Apache OpenOffice (AOO) Bugzilla – Issue 59968
openoffice not finding installed client certificates
Last modified: 2018-08-02 07:37:14 UTC
Package: openoffice Version: 2.x ooo is supposed to find ssl certificates which are installed in mozilla, Thunderbird or Firefox. I have both Thunderbird & Firefox installed. I have certificates in both. Ooo is not finding any in either place. There have been others who have submitted this: http://www.openoffice.org/issues/show_bug.cgi?id=47496 http://www.openoffice.org/issues/show_bug.cgi?id=52069 Both were marked as duplicates of each other & closed!!! It still does not work, so please don't close this as a dupe. On the ooo forums there is some discussion about setting an environment variable called MOZILLA_CERTIFICATE_FOLDER. I cannot find *anything* in ooo documentation nor wiki about what an environment variable is nor where to find/set one, so I'm not sure that is reliable information. I take that back, there was a list of several variables on the wiki, but no explanation of how to set them. Ooo *should* be able to find the certificates. If the location of the mozilla certificates /does/ have to be hand-fed to ooo, there needs to be a browse button to find it--not to mention instructions. I am using SimplyMEPIS 3.4.2 rc1 Debian GNU/Linux 2.6.12-1-586tsc -- Thanks! Lance W. Haverkamp Lance@TheHaverkamps.net Contact & encryption info: http://thehaverkamps.net/?Lance:Contact_Me ><> ><> ><>
TM->FST: Please have a look.
Hi Lance, there did you get the SSL Cert from ? Is the profile for Thunderbird and Firefox in the default place ? Setting an environment variable depends on the shell used. For BASH it's export MOZILLA_CERTIFICATE_FOLDER=path to profile folder. for tcsh setenv MOZILLA_CERTIFICATE_FOLDER path to profile folder Frank
Hi Frank & all, > there did you get the SSL Cert from ? I have certificates from CAcert & IdealX installed & functional. > Is the profile for Thunderbird and Firefox in the default place ? They're in the default for all Debian based distro's; /home/lance/.mozilla-thunderbird/3bbi4b8u.default & /home/lance/.mozilla/firefox/utlr5uby.default if I understand your question. > Setting an environment variable depends on the shell used. For BASH it's export MOZILLA_CERTIFICATE_FOLDER=path to profile folder. for tcsh setenv MOZILLA_CERTIFICATE_FOLDER path to profile folder As I could find nothing in the context help, documentation nor wiki explaining what an environment variable is, how to set one or why I'd want or need to; I'm afraid this means absolutely nothing to me. Perhaps that's why others have reported difficulty as well??? Since you mentioned BASH, I'm wild-guessing this is something that needs to be done through the command console & may be a "Linux thing" rather than an "OpenOffice thing"--in which the Debianized version may not be setting it, if that's the problem...How do we tell if that *is* the problem? Thanks, Lance
needs some ui (path settings?) and configuration.
Created attachment 34179 [details] Document with Macro started by a click on a Button to find the installed Profiles
The attached document contains a macro which will search the Mozilla profiles and show it's path if it have found something. The Macro was published by MT on http://wiki.services.openoffice.org/wiki/Certificate_Detection Checked it on a Debian 3.0 with Mozilla installed and neither the Office itself nor the BASIC Code could find the Profile. So I assume that the profile for Moziulla on these systems are somewhat different to the normally used ones. Joachim, should we use a more agressive detection method here ? Frank
lancehaverkamp do have started once a Mozilla browser (not firefox)? If you cannot remember, could you write down here the contents of the .mozilla directory in your home? I suppose that this was the case and now OOo uses the mozilla profile rather your Firefox profile.
Hi, I do not have Mozilla installed. Only Firefox & Thunderbird. I do have konqueror installed, but rarely use it. I think Konqueror uses the KDE crypto folder which has at least one of my certificates installed. OOo is still not finding any of these. My .mozilla directory has a sub-directory called firefox, another called plugins (which only contains links for the helix media player) and a mozver.dat file. Thanks, Lance
That is, there is only the .mozilla/firefox and no other file/directory? I am asking because, I do not see why your certificate is not found. On my debian it works. What you could still try out is this: - copy your .mozilla to a save place -delete .mozilla -start firefox (that will create a new .mozilla) -import your pkcs12 file ( certificate + key) into "Your certificates" in firefox. -try to sign the office document let us know what the result is.
