Accidentally accepted a TLS certificate, how can I revoke it?

I accidentally accepted a TLS certificate by clicking “accept permanently” in the same dialogue as in Gnome-calendar SSL/TLS Certificate Trust Issue - how can I revoke the certificate?

more details, how did this happen:

  • I opened the laptop and it connected to a public wifi with a capture portal.
  • I guess that gnome online accounts or gnome calendar then wanted to start TLS connections in order to sync with caldav backends. it was presented with a certificate from the capture portal
  • I was presented with a screen asking if I wanted to accept the TLS certificate. I accidentally clicked “accept permanently”.

thx, Johannes

Hi,
I’m afraid gnome-calendar doesn’t show this information in the calendar
Preferences, even it depends what account type (and part) you accepted
the certificate for.

When you install Evolution and go to the Calendar view, then you can
view Properties of the calendars in the context menu of the respective
calendar and those calendars using the SSL/TLS trust have a button
“Unset trust for SSL/TLS certificate” shown there, which can be
clicked, if there is any trust set.

Alternatively, search ~/.config/evolution/sources/ files for
SslTrust= lines, where those with it set have there stored something
like:

   SslTrust=accept|HOSTNAME|HASH

thus you can see what host the trust is set for. Simply make it

   SslTrust=

and save the changes. It should propagate into the background processes
shortly after the changes are saved, but if you want to be sure, then
run:

    evolution --force-shutdown

or when Evolution is not installed kill background processes in this
order:

   evolution-alarm-notify
   evolution-addressbook-factory
   evolution-source-registry
   evolution-calendar-factory

which you can see with ps ax | grep evolution, using either command:

   kill -TERM $PID

or

   kill -9 $PID

where the PID is a process ID from the ps command. Note that some
desktop environments can restart the processes when they disappear
(GNOME Shell does that for the calendar factory), thus the order
matters and it’s possible the processes will be started under the hood,
which is okay, as long as their PID changes.

Bye,
Milan

thank you very much, Milan, for your detailed and helpful response, very much appreciated!

to my surprise, I could not find any custom trust…

  • evolution’s gui did not show custom trust (i.e., the button “Unset trust for SSL/TLS certificate” in all of evolution’s calendar properties was disabled)
  • none of the files in ~/.config/evolution/sources/ had custom trust set in the SslTrust= lines.
  • I also checked .var/app/org.gnome.Evolution/config/evolution/sources, none of the files had custom trust.

…I don’t really have an explanation. Maybe evolution did not store the trust setting because its attempted sync failed?

next steps, I can offer to contribute back and add the info from this thread to evolution’s (or gnome calendar’s? or gnome online accounts’?) documentation… Would that be a welcome addition? Any hints where to get started?

> none of the files in ~/.config/evolution/sources/ had custom trust
> set in the SslTrust= lines.

Hi,

there is also ~/.cache/evolution/sources/, but I’d not expect it to
contain these, unless they are copied from the main .source file under
the ~/.config/evolution/sources/ . If it failed to connect, then maybe
it did not store the trust permanently. Hard to say.

> I also checked .var/app/org.gnome.Evolution/config/evolution/sources,
> none of the files had custom trust.

These are for Flatpak Evolution. I thought you use the version provided
by your distribution.

> (or gnome calendar’s? or gnome online accounts’?) documentation…
> Would that be a welcome addition? Any hints where to get started?

I cannot speak much about this. No idea what they would do with it,
it’s very low level. Nothing for an average user. People can link this
thread if needed, but as I said, I cannot speak for the other projects.

Bye,
Milan
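
The search-and-reset of SslTrust= lines described in the replies above, as an added shell example that is not part of the original thread and not Evolution's own tooling. It checks the three directories named in the thread; the function names and the contents of the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Evolution's own tooling): find and clear stored SslTrust= values.

# Print "FILE<TAB>RESPONSE<TAB>HOST" for each .source file whose SslTrust= is non-empty.
list_ssl_trust() {
    for dir in "$@"; do
        for f in "$dir"/*.source; do
            [ -f "$f" ] || continue
            # Value layout as given in the thread: accept|HOSTNAME|HASH
            awk -F'|' -v file="$f" '/^SslTrust=./ {
                sub(/^SslTrust=/, "", $1); printf "%s\t%s\t%s\n", file, $1, $2 }' "$f"
        done
    done
}

# Empty the SslTrust= line of one file in place; returns 1 if no trust was set.
clear_ssl_trust() {
    grep -q '^SslTrust=.' "$1" || return 1
    tmp=$(mktemp) || return 2
    sed 's/^SslTrust=.*/SslTrust=/' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# The three directories named in the thread: native config, cache, Flatpak config.
audit_default() {
    list_ssl_trust "$HOME/.config/evolution/sources" \
                   "$HOME/.cache/evolution/sources" \
                   "$HOME/.var/app/org.gnome.Evolution/config/evolution/sources"
}

# Demo on constructed files (host, hash and file contents are made-up sample values).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[WebDAV Backend]' 'SslTrust=accept|portal.example|0123abcd' > "$d/a.source"
    printf '%s\n' '[WebDAV Backend]' 'SslTrust=' > "$d/b.source"
    list_ssl_trust "$d"            # lists only a.source
    clear_ssl_trust "$d/a.source"  # resets it to SslTrust=
    list_ssl_trust "$d"            # now lists nothing
    rm -rf "$d"
}

# "sh script.sh demo" runs the constructed sample; no argument audits the real directories.
case "${1:-}" in
    demo) demo ;;
    *)    audit_default ;;
esac
```

After clearing an entry, restart the background processes as described in the first reply so the change is picked up.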
