Trac is being migrated to new services! Issues can be found in our new YouTrack instance and WIKI pages can be found on our website.

Changes between Version 9 and Version 10 of MSNCertIssue


Ignore:
Timestamp:
Jan 21, 2013, 10:46:18 PM (11 years ago)
Author:
QuLogic
Comment:

Update page for new MSN cert problem

Legend:

Unmodified
Added
Removed
Modified
  • MSNCertIssue

    v9 v10  
    22MSN recently changed the certificate used on some of their servers.  This certificate is used to negotiate a secure socket layer (SSL) session, an encrypted connection, between the client (Windows Live Messenger, Pidgin, etc.) and the server(s).
    33
    4 Unfortunately, not all the servers that are using this new certificate present the correct information to Pidgin for us to validate the certificate properly.  Additional wrinkles are that not all omega.contacts.msn.com servers have been migrated to the new certificate, and that some of the servers that have been migrated are also correctly configured.  Because of this, given enough attempts, you may actually achieve an occasional successful connection.  Most of the time, however, you'll get an error message.
    5 
    6 The error message you'll see is something like this:
     4Unfortunately, this new certificate is signed by a root certificate that Pidgin does not provide. You may not see this problem if your distribution provides the root certificate and has configured Pidgin to use it. The error message you'll see is something like this:
    75
    86'''Unable to validate certificate:'''[[BR]]
    9 The certificate for omega.contacts.msn.com could not be validated. The certificate chain presented is invalid.
     7The certificate for local-bay.contacts.msn.com could not be validated. The certificate chain presented is invalid.
     8
     9or:
     10
     11'''Unable to validate certificate:'''[[BR]]
     12The certificate for local-blu-people.directory.live.com could not be validated. The certificate chain presented is invalid.
    1013
    1114If you're reading this page, you're probably experiencing this problem.  Here is the solution.
    1215
    13 [[BR]]
    14 
    1516= How Do I Fix It? =
    1617
    17 == Upgrade to Pidgin 2.7.7 or newer ==
    18 In Pidgin 2.7.6, we began distributing the additional intermediate certificates that some of MSN's servers are not sending us.  Although we thought this was enough, after we released 2.7.6 we discovered that some additional work was necessary.  To fix that, we released Pidgin 2.7.7 with what we believe to be a complete fix to the problem.
     18== Upgrade to Pidgin 2.10.7 or newer ==
     19'''Note:''' ''Pidgin 2.10.7 has not yet been released, but you should follow these instructions when that happens.''
     20
     21In Pidgin 2.10.7, we will began distributing the additional root certificates that the MSN's servers are  using.
    1922
    2023=== I upgraded but it's still broken! ===
     
    2326If you did restart Pidgin, the reason is probably that you built the new version of Pidgin yourself.  You also probably neglected to remove the copy of Pidgin you installed through your package manager.  Try running `ldconfig` as root (`sudo ldconfig` or similar).  If that doesn't work, you can remove the packaged version of libpurple (`libpurple0` on Debian and Ubuntu systems; it will have different names elsewhere) and try `ldconfig` again.  Ideally, however, you should install a packaged version of Pidgin, as you won't have to compile it and you won't have to play with `ldconfig` or removing packages to make it work.
    2427
    25 [[BR]]
     28== If upgrading is not possible ==
     29If you can't upgrade to Pidgin 2.10.7 or newer, then here's how to partially fix the problem.
    2630
    27 == If upgrading is not possible ==
    28 If you can't upgrade to Pidgin 2.7.7 or newer, then here's how to partially fix the problem.  This should work for any version of Pidgin from 2.5.0 to 2.7.5, inclusive, but only if your SSL plugin is Mozilla NSS.  (GNUTLS acts differently; this fix does not work for GNUTLS users without the additional changes that went into Pidgin 2.7.7.)
     31Note that while we verified the certificates we instruct you to download below, there is always a risk involved in downloading certificates, especially ones you have not personally verified, from a website and adding them to your trusted CA store.  Ordinarily you should avoid this practice.  Instead of following the instructions below, we strongly recommend upgrading to Pidgin 2.10.7 or newer, which include the certificates and other fixes.
    2932
    30 Note that while we verified the certificates we instruct you to download below, there is always a risk involved in downloading certificates, especially ones you have not personally verified, from a website and adding them to your trusted CA store.  Ordinarily you should avoid this practice.  Instead of following the instructions below, we strongly recommend upgrading to Pidgin 2.7.7 or newer, which include the certificates and other fixes.
     33=== Get the new root certificate ===
     34''If you have followed other (incorrect) instructions to replace the 'local-bay.contacts.msn.com' or 'local-blu-people.directory.live.com' certificate, then you must delete that certificate from `Tools->Certificates` first.''
    3135
    32 === Get the new intermediate certificates ===
    33 ''If you have followed other (incorrect) instructions to replace the 'omega.contacts.msn.com' certificate, then you must delete that certificate from `Tools->Certificates` first.''
    34 
    35 Download [http://hg.pidgin.im/pidgin/main/raw-file/default/share/ca-certs/Microsoft_Internet_Authority_2010.pem Microsoft_Internet_Authority_2010.pem] and [http://hg.pidgin.im/pidgin/main/raw-file/default/share/ca-certs/Microsoft_Secure_Server_Authority_2010.pem Microsoft_Secure_Server_Authority_2010.pem] then follow the appropriate set of directions below.
     36Download [http://hg.pidgin.im/pidgin/main/raw-file/default/share/ca-certs/Baltimore_CyberTrust_Root.pem Baltimore_CyberTrust_Root.pem], then follow the appropriate set of directions below.
    3637
    3738=== Windows ===
     
    4243 * Save the files to /usr/share/purple/ca-certs (or /usr/local/share/purple/ca-certs as appropriate)
    4344 * Restart Pidgin
    44 
    45 Thanks to Kaurin/SQuID for blogging this solution earlier.
All information, including names and email addresses, entered onto this website or sent to mailing lists affiliated with this website will be public. Do not post confidential information, especially passwords!