only loads certs at startup

(I should really take another stab at making a Plugin to load certificates from the system instead of its own ca-certs dir)

EionRobb commented 5 years ago

Original comment by Chris (Bitbucket: cbenard, GitHub: cbenard).


That would be good, but maybe easier to just add the caching to libpurple? I don’t know what’s involved.