Evolution with GOA for gmail is not working with a self-signed certificate

Hi,

I’m using Evolution on my professional laptop running Fedora 43, with GOA configured to access my professional gmail account.

I also have a standard personal email account using imap / smtp.

Everything is working fine.

Now, I have to install a new security client (Checkpoint / Perimeter81) that does MITM all the traffic, with its own self-signed certificate.

At the installation step, it installed the certificate in the Linux store and in the Firefox store so I get no issue with that.

Although, Evolution stopped pulling emails because of cert errors.

I could add the certificate to the evolution store, and it fixed the issue with my personal email server.

Although, for the gmail GOA one, I still have the error.

The error (in French) is:

L’erreur signalée était « L’authentification a échoué: Impossible d’obtenir un jeton d’accès pour « xx@yy.com » : Échec de l’actualisation du jeton d’accès (goa-error-quark, 0) : Code 200 attendu lors de la requête du jeton d’accès, code 0 ((null)) reçu à la place ».

Translated, that would be:

The error reported was "Authentication failed: Unable to obtain an access token for “xx@yy.com”: Failed to refresh access token (goa-error-quark, 0): Expected code 200 when requesting access token, received code 0 ((null)) instead."

I could see there were once issues mounting folders authenticated with GOA and self-signed certificates, but this is now solved.

Is there a place where I could add the root certificate to have GOA + gmail + evolution working?

Or is this a known issue?

Or maybe I’m not doing things properly?

Thanks,

Hi,
the first thing: it’s failing on the GOA side. Anybody wanting to use
the Gmail account from GOA should fail the same way.

The last time I saw “code 0 ((null))” from libsoup3, it was related to
a cancelled request. It’s not necessarily it though. You might ask GOA
folks to investigate this [1].

I suggest you configure the account directly in Evolution. That
should fix the problem, at least for Evolution itself.

Bye,
Milan

[1] Issues · GNOME / gnome-online-accounts · GitLab


Thanks,

I opened an issue on their GitLab but for now I have no answer.
For the Evolution part though, it’s not working either.

So I autodetect the auth method and it selects OAuth.
Then it opens an in-app browser to authenticate me:


I pass the login phase, password, MFA by clicking yes it’s me on my phone, and then:

If I try to “open in browser” (Firefox, I also tried with Chromium with the same behaviour), I get the authorization page:


Then it asks me to allow to use the evolution oauth2 module:

And on Firefox I’m redirected to https://www.google.com while on Evolution I stay stuck on:

It says it cannot accept the certificate for https://oauth2.googleapis.com/token

Oh, and also, I did all this with the CA cert imported already:

Do you have any idea how to use Evolution without GOA to authenticate against gmail while I have my MITM security software?

Edit: when starting Evolution from a terminal, running the in-app oauth login prints nothing, running the in browser oauth login prints this in the terminal:

[4067771:4068388:1216/160323.043482:ERROR:google_apis/gcm/engine/registration_request.cc:292] Registration response error message: DEPRECATED_ENDPOINT

Hello, in the end I found the client was not installing the ca-cert in the right place.
When done properly, GOA and Evolution are working fine.


Hi,
good you found it. It is odd to see one browser accepting the (TLS)
certificate, but Evolution not. My idea would be to check the
certificate installation place, and the trust settings for it, just as
you figured on your own.

Bye,
Milan
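
One way to check the "installation place" discussed above, as an added example that is not from any poster in this thread: a POSIX shell function that tells whether a given CA certificate actually ended up in a PEM trust bundle. The default bundle path is Fedora's extracted system bundle and is an assumption here; the thread does not name the location that turned out to be wrong or right, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: is this CA certificate (PEM) present in a PEM trust bundle?
# Assumption: Fedora's extracted system bundle; pass another path as $2 if needed.
DEFAULT_BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

# Print the base64 body of every certificate in a PEM file, one per line,
# so that differences in line wrapping or comment lines do not matter.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Return 0 if the first certificate in $1 is in bundle $2,
# 1 if it is not, 2 if either file is unreadable or holds no certificate.
ca_in_bundle() {
    cert=$1
    bundle=${2:-$DEFAULT_BUNDLE}
    [ -r "$cert" ] && [ -r "$bundle" ] || return 2
    want=$(pem_bodies "$cert" | head -n 1)
    [ -n "$want" ] || return 2
    pem_bodies "$bundle" | grep -qxF -- "$want"
}

# Command-line use: sh check-ca.sh /path/to/vendor-ca.pem [bundle.pem]
if [ "$#" -ge 1 ]; then
    ca_in_bundle "$@"
    case $? in
        0) echo "present in bundle" ;;
        1) echo "NOT in bundle" ;;
        *) echo "cannot read certificate or bundle" >&2 ;;
    esac
fi
```

On Fedora the extracted bundle is regenerated by `update-ca-trust` from anchors such as those under `/etc/pki/ca-trust/source/anchors/`, so a "NOT in bundle" result usually means the certificate was copied somewhere that tool does not read, or the tool was not re-run.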
