Empathy gives ‘untrusted connection’ certificate warning when connecting to Facebook via XMPP

Empathy users may have experienced a rather annoying problem if connecting to Facebook via XMPP using Empathy. This problem may affect other services too, such as Gwibber, but I’m not using Gwibber — so I’m only writing about this.

When trying to connect, you’ll receive a message like the following:

Even if you check “Remember this choice for future connections”, you’ll still get it next time you launch Emapthy.

It seems the root cause is a certificate not being installed in ca-certificates during installation. The original issue and solution are described in Launchpad bug #746973, and is root caused in Launchpad bug #742889.

I’ve rewritten the solution here with some adjustments to the steps for clarity and where instructions were incomplete or needed explanation.

Start by opening Firefox to get the correct certificate out of the certificate store.

In Firefox, go to edit > preferences > advanced > encryption > view certificates > authorities

Scroll down to DigiCert Inc, and find “DigiCert High Assurance CA-3”

Click “Export” and save the file somewhere you can find it later.

I called it DigiCertHighAssuranceCA-3.crt (you will probably have to add the extension, which is important).

It automatically exports in PEM (X.509) format, which is what we need.

Verify by opening a terminal and typing

file DigiCertHighAssuranceCA-3.crt

You should get:

DigiCertHighAssuranceCA-3.crt: PEM certificate

Now, become root (sudo su) and execute the following commands to move the file to the ca-certificates installation source:

mv DigiCertHighAssuranceCA-3.crt /usr/share/ca-certificates/mozilla
chown root:root /usr/share/ca-certificates/mozilla/DigiCertHighAssuranceCA-3.crt
dpkg-reconfigure ca-certificates

Select “yes”, then scroll down the list and place a mark (using the space bar) next to the certificate we just added. Press the TAB key to move the cursor to OK then press space again to confirm.
You will likely see output similiar to the following:

Updating certificates in /etc/ssl/certs... 
WARNING: Skipping duplicate certificate
WARNING: Skipping duplicate certificate Go_Daddy_Class_2_CA.pem
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
updating keystore /etc/ssl/certs/java/cacerts...
added: /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem

Confirm that it’s fixed by exiting empathy if you had it opened (Chat > Quit) waiting a moment or two and then restarting it. You should automatically be signed into Facebook XMPP without the certificate warning.

Questions, comments, and feedback about this are welcome and appreciated.


, ,