Hi, That's correct, I have no other folders in .mozilla than what I listed above. OK I just tried it--to be extra sure I also backed-up & deleted the Thunderbird directory as well. I had the exact same results: Their are no certificates listed to choose from, and when I click "add" a new window opens but their are no certificates their to add. I'm using: Thunderbird version 1.0.7 (20051017) Firefox/1.5.0.1 OOo-core 2.0.1-1 Since submitting this issue, I have upgraded my SimplyMEPIS to version 3.4-3 (final) so I am basically using a pre KDE 3.5 version of Etch, which I did as a clean install--formating the hard drive. Their are very minor differences between MEPIS & Etch (basically just the live-CD installer & media configuration), but as MEPIS is a member of the Debian Core Consortium, they should not be significant (especially since other non-MEPIS & non-Debian users have reported the same issue--see links in original posting). In addition to the above, I also tried adding: export MOZILLA_CERTIFICATE_FOLDER=/home/lance/.mozilla/firefox/XXXXXXXXX.default to my ~/.bashrc file as described here: http://wiki.cacert.org/wiki/OpenOffice with no success I have not tried modifying the mozilla crypto files as mentioned here: http://www.openoffice.org/issues/show_bug.cgi?id=52069 If you like, I can try upgrading to the current KDE 3.5 testing version of Debian, but I understand it's still kind of unsettled from the major changes involved in going from KDE 3.4 to 3.5. Thanks, Lance
In order to avoid any miscommunication, please delete the whole .mozilla directory. I could not find out from your las post that you did. Please do not start thunderbird. Only start firefox. Add the certificate in firefox and try out office again. Please make also sure that you have restarted your office after you have added any certificates. There may be a potential bug that the profile in thunderbird are not found, thats why you should try this with firefox only.
Hi, OK, With all applications closed, I renamed the .mozilla folder to backup.mozilla then copied it to the desktop & deleted it from home. Started only firefox, imported the .p12 file into "Your certificates", visually made sure my personal certificates/keys were listed, closed firefox. Opened an .odt with OOo writer, went to: file > digital signatures > Add Nothing there to choose... I did the exact same thing deleting both the .mozilla AND .mozilla-thunderbird directories from my /home/lance directory & installing the .p12 only in firefox again but still no certificates were there to select. Yesterday, when I tried adding: export MOZILLA_CERTIFICATE_FOLDER=/home/lance/.mozilla/firefox/XXXXXXXXX.default to my ~/.bashrc file as described here: http://wiki.cacert.org/wiki/OpenOffice I opened a console & entered: echo $MOZILLA_CERTIFICATE_FOLDER I received the correct firefox xxxxxxxxxxx.default directory, but no certificates were available to select in OOo. Yes, I have removed that line from my .bashrc file; but it makes me wonder, if their are no certificates to display even when the MOZILLA_CERTIFICATE_FOLDER is set & echoing properly...maybe it's not a file detection problem, but something else entirely? Linux file permissions? Mozilla security device passphrase? Thanks, Lance
I downloaded & burned a copy of the Live-CD for both Ubuntu dapper drake (test flight 3) which is gnome based & SimplyMEPIS 3.4-3 (final) which is KDE. This eliminates ANY possibility that the issue is related to my system's configuration. I could not get a newly imported set of certificates to appear in OOo running either Live-CD. But the certificates were installed correctly in both of those systems as I was able to log into CAcert.org using those newly installed certificates with Firefox on both Live-CD installations. Lance
Ok, thanks for the thorough investigation. So this does not seem to be related to the recognition of the profiles. By the way, I noticed that you are running OOo on a 64 bit machine. Do you have your Debian installed in a way as to execute 32 bit application? As far as I know there is a 64bit port on the way, but currently the office needs to be executed in a 32 bit environment. Maybe this could be the cause.
Hmmm, That's not correct & don't see a way to change that setting...I'm using an AMD Athlon 1800+ 32 bit CPU. Sorry for the confusion! Lance
The platform field of this issue showed Opteron/x86_64. That's why I made this assumption. I will set it to all, to avoid further confusion. I'am sorry but currently I am out of ideas. I'll refer this issue to the QA team, hoping that they are able to reproduce this strange behaviour.
