On 15/4/19 11:36 am, Alexander V. Makartsev wrote:
> On 13.04.2019 23:21, Tyler A wrote:
>> I found a temporary solution that at least lets me visit the sites in
>> Firefox.
>>
>> However this doesn't fix OpenSSL (thus things like curl, wget).
>>
>> #!/usr/bin/env bash
>>
>> sudo apt-get install libnss3-tools
>>
>> downloadCerts=(http://cacerts.thawte.com/ThawteRSACA2018.crt
>> http://cacerts.geotrust.com/GeoTrustRSACA2018.crt)
>>
>> wget -c "${downloadCerts[@]}"
>>
>> for f in *.crt; do
>>     fbasename=${f%.crt}
>>     # the CA sites serve DER; certutil wants PEM
>>     openssl x509 -inform der -outform pem -in "$f" -out "$fbasename".pem
>>     # import into every NSS sql-format profile database under $HOME
>>     find ~ -name cert9.db -printf '%h\0' |
>>     while IFS= read -rd '' certDir; do
>>         certutil -A -n "${fbasename}" -t "TCu,Cuw,Tuw" -i "${fbasename}".pem -d sql:"$certDir"
>>     done
>> done
>
> This script imports certificates into Mozilla Firefox's own NSS DB.
> You can do the same procedure more easily in Firefox GUI with
> "Certificate Manager". ("Preferences" >> "Privacy & Security", click
> "View Certificates")

Yes I know. I wrote it :), it was an improved version of
https://stackoverflow.com/a/48424709

On 15/4/19 11:29 am, Alexander V. Makartsev wrote:
> Yes, my mistake, I've neglected that and now was able to repro your issue.
> As for your question about certificate installation. Apparently (I hope
> somebody will correct me on that),
> p11-kit doesn't provide a writable software pkcs#11 token for user to
> add/remove CA certificates, but
> 'gnome-keyring' does, and you should use it if you want to work with personal
> certificates, private keys, etc.

Ah yes. I have that and gnome-keyring and polkit-gnome on my Archlinux machine.

I should mention, it appears hostplus.com.au has fixed their site and it now
issues the certificate so we can no longer test against that. If you look at
the ssllabs.com test it now says (whereas they were both Incomplete before):

    Sent by server    GeoTrust RSA CA 2018
    Chain issues      Incorrect order, Contains anchor

Whereas if you look at bdm.cbs.sa.gov.au:

    Extra download    Thawte RSA CA 2018
    Chain issues      Incomplete

The latter one still doesn't work so we can test with that.

> However, most applications won't recognize the objects from gnome-keyring
> pkcs#11 module automatically and
> should be configured to use it by providing correct pkcs#11 module URI.
>
> So, that aside, in order to add CA certificates to "System Trust" token,
> provided by "p11-kit-trust" pkcs#11 module,
> you have to use "update-ca-certificates" utility.
> 1. Download CA certificates.
> 2. Process them with "openssl" to make them trusted and put them in special
> folder recognized by "update-ca-certificates" utility.
> $ sudo openssl x509 -inform der -in ./ThawteRSACA2018.crt -trustout -out /usr/local/share/ca-certificates/ThawteRSACA2018.crt
> $ sudo openssl x509 -inform der -in ./GeoTrustRSACA2018.crt -trustout -out /usr/local/share/ca-certificates/GeoTrustRSACA2018.crt
>
> 3. Start "update-ca-certificates" utility
> $ sudo update-ca-certificates -f
>
> 4. Check that certificates were added with "trust" utility.
> $ trust list --filter=ca-anchors --purpose=server-auth | egrep "GeoTrust RSA CA 2018|Thawte RSA CA 2018"
> label: GeoTrust RSA CA 2018
> label: Thawte RSA CA 2018
>
> That is it. Now a few remarks. Mozilla Firefox uses its own NSS DB to store
> certificates and doesn't use other pkcs#11 modules and tokens, such as "System
> Trust", by default, so you have to configure it.
> In Firefox browser, open "Preferences" >> "Privacy & Security", click
> "Security Devices" and click "Load".
> Type in module name and module path:
> Name: "p11-kit-trust PKCS#11 Module"
> Path: "/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so"
> New module should appear on the left pane with "System Trust" token. If you
> select it, it will have "/etc/ssl/certs/ca-certificates.crt" in its
> Description.
> After that, problem sites should work without any additional actions.
>
> Any program that automatically uses compiled certificates in
> "/etc/ssl/certs/ca-certificates.crt" (updated by "update-ca-certificates"),
> like curl, wget, openssl, etc, should work with those sites too.
> Additionally you can specify a pkcs#11 token URI to use in their command line
> parameters:
> $ p11tool --list-tokens
> Token 0:
>     URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
>     Label: System Trust
>     Type: Trust module
>     Manufacturer: PKCS#11 Kit
>     Model: p11-kit-trust
>     Serial: 1
>     Module: p11-kit-trust.so

On ArchLinux I noticed that under "Preferences" >> "Privacy & Security" >>
"Security Devices" there is:

    "Builtin Roots Module"
        /etc/ca-certificates/trust-source
            Status          Ready
            Description     /etc/ca-certificates/trust-source
            Manufacturer    PKCS#11 Kit
            HW Version      0.23
            FW Version      0.0

            Label           System Trust
            Manufacturer    PKCS#11 Kit
            Serial Number   1
            HW Version      0.23
            FW Version      0.0

I wonder if this has anything to do with the --with-system-nss[1] compile option?

I wrote this script which seems to work:

#!/usr/bin/env bash

downloadCerts=(http://cacerts.thawte.com/ThawteRSACA2018.crt)

wget -c "${downloadCerts[@]}"

for f in *.crt; do
    # -trustout emits a PEM "TRUSTED CERTIFICATE"; update-ca-certificates only
    # picks up files with a .crt extension from this directory
    sudo openssl x509 -inform der -in "$f" -trustout -out /usr/local/share/ca-certificates/"$f"
done

sudo update-ca-certificates -f

# register the p11-kit trust module in every NSS profile under $HOME, once
find ~ -name pkcs11.txt -printf '%h\0' |
while IFS= read -rd '' pkcs11Files; do
    if grep -Fxq "name=p11-kit-trust PKCS#11 Module" "$pkcs11Files"/pkcs11.txt
    then
        echo "Not adding device to $pkcs11Files/pkcs11.txt"
    else
        echo "Adding device to $pkcs11Files/pkcs11.txt"
        cat <<EOF >> "$pkcs11Files"/pkcs11.txt
library=/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
name=p11-kit-trust PKCS#11 Module
NSS=trustOrder=100
EOF
    fi
done

[0]: https://support.mozilla.org/en-US/questions/1022183
[1]: https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/firefox#n86

-- 
Tyler (tya99)
rsa4096/0x9C9954F88E388859
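The pkcs11.txt step at the end of the thread, generalized as an added example that is neither Tyler's script nor Alexander's instructions: it registers an arbitrary PKCS#11 module in every NSS sql-format profile (cert9.db) under a directory tree, treats a matching name or library path as already registered, creates pkcs11.txt when a profile lacks one, and reports how many profiles it changed. The demo runs against constructed throw-away profiles in a temp directory, so no real Firefox profile is touched. Assumptions: the p11-kit-trust.so location is taken from pkg-config's p11_module_path variable when p11-kit is installed, falling back to the Debian multiarch path quoted in the thread; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent PKCS#11 module registration
# in NSS profile databases by editing pkcs11.txt, as Tyler's script does.
set -eu

# Location of the p11-kit trust module. Assumption: ask pkg-config first, else
# use the multiarch path quoted in the thread.
default_module_path() {
    dir=$(pkg-config --variable=p11_module_path p11-kit 2>/dev/null || true)
    if [ -n "$dir" ]; then
        printf '%s\n' "$dir/p11-kit-trust.so"
    else
        printf '%s\n' /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
    fi
}

# True when the profile's pkcs11.txt already names this module or this library.
module_registered() {
    f="$1/pkcs11.txt"
    [ -f "$f" ] || return 1
    grep -Fxq "name=$2" "$f" || grep -Fxq "library=$3" "$f"
}

# Append a module spec to a profile's pkcs11.txt (created if missing).
# NSS separates module specs with a blank line, hence the leading newline.
# Returns 0 when added, 2 when the module was already registered.
register_module() {
    profile=$1; name=$2; library=$3
    if module_registered "$profile" "$name" "$library"; then
        return 2
    fi
    # trustOrder value copied from the thread's script
    printf '\nlibrary=%s\nname=%s\nNSS=trustOrder=100\n' "$library" "$name" \
        >> "$profile/pkcs11.txt"
}

# Register the module in every NSS database (cert9.db) below $1.
# Status lines go to stderr; the count of profiles changed is printed to stdout.
register_in_tree() {
    root=$1; name=$2; library=$3
    find "$root" -name cert9.db | {
        added=0
        while IFS= read -r db; do
            profile=${db%/cert9.db}
            if register_module "$profile" "$name" "$library"; then
                echo "added   $profile" >&2
                added=$((added + 1))
            else
                echo "skipped $profile (already registered)" >&2
            fi
        done
        echo "$added"
    }
}

# Demo on constructed profiles: one Firefox-like profile that already has a
# pkcs11.txt (with only the internal module) and one Thunderbird-like profile
# with no pkcs11.txt at all.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/firefox/abc.default" "$tmp/thunderbird/xyz.default"
    : > "$tmp/firefox/abc.default/cert9.db"
    : > "$tmp/thunderbird/xyz.default/cert9.db"
    printf 'library=\nname=NSS Internal PKCS #11 Module\n' \
        > "$tmp/firefox/abc.default/pkcs11.txt"
    lib=$(default_module_path)
    echo "first run changed:  $(register_in_tree "$tmp" 'p11-kit-trust PKCS#11 Module' "$lib")"
    echo "second run changed: $(register_in_tree "$tmp" 'p11-kit-trust PKCS#11 Module' "$lib")"
    echo "--- $tmp/firefox/abc.default/pkcs11.txt ---"
    cat "$tmp/firefox/abc.default/pkcs11.txt"
    rm -rf "$tmp"
}

demo
```

To run it for real, point register_in_tree at "$HOME" (or at ~/.mozilla and ~/.thunderbird only) and check the result in Firefox under "Security Devices", where a "System Trust" token should appear beneath the new module; libnss3-tools' modutil can do the same registration through NSS itself, which is the supported route when editing the file by hand is not acceptable.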