Version 7 (modified by 13 years ago) (diff) | ,
---|
MSN Certificate Error
MSN recently changed the certificate used on some of their servers. This certificate is used to negotiate a secure socket layer (SSL) session, an encrypted connection, between the client (Windows Live Messenger, Pidgin, etc.) and the server(s).
Unfortunately, not all the servers that are using this new certificate present the correct information to Pidgin for us to validate the certificate properly. Additional wrinkles are that not all omega.contacts.msn.com servers have been migrated to the new certificate, and that some of the servers that have been migrated are also correctly configured. Because of this, given enough attempts, you may actually achieve an occasional successful connection. Most of the time, however, you'll get an error message.
The error message you'll see is something like this:
Unable to validate certificate:
The certificate for omega.contacts.msn.com could not be validated. The certificate chain presented is invalid.
If you're reading this page, you're probably experiencing this problem. Here is the solution.
How Do I Fix It?
Upgrade to Pidgin 2.7.7 or newer
In Pidgin 2.7.6, we began distributing the additional intermediate certificates that some of MSN's servers are not sending us. Although we thought this was enough, after we released 2.7.6 we discovered that some additional work was necessary. To fix that, we released Pidgin 2.7.7 with what we believe to be a complete fix to the problem.
If upgrading is not possible
If you can't upgrade to Pidgin 2.7.7 or newer, then here's how to partially fix the problem. This should work for any version of Pidgin from 2.5.0 to 2.7.5, inclusive, but only if your SSL plugin is Mozilla NSS. (GNUTLS acts differently; this fix does not work for GNUTLS users without the additional changes that went into Pidgin 2.7.7.)
Note that while we verified the certificates we instruct you to download below, there is always a risk involved in downloading certificates, especially ones you have not personally verified, from a website and adding them to your trusted CA store. Ordinarily you should avoid this practice. Instead of following the instructions below, we strongly recommend upgrading to Pidgin 2.7.7 or newer, which include the certificates and other fixes.
Get the new intermediate certificates
If you have followed other (incorrect) instructions to replace the 'omega.contacts.msn.com' certificate, then you must delete that certificate from Tools->Certificates
first.
Download Microsoft_Internet_Authority_2010.pem and Microsoft_Secure_Server_Authority_2010.pem then follow the appropriate set of directions below.
Windows
- Save the files to C:\Program Files\Pidgin\ca-certs (or C:\Program Files (x86)\Pidgin\ca-certs as appropriate)
- Restart Pidgin
Linux
- Save the files to /usr/share/purple/ca-certs (or /usr/local/share/purple/ca-certs as appropriate)
- Restart Pidgin
Thanks to Kaurin/SQuID for blogging this solution earlier.