Opened 9 years ago

Closed 9 years ago

Last modified 8 years ago

#11753 closed defect (cantfix)

Certificate Validation Prompt for '' Server on Pidgin 2.6.6

Reported by: compengi
Owned by: QuLogic
Milestone:
Component: MSN
Version: 2.6.6
Keywords:


I received today a prompt on pidgin 2.6.6 for a certificate validation for server. The prompt message looks as follows:

Accept certificate for

The certificate for could not be validated. The certificate claims to be from "" instead. This could mean that you are not connecting to the service you believe you are.

Certificate details are such:

Common name:

Fingerprint (SHA1): b9:c2:9e:f8:92:c1:2c:ee:55:7e:c6:d5:d1:91:0c:d2:10:87:1e:aa

Activation date: Wed Dec 2 01:07:13 2009

Expiration date: Thu Dec 2 01:07:13 2010

I've exported that certificate and I'm attaching the file with this ticket.

Attachments (2)

certificate.pem (2.1 KB) - added by compengi 9 years ago.
(2.2 KB) - added by acruise 9 years ago.
Current * certificate


Change History (10)

Changed 9 years ago by compengi

comment:1 Changed 9 years ago by darkrain42

  • Component changed from unclassified to MSN
  • Owner changed from rekkanoryo to QuLogic

We don't distribute end-site certificates. You're getting the prompt because of the name mismatch. This is either a misconfiguration on MSN's side or they've changed the server name (back?).

comment:2 Changed 9 years ago by QuLogic

  • Resolution set to cantfix
  • Status changed from new to closed

This appears to be a temporary server-side thing.

comment:3 Changed 9 years ago by cgoudie

If you're looking at this bug today (November 11th 2010), you may want to look at this page:

The certificate for could not be validated. The certificate chain presented is invalid.

If you have an error when trying to connect to MSN messenger with your pidgin today, this is the easy and quick way to fix the problem: just delete the SSL certificate.

rm ~/.purple/certificates/x509/tls_peers/

This way, pidgin will download the SSL certificate again and everything will be working again.

I found that I needed to delete * in that directory to connect.

comment:4 Changed 9 years ago by acruise

I don't know whether anything has *changed* as such, but is using a three-element certificate chain, in which the L1 is a globally trusted CA (CyberTrust?), the L2 is Microsoft's own CA certificate, and the L3 (end entity cert) uses a wildcard CN. There are an awful lot of programs and libraries that don't support third- (and bigger) certificate chains properly, and a lot that don't support wildcards properly, so I don't think this really deserves to be a cantfix.

If you do openssl s_client -connect -showcerts you'll see all three certificates in the chain.
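
The name check behind the prompt in this ticket, and the wildcard rule comment 4 refers to, shown as an added example that is not part of the ticket or of Pidgin's code: a conservative matcher in the style of RFC 6125. The hostnames are constructed and the function names are assumptions.

```python
# Added example: conservative hostname matching in the style of RFC 6125.
# Hostnames are constructed; function names are assumptions, not Pidgin's API.

def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, host):
    """Return True if the certificate name `pattern` covers `host`."""
    p, h = _labels(pattern), _labels(host)
    if "*" in host or "" in p or "" in h:
        return False          # malformed input never matches
    if len(p) != len(h):
        return False          # '*' stands for exactly one label
    if "*" not in pattern:
        return p == h         # plain name: exact match
    # The wildcard must be the whole left-most label, occur once, and leave
    # at least two fixed labels, so '*.com' and 'im*.example.com' are refused.
    if p[0] != "*" or pattern.count("*") != 1 or len(p) < 3:
        return False
    return p[1:] == h[1:]

def check_peer(cert_names, host):
    """Return (ok, message) for the names taken from the end-entity certificate
    (subjectAltName DNS entries, or the CN in older clients)."""
    for name in cert_names:
        if name_matches(name, host):
            return True, f"{host} is covered by {name}"
    claimed = ", ".join(cert_names)
    return False, (f"The certificate for {host} could not be validated. "
                   f'The certificate claims to be from "{claimed}" instead.')

if __name__ == "__main__":
    for names, host in [
        (["*.chat.example.com"], "im.chat.example.com"),    # wildcard, one label
        (["*.chat.example.com"], "chat.example.com"),       # wildcard needs a label
        (["*.chat.example.com"], "a.im.chat.example.com"),  # two labels: refused
        (["login.example.net"], "im.chat.example.com"),     # the mismatch case
    ]:
        print(check_peer(names, host))
```

A client that skips the label-count test or accepts partial-label wildcards will either reject valid wildcard certificates or accept names the certificate does not cover.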

comment:5 Changed 9 years ago by cgoudie

Based on the fact deleting them (forcing a redownload) resolves the issue, my guess is that the old cert expired today, and the new cert wasn't retrieved or some such. <shrug>

This is one of the first hits on google for this issue, so I thought I'd add my comments here to help those looking for a fix to the same problem.

Changed 9 years ago by acruise

Current * certificate

comment:6 Changed 9 years ago by acruise

Oh, and replacing ~/.purple/certificates/x509/tls_peers/ with just the end entity certificate works fine. I had a look at the certificate that was attached previously, and it's also a third-level certificate, but it doesn't use a wildcard CN.

I've attached the current wildcard certificate as

comment:7 Changed 9 years ago by nosnilmot

This 6 month old ticket is not the same issue as is happening now. See #12906 for that.

comment:8 Changed 9 years ago by cgoudie

For whatever reason deleting the certs no longer works. In case you're here looking for a fix, you can see #12906, or you can visit for a quick fix.