Thanks so much! They should have no trouble reproducing it given copies of the Live-CDs for both Ubuntu dapper drake (test flight 3) which is gnome based & SimplyMEPIS 3.4-3 (final) which is KDE. I could not get a newly imported set of certificates to appear in OOo running either Live-CD. But the certificates were installed correctly in both of those systems as I was able to log into CAcert.org using those newly installed certificates with Firefox on both Live-CD installations. Lance
changed target as it could not be fixed for 2.0.3
Hi, tried to reproduce with the Live CD for Ubuntu 5.10 and was able to reproduce the initial problem with the not common default profile naming for Firefox provided by Debian. If the environment variable MOZILLA_CERTIFICATE_FOLDER is set correctly, the imported Certificate is detected and shown in the Digital Signatures Add Dialog. So please follow these steps : 1.) Import your cert into Firefox 2.) open a terminal 3.) type (without quotes): 'export MOZILLA_CERTIFICATE_FOLDER=~/.mozilla/firefox/' 4.) press TAB two times to show the content of the folder. Type the first number of the *.default folder and press TAB to complete it 5.) Press Return 6.) start OpenOffice.org from the commandline, maybe ooffice2 does the job. Check the Digital Signatures dialog. Thanks for your help. Frank
This is impractical at best. After hitting tab twice it asks me if I want to display all 2800 results!?! Even answering "yes", I see nothing listed that ends with .default (not that anyone wants to look through 2800 results to find it). Am I supposed to be in a certain directory before issuing the command or ????? The average user like me (non hobbyist) isn't going to understand this. RE: Debian, It may have some non-standard aspects (I'll take your word for it--I wouldn't know), but keep in mind, HALF of the top-ten linux distros are Debian based, including the most used, Ubuntu. [source: DistroWatch.com] Only one other distro has occupied even two of the top ten slots for years. (Mandriva & pcLinuxOS just this month). So by far, Ooo's largest Linux user base is in Debian systems. Thanks, Lance -------------- 1.) Import your cert into Firefox 2.) open a terminal 3.) type (without quotes): 'export MOZILLA_CERTIFICATE_FOLDER=~/.mozilla/firefox/' 4.) press TAB two times to show the content of the folder. Type the first number of the *.default folder and press TAB to complete it 5.) Press Return 6.) start OpenOffice.org from the commandline, maybe ooffice2 does the job.
Hi Lance, sorry for5 the late reply. In the mean time we have implemented a new detection mechanism for the Debian based distros. Please check this Issue again with a new build of OOo2.1 from the OpenOffice.org website. Does the problem persist ? Thanks for your Help. Frank
Thanks so much for all you do! I have downloaded the official Linux tar.gz file. As we are talking about Debian based distro's here, I have NO idea what to do with this folder full of RPM's, and the readme says nothing about how to install OOo on ANY Linux Distro. I found a set of instructions here: http://news.softpedia.com/news/Install-OpenOffice-org-2-1-in-Ubuntu-Kubuntu-46182.shtml It discusses converting all the RPM's to Deb's; which is usually done by the Distro package maintainers, as some tweaking is often required. I can try this method, unless you have a better suggestion. What do you recommend? Thanks, Lance P.S. 2.1 is currently in Debian Experimental (which is even less stable than unstable), so it's going to be a while before official packages are available in Debian/Ubuntu.
