somsak / microblog-purple

Automatically exported from code.google.com/p/microblog-purple
GNU General Public License v3.0

SSL certificate validation error for api.twitter.com #248

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Log into twitter
2. Wait.
3. SSL Certificate validation error.

What is the expected output? What do you see instead?
No error expected. Instead, Pidgin throws an error:

=====
Accept certificate for api.twitter.com?
The certificate for api.twitter.com could not be validated.
The certificate is not trusted because no certificate that can verify it is 
currently trusted.
=====
My options are View Certificate, Reject, Accept. Accepting it does not prevent 
the error from occurring again.

What version of the product are you using? On what operating system?
0.3.0-1 on Ubuntu 10.04, 0.3.0 on Windows 7

Please provide any additional information below.
Right now, api.twitter.com is moving between two certificates: an Equifax one 
for api.twitter.com and a Verisign one for *.twitter.com. Because of this, the 
error is intermittent (from multi/hour to 1/multi hours) and I'm only receiving 
errors for the Verisign one.

Original issue reported on code.google.com by brightla...@gmail.com on 17 Jul 2011 at 5:07

GoogleCodeExporter commented 9 years ago
Correction. (Dammit)

The Equifax one is for *.twitter.com.
The Verisign one is for api.twitter.com. This is the one I'm receiving the 
error for.

Original comment by brightla...@gmail.com on 17 Jul 2011 at 5:10

GoogleCodeExporter commented 9 years ago
Hi,
do you still have this problem?
It didn't occur for me - not on the 16. nor since then. 

Original comment by andresen.nils@gmail.com on 26 Jul 2011 at 8:12

GoogleCodeExporter commented 9 years ago
I think that installing the "Root 2 - GeoTrust Global CA" certificate from 
http://www.geotrust.com/resources/root-certificates/ in pidgin/ca-certs (on 
windows; not sure of the equivalent Linux directory) has solved this. Can the 
OP confirm?

Original comment by mikeage on 2 Aug 2011 at 5:35

GoogleCodeExporter commented 9 years ago
Per comment 3, if you try this, you'll want the DER version, and then perform
the following to convert it to PEM for use in the pidgin cert directory:

openssl x509 -in GeoTrust_Global_CA_DER.cer -inform DER -outform PEM -out GeoTrust_Global_CA.pem

Original comment by ak.hep...@gmail.com on 12 Aug 2011 at 9:50

GoogleCodeExporter commented 9 years ago
Followup - I'm still getting the cert error for api.twitter.com even after 
performing the above steps to install the GeoTrust cert mentioned above.

Clicking on 'view cert' shows that it's actually receiving the Equifax cert 
for *.twitter.com while expecting one for 'api...'

I've also downloaded and installed the Equifax_Secure_Certificate_Authority_DER 
and GeoTrust_Primary_CA.pem to see if adding these as well fixes the issue; 
however, upon restarting pidgin, it appears that it does not.

Original comment by ak.hep...@gmail.com on 12 Aug 2011 at 10:14

GoogleCodeExporter commented 9 years ago
After getting 
http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Primary_CA.pem, 
the problem seems to be solved for me.

Original comment by ShadowPh...@gmail.com on 13 Aug 2011 at 8:25

GoogleCodeExporter commented 9 years ago
cancel that, error persists

Original comment by ShadowPh...@gmail.com on 13 Aug 2011 at 8:44

GoogleCodeExporter commented 9 years ago
I've been having this problem also. It appears that api.twitter.com is 
presenting 1 of 2 certificates (seemingly at random).  One is from VeriSign, 
for api.twitter.com, SHA1 
Fingerprint=DB:79:1F:CF:45:7D:FE:CF:77:31:E6:5A:42:37:B5:1A:3B:30:F1:71.  It 
works fine.

The problem certificate is this one:

Common name: *.twitter.com
Fingerprint (SHA1): 59:3f:87:4d:e3:5c:49:a1:a4:f7:8a:14:3c:79:e5:8f:03:2c:f9:92
Activation date: Jul 17 11:13:11 2011 GMT
Expiration date: Sep 17 18:59:59 2013 GMT

After several tries, I was able to download that certificate using openssl 
s_client (attached here as twitter_rapidssl.pem). It was issued by RapidSSL.  
Their CA certificate is http://rapidssl-aia.geotrust.com/rapidssl.crt.  That's 
in DER format, so you'd need to use

openssl x509 -in rapidssl.crt -inform DER -outform PEM -out rapidssl.pem

to convert it before installing it in Pidgin.

Original comment by cma...@gmail.com on 13 Aug 2011 at 1:12

Attachments:

GoogleCodeExporter commented 9 years ago
Followed the instructions in Comment #8:

curl -sO http://rapidssl-aia.geotrust.com/rapidssl.crt 
openssl x509 -in rapidssl.crt -inform DER -outform PEM -out rapidssl.pem

... the resulting file does not match what is attached to Comment #8.  I tested 
again with a different machine with different architecture: the two machines I 
own make identical 'rapidssl.pem' files, but neither matches the file attached 
to Comment #8.

Original comment by argen...@gmail.com on 14 Aug 2011 at 2:16

GoogleCodeExporter commented 9 years ago
You misunderstood the attachment.  twitter_rapidssl.pem is the certificate that 
Twitter is *presenting* for *.twitter.com.  I attached it for anyone that wants 
to investigate the issue; you don't need to download it otherwise.  
rapidssl.crt is the CA certificate that signed twitter_rapidssl.pem, and that 
you need to install so that Twitter's certificate can be validated.

I haven't had the error again since I installed rapidssl.pem and restarted 
Pidgin.

Original comment by cma...@gmail.com on 14 Aug 2011 at 7:19

GoogleCodeExporter commented 9 years ago
I've installed the CA cert as well per #8, however I'm still seeing the error.

Original comment by ak.hep...@gmail.com on 14 Aug 2011 at 5:24

GoogleCodeExporter commented 9 years ago
Re #11: Did you restart Pidgin after installing the CA cert?  Also, when you 
get the error, is it the same certificate?  Do View Certificate on the error 
dialog; it should say Fingerprint (SHA1): 
59:3f:87:4d:e3:5c:49:a1:a4:f7:8a:14:3c:79:e5:8f:03:2c:f9:92, otherwise Twitter 
has another certificate causing problems.  I'm still error free, though.

I've attached the RapidSSL CA certificate in PEM format to this comment, for 
anybody who's having trouble converting it from DER.

Original comment by cma...@gmail.com on 14 Aug 2011 at 7:43

Attachments:
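
The checks discussed in comments #8 to #12, as an added example that is not part of the original thread: identify a certificate by its SHA1 fingerprint rather than by comparing files, and confirm that a CA file really validates the server certificate before it goes into Pidgin's CA directory. It runs offline against a throwaway CA and server certificate generated on the spot; the names (api.example.test, "Demo Issuing CA") and the helpers cert_fp, chains_to and make_demo are constructed for this example.

```shell
#!/bin/sh
# Added example: throwaway CA and server certificate generated locally.
# Names (api.example.test, "Demo Issuing CA") and helper functions are constructed.
set -eu

# SHA1 fingerprint of a certificate file; $2 is its encoding (PEM or DER).
cert_fp() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha1 | cut -d= -f2
}

# Print OK if certificate $2 validates against the CA file $1, FAIL otherwise.
chains_to() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Create two unrelated CAs and a server certificate signed by the first one.
make_demo() {
    out=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Issuing CA" \
        -keyout "$out/ca.key" -out "$out/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
        -keyout "$out/other.key" -out "$out/other.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
        -keyout "$out/leaf.key" -out "$out/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$out/leaf.csr" -CA "$out/ca.pem" -CAkey "$out/ca.key" \
        -CAcreateserial -days 1 -out "$out/leaf.pem" 2>/dev/null
    # Publish the CA as DER, then convert it back with the thread's command.
    openssl x509 -in "$out/ca.pem" -outform DER -out "$out/ca.crt"
    openssl x509 -in "$out/ca.crt" -inform DER -outform PEM -out "$out/ca_converted.pem"
}

d=$(mktemp -d)
make_demo "$d"
# Same certificate in two encodings: the files differ, the fingerprint does not.
echo "CA (DER):       $(cert_fp "$d/ca.crt" DER)"
echo "CA (PEM):       $(cert_fp "$d/ca_converted.pem" PEM)"
# The server certificate is a different object from the CA that signed it.
echo "leaf:           $(cert_fp "$d/leaf.pem" PEM)"
# Only the issuing CA makes the server certificate validate.
echo "unrelated CA -> $(chains_to "$d/other.pem" "$d/leaf.pem")"
echo "issuing CA   -> $(chains_to "$d/ca_converted.pem" "$d/leaf.pem")"
rm -rf "$d"
```

For a real pair, call cert_fp and chains_to on the downloaded CA file and the server certificate you captured; a FAIL means that CA did not issue the certificate you are being shown.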

GoogleCodeExporter commented 9 years ago
I'm experiencing the same problem with Pidgin 2.9.0 on Windows 7. I'd try 
installing the CA cert, but I'm not sure how to go about that in Windows.

Original comment by mma...@gmail.com on 15 Aug 2011 at 8:39

GoogleCodeExporter commented 9 years ago
Re: #13

Save the rapidssl.pem from comment #12 into your c:\Program Files(x86)\Pidgin\ca-cert directory.

Exit out of pidgin (if you're in it) and restart it.

If you're lucky, it'll work the first time.

Original comment by ak.hep...@gmail.com on 15 Aug 2011 at 9:53

GoogleCodeExporter commented 9 years ago
That appears to have fixed the problem for me. I'm not 100% certain, since it 
only happened intermittently, but it's been a while since I installed the cert, 
and I haven't had any problems. Thanks for the help!

Original comment by mma...@gmail.com on 16 Aug 2011 at 12:13

GoogleCodeExporter commented 9 years ago
Well, I get the same message (Linux Mint 9 fluxbox, Pidgin 2.6.6, Twitgin 
0.2.4) even after installing rapidssl.pem from post #12. Neither fingerprint 
matches any quoted here so far:
twitter.com (the one that popped in by default)

Fingerprint (SHA1): ea:9d:ef:d6:33:61:d9:76:71:e1:6c:68:9f:54:a6:59:d7:f1:0e:66

Activation date: Thu Jul  7 01:00:00 2011 / Expiration date: Sat Jul 28 
00:59:59 2012

RapidSSL CA (produced from downloading above)

Fingerprint (SHA1): c0:39:a3:26:9e:e4:b8:e8:2d:00:c5:3f:a7:97:b5:a1:9e:83:6f:47

Activation date: Fri Feb 19 22:45:05 2010 / Expiration date: Tue Feb 18 
22:45:05 2020

So I'm baffled! Tempted to just nuke the certificates and reinstall, but 
equally no reason why that should fix it. Any offers please?

Original comment by edward.b...@gmail.com on 5 Sep 2011 at 12:21

GoogleCodeExporter commented 9 years ago
I'm having this problem again.  This time, the problem certificate is for 
api.twitter.com:

Fingerprint (SHA1): c1:31:8b:5d:41:35:27:dc:2d:c8:a9:3b:4a:c3:04:06:39:cb:84:97

Activation date: Mon Apr 09 19:00:00 2012 / Expiration date: Sat May 17 
18:59:59 2014

I've attached the problem certificate for anybody who wants to investigate.  It 
says it was issued by "VeriSign Class 3 Secure Server CA - G3".

I'm hoping the appropriate root certificate is root 4 on this page: 
https://www.verisign.com/support/roots.html  (direct link: 
https://www.verisign.com/repository/roots/root-certificates/PCA-3G3.pem).  
That's already in PEM format, so it's ready to install in Pidgin.  I've 
installed that root cert, and the error hasn't happened again yet, but it's too 
soon to be sure.

Original comment by cma...@gmail.com on 26 Apr 2012 at 7:17

Attachments: