Untrusted Let's Encrypt certificate

Every time our LE cert is renewed, Pidgin throws up an untrusted certificate confirmation dialog. Does it not trust it or does the OS not trust it (Lin, Win)?

If Pidgin does not trust it, then why?

I would need to see the information about the cert to know for certain. There might be some information in the debug window when this happens as well.

You haven't given a lot of detail here, so I'm going to assume you're running an XMPP, IRC, or some other server that Pidgin is connecting to?

If that’s true, are you sure the renewed cert is being loaded into the server that’s using it? Generally speaking, after a cert is updated the service needs to be told that it’s changed and to reload it. If that step is skipped it will usually keep serving the old expired cert which would cause issues.

Let’s Encrypt is a free, public service. You can request a cert for any domain and then inspect it.

I'm well versed in Let's Encrypt. You'll notice that all of our sites use it as well.

However, you didn’t answer my question about the service reloading the certificate which is the most likely culprit.

How, do you suppose, do I learn that Pidgin does not trust the certs? By the error message that it throws every time the cert is renewed.
See? I am not really as dumb as you suggest I am.

There can be a couple of reasons that Pidgin will display a certificate popup after a certificate changes.

The main one that I’ve seen is when intermediate certificates (which Pidgin will cache) change without the server sending the intermediate certificate again. This can be dependent on the SSL/TLS server software which can be configured to not send intermediate certificates to clients that have already connected in order to save a bit of bandwidth, which is unfortunately incompatible with Pidgin.

The best way to see exactly why would be to look in the debug log (from the buddy list, Help->Debug Window) however Pidgin will only show the log from the time you open it, so you’d need to keep it open or potentially reconnect to the account and it might trigger again. For the above case, this will show as a “partial certificate chain” warning.

Completely understandable if you don't want to share the server address, but if you do we might be able to have a look into it further and see why 🙂

A potential workaround on Windows is to use the "win32 certificate loader" plugin, which will load certificates from the OS instead of the ca-bundle that ships with Pidgin, and might skip any intermediate certificate issues. You can grab it from https://github.com/EionRobb/pidgin-win32-nss-cert-import (imports Windows system certificates into Pidgin's NSS SSL plugin) if you want to give it a try.

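The check suggested in the reply above, worked through as an added example (this is not code from the thread or from the Pidgin project): it parses the "Certificate chain" summary that `openssl s_client -showcerts` prints and tells you whether the server is sending the intermediate at all, which is what Pidgin's "partial certificate chain" warning is about. The host name, port and `-starttls xmpp` flag in the comments are assumptions for illustration, the two `s_client` transcripts are constructed (the certificate bodies are placeholders, not real certificates), and the trust-anchor set stands in for whatever ca-bundle the client actually uses. The same transcript also answers the earlier question about whether the renewed cert is really the one being served, since the subject line at position 0 is the certificate the client sees, not the file on disk.

```python
"""Classify the certificate chain a TLS server presents, the way a client
without a cached intermediate sees it.

Added example for this thread, not code from the original posts or from the
Pidgin project. It parses the "Certificate chain" block printed by, e.g.

    openssl s_client -connect chat.example.net:5222 -starttls xmpp -showcerts </dev/null

(host name and port are assumed for illustration) and reports whether the
chain reaches a trust anchor or stops short.
"""
import re
from dataclasses import dataclass


@dataclass
class ChainEntry:
    subject: str
    issuer: str


# One chain position in s_client output looks like:
#  0 s:CN = chat.example.net
#    i:C = US, O = Let's Encrypt, CN = R3
_ENTRY = re.compile(r"^\s*\d+\s+s:(.*)\n\s*i:(.*)$", re.MULTILINE)

# Distinguished names used in the constructed samples below.
R3 = "C = US, O = Let's Encrypt, CN = R3"
ISRG_ROOT_X1 = "C = US, O = Internet Security Research Group, CN = ISRG Root X1"

# Stand-in for the client's ca-bundle: only the root is trusted, no
# intermediates are cached yet.
TRUSTED_ROOTS = {ISRG_ROOT_X1}

# Constructed s_client transcript: leaf plus intermediate (correct server config).
FULL_CHAIN = f"""CONNECTED(00000003)
---
Certificate chain
 0 s:CN = chat.example.net
   i:{R3}
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
 1 s:{R3}
   i:{ISRG_ROOT_X1}
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = chat.example.net
issuer={R3}
"""

# Constructed transcript: server sends only the leaf (intermediate omitted).
LEAF_ONLY = f"""CONNECTED(00000003)
---
Certificate chain
 0 s:CN = chat.example.net
   i:{R3}
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = chat.example.net
issuer={R3}
"""


def parse_chain(s_client_output: str) -> list[ChainEntry]:
    """Extract (subject, issuer) pairs in the order the server sent them."""
    return [ChainEntry(m.group(1).strip(), m.group(2).strip())
            for m in _ENTRY.finditer(s_client_output)]


def check_chain(chain: list[ChainEntry], trust_anchors: set[str]) -> tuple[str, str]:
    """Return (verdict, detail) for a presented chain.

    complete  - every certificate links to the next one, and the top of the
                chain is self-signed or signed by a name in trust_anchors
    unordered - an issuer was presented, but not at the next position
    partial   - an issuer was neither presented nor trusted; this is the
                chain Pidgin logs as a partial certificate chain
    """
    if not chain:
        return "empty", "server presented no certificates"
    # Issuers that are present must sit directly after the cert they signed.
    for i, cert in enumerate(chain):
        where = [j for j, c in enumerate(chain) if c.subject == cert.issuer and j != i]
        if where and where != [i + 1]:
            return "unordered", f"issuer {cert.issuer!r} is at position {where[0]}, expected {i + 1}"
    for i in range(len(chain) - 1):
        if chain[i].issuer != chain[i + 1].subject:
            return "partial", f"issuer {chain[i].issuer!r} of {chain[i].subject!r} was not presented"
    top = chain[-1]
    if top.subject == top.issuer:
        return "complete", f"chain ends at self-signed root {top.subject!r}"
    if top.issuer in trust_anchors:
        return "complete", f"{top.subject!r} is signed by trusted {top.issuer!r}"
    return "partial", f"issuer {top.issuer!r} of {top.subject!r} was not presented"


if __name__ == "__main__":
    for name, output in (("full chain", FULL_CHAIN), ("leaf only", LEAF_ONLY)):
        print(f"{name:>10}: {check_chain(parse_chain(output), TRUSTED_ROOTS)}")
    # Model of Pidgin's intermediate cache: once R3 has been seen, a
    # leaf-only chain verifies, until the CA rotates to an intermediate the
    # cache has not seen and the server still omits it.
    print(f"{'R3 cached':>10}: {check_chain(parse_chain(LEAF_ONLY), TRUSTED_ROOTS | {R3})}")
```

To use it against a live server, save the real `openssl s_client -showcerts` output to a file and pass its contents to `parse_chain`. Each `-----BEGIN CERTIFICATE-----` block in that output can also be piped to `openssl x509 -noout -dates -fingerprint` to confirm that position 0 really is the freshly renewed certificate and not the one the service loaded before the last reload.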

It’s on the intranet.

We have a few users on Windows; I can give it a try.

The server’s vendor confirms that they do send intermediate certificates from the full chain, at every renewal.

@smogr did you have any luck getting a debug log? That’ll be the best way to see what’s happening.

The cert will expire on Sep 28, as in the above screenshot. Until then there is nothing I can do.