As I feared, those instructions did not work: dpkg: regarding .../openoffice.org-debian-menus_2.1-5_all.deb containing openoffice.org-debian-menus: openoffice.org-core conflicts with openoffice.org-unbundled openoffice.org-debian-menus provides openoffice.org-unbundled and is to be installed. dpkg: error processing /home/lance/Desktop/OOE680_m6_native_packed-1_en-US.9095/RPMS/desktop-integration/openoffice.org-debian-menus_2.1-5_all.deb (--install): conflicting packages - not installing openoffice.org-debian-menus -------------- I will most likely have to wait until either MEPIS or Ubuntu issue a working Debian package (unless you've got better instructions. Thanks again! Lance
Hi, I now have 2.1 installed (found a few Debian hints and a little trial & error). I am able to display a list of certificates; this is a major step forward! However, OOo is finding 3 expired CAcert certificates and 1 unrelated certificate I never use! My CURRENT CAcert certificate is not displayed as a choice! The UNexpired cert is installed in both Thunderbird, Firefox & Konqueror. I can tell from the password that it is NOT using the firefox keystore. I can't tell where OOo is finding these certificates. When I issue the command: $ export or # export I see no MOZILLA_CERTIFICATE_FOLDER, so do you have any way to tell from where OOo is looking, but not finding my UNexpired CAcert certificate? Thanks, Lance
OK, I changed the password in order to determine where OOo was looking for Cert's. It is looking in Thunderbird. OOo is finding 3 expired CAcert certificates and 1 unrelated (but current) certificate I never use! My CURRENT CAcert certificate is not displayed as a choice! Neither are a couple of even older CAcert expired certificates. For some reason OOo is not displaying all the available certificates it finds in Thunderbird...it's not even choosing the newest. Any ideas? Thanks, Lance
according to release status meeting -> target 3.x
Hi Lance, I#ve discovered that you use SSL Certs. According to RFC 3280 such certs are not shown shown in the Keyusage section of it. So I suppose this is not a bug in OOo. Please get a Certificate valid for Signing documents and/or E-Mails. Personally I use a Cert issued by Thawte. Thanks for your Help, will try to get a SSL cert to check again. Frank
Hi Frank, This sort of works as of version 2.1--perhaps SSL is not the correct term. I do have a several regular browser certificates installed. Quoting from the thread above: I now have 2.1 installed (found a few Debian hints and a little trial & error). I am able to display a list of certificates; this is a major step forward! However, OOo is finding 3 expired CAcert certificates and 1 unrelated certificate I never use! My CURRENT CAcert certificate is not displayed as a choice! The UNexpired cert is installed in both Thunderbird, Firefox & Konqueror. I can tell from the password that it is NOT using the firefox keystore. I can't tell where OOo is finding these certificates. --------------------- I still see the same results in "genuine" OOo 2.4 (the debian install version from the official OOo website). I see a mix of some new & some old expired certificates listed; but not my current CAcert certificate. I don't know why OOo is bothering to display old, expired certificates when some other new, valid certificates are not being displayed. Thanks, Lance
Hi Lance, I've managed to get an SSL Server certificate, installed it to my keystore and tried to sign a document with it. It does not show up in the Add Cert dialog of OOo. But this was expected. Gone to CACert.org and get a Client Certificate from them. Installed into the keystore and tried to sign a document. It worked perfectly. So this seems to be a problem with either your special certificates and/or the location of the used keystore. OOo uses the following way to find the certs used and stops at the first found location : 1.) The Environment variable MOZILLA_CERTIFICATE_FOLDER 2,) The Thunderbird Profile 3.) The Mozilla Profile 4.) The Firefox Profile This is because mostly E-Mail Clients use certificates to sign documents. I'm sorry for no better reply but it seems that I have to close this Issue as worksforme. Please try a new Client Cert from CACert.org and comment on this Issue the next days, until than I leave the Issue open. Frank
For most people who have a single client certificate or two, the system now works. But for heavy crypto users, like me, there are still problems: I have ten different certificates in Thunderbird, from three different CA's. Two of those CAs' only gave me one certificate, and those are displaying properly. The problem comes when users have several old, expired certificates installed so they can decrypt old messages. I have 8 certificates from CAcert, with expiration dates ranging from 2005-2009. Six of of my eight have expired (at this writing, it's now 2009). Rather than OOo showing me the two still-valid certificates from CAcert, OOo is only displaying 3 expired certificates. They happen to have expired 3 years ago in 2006. Note that these are neither the newest, not the oldest certificates. I have no idea why OOo is choosing these particular certificates to display. There would appear the be room to display more certificates than just the 5 that I'm seeing, but if OOo is only going to display some of the installed certificates, it should at least be choosing to show the non-expired certificates. Thanks, Lance PS I am now using Genuine OOo 3.0.1 packaged for Debian/Ubuntu x86 systems.
Sorry the above post should say" "Note that these are neither the newest, *nor* the oldest certificates.
I am not sure if I ought to mention Apple OS X on this thread. I will wait to hear back from someone if they are OK with that or not. I don't want to distract. I will also keep searching for this same bug effecting OS X users. Thanks, Jason
Reset assigne to the default "issues@openoffice.apache.org".