Bug#926388: let Firefox trust /etc/ssl/certs/ca-certificates.crt

2021-02-07 Thread Holger Fischer
Hi,
Bullseye will be frozen soon. Let's manage to get this sorted out 😀️.

I think the maintainable solution to this is to 

replace (dpkg-divert)
libnssckbi.so (/usr/lib//nss/libnssckbi.so)

with
/usr/lib//pkcs11/p11-kit-trust.so 

if a package 
p11-kit-trust 
is installed.

The package p11-kit-trust can be built from:
https://packages.debian.org/source/sid/p11-kit 

as described here (the package name here is still p11-kit-nssckbi, but
that can be changed easily):
https://salsa.debian.org/gnutls-team/p11-kit/-/commit/2bc43fb58fc491d2a845a321cadd90a7f33f371e

Solution found here:
https://salsa.debian.org/gnutls-team/p11-kit/commits/tmp-704180-divertnss

taken from bug report
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180#80

Internet sources which describe the same solution:
https://superuser.com/a/1312419

https://www.bachmann-lan.de/linux-mit-eigenen-ssl-zertifikaten-root-ca-installieren/

(In Fedora/Red Hat/etc. it's done this way by default, package name for
this is p11-kit-trust)

I think this bug report is a duplicate of #704180

BR
DI(FH) Holger Fischer, MSc



Bug#926388: let Firefox trust /etc/ssl/certs/ca-certificates.crt

2021-02-12 Thread Martin Habovštiak
Hi, as someone who got bitten by this and spent like half a day figuring it
out, I fully support this.
I found out that diverting/replacing that file is not enough as Firefox and
Thunderbird are shipped with their own versions (not sure if applies to
Bullseye too, I only checked Buster).

I wrote this script:
function replace_libnssckbi() {
    # TODO: support other archs
    # Divert the original aside, then link the p11-kit trust module in its place.
    dpkg-divert --rename --package selfhost-clearnet-certbot --add "$1" \
        || return 1
    ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so "$1"
}

# TODO: support other archs
replace_libnssckbi /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
replace_libnssckbi /usr/lib/firefox-esr/libnssckbi.so
replace_libnssckbi /usr/lib/thunderbird/libnssckbi.so

I guess it will need some checks or calls to mkdir but works at least for
me.

Side note: Firefox will not accept a self-signed server certificate added
to ca-certificates. You have to create a CA, add its certificate to
ca-certificates, generate a separate server certificate signed by that CA
and use it for server. I think this is OK, just mentioning in case someone
finds this and wants to set it up.
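The divert approach from Holger's and Martin's messages as one re-runnable script, added here as an example and not code from the bug report, from p11-kit or from Debian: the multiarch triplet comes from dpkg-architecture instead of being hard-coded, files that are not installed are skipped, a libnssckbi.so that is already our symlink is detected, and DRY_RUN=1 prints the commands instead of running them. ROOT (a prefix for exercising the script against a fake tree), MULTIARCH, DRY_RUN and the diverting package name local-p11-kit-trust are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug report: divert each libnssckbi.so named
# in the thread and replace it with a symlink to p11-kit-trust.so, so NSS-based
# programs use the system trust store. Run as root; DRY_RUN=1 prints instead.
#
# Assumed knobs (not on the page): ROOT prefixes every path check so the script
# can be exercised against a fake tree; MULTIARCH overrides the detected
# triplet; DIVERT_PKG names the (placeholder) package owning the diversion.
: "${ROOT:=}"
: "${DRY_RUN:=0}"
: "${MULTIARCH:=}"
: "${DIVERT_PKG:=local-p11-kit-trust}"

# Multiarch triplet of this system (dpkg-architecture ships in dpkg-dev);
# falls back to the x86_64 triplet used in the thread.
multiarch_triplet() {
    if [ -n "$MULTIARCH" ]; then
        echo "$MULTIARCH"
    elif command -v dpkg-architecture >/dev/null 2>&1; then
        dpkg-architecture -qDEB_HOST_MULTIARCH
    else
        echo x86_64-linux-gnu
    fi
}

# The NSS copy plus the private copies firefox-esr and thunderbird shipped
# before bookworm (one path per line).
nssckbi_candidates() {
    printf '%s\n' \
        "/usr/lib/$1/nss/libnssckbi.so" \
        /usr/lib/firefox-esr/libnssckbi.so \
        /usr/lib/thunderbird/libnssckbi.so
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Divert $1 (a libnssckbi.so path) aside as $1.distrib and link the trust
# module $2 into its place. Missing files are skipped and an existing link to
# $2 is left alone, so the script can be re-run after upgrades.
replace_libnssckbi() {
    target=$1 trust=$2
    if [ -L "$ROOT$target" ] && [ "$(readlink "$ROOT$target")" = "$trust" ]; then
        echo "already diverted: $target"
    elif [ ! -e "$ROOT$target" ]; then
        echo "not present, skipping: $target"
    else
        run dpkg-divert --package "$DIVERT_PKG" --rename \
            --divert "$target.distrib" --add "$target" || return 1
        run ln -s "$trust" "$ROOT$target"
    fi
}

main() {
    triplet=$(multiarch_triplet)
    trust=/usr/lib/$triplet/pkcs11/p11-kit-trust.so
    if [ ! -e "$ROOT$trust" ]; then
        echo "missing $trust: install p11-kit-modules first" >&2
        return 1
    fi
    nssckbi_candidates "$triplet" | while IFS= read -r path; do
        replace_libnssckbi "$path" "$trust" || exit 1
    done
}

# Runs only when saved and executed as divert-nssckbi.sh, not when sourced.
case $0 in *divert-nssckbi.sh) main "$@" ;; esac
```

Running it with DRY_RUN=1 first shows the dpkg-divert and ln commands it would issue for this machine; on bookworm, where the browsers no longer carry their own copy, the firefox-esr and thunderbird paths are reported as skipped and only the NSS copy is diverted.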


Bug#926388: let Firefox trust /etc/ssl/certs/ca-certificates.crt

2019-04-04 Thread Mike Gabriel

Package: debian-edu-config
Severity: wishlist

Hi,

today I have played with Firefox and custom CA certificate import into  
the browser. This over-all sucks. Firefox does not consider the  
system-wide CA cert store as trustworthy by default.


However, there is a simple solution to this: the trust cryptography  
module in p11-kit-modules.


For this, to be doable on Debian Edu sites, we need to add this content:

```
library=/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
name=PKCS#11 Trust Module
NSS=trustOrder=100
```

to debian-edu-config's file  
etc/skel/.mozilla/firefox/debian-edu.default/pkcs11.txt


With this file in place in fresh mozilla profiles, Firefox will  
activate the pkcs11 trust module and trust CA certificates in  
/etc/ssl/certs/ca-certificates.crt.


A similar solution must be found for chromium.

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de





Bug#926388: let Firefox trust /etc/ssl/certs/ca-certificates.crt

2019-04-04 Thread Wolfgang Schweer
Moin Mike,

On Thu, Apr 04, 2019 at 10:31:54AM +, Mike Gabriel wrote:
> to debian-edu-config's file
> etc/skel/.mozilla/firefox/debian-edu.default/pkcs11.txt
 
While this was valid for Stretch, in Buster /etc/skel isn't used 
anymore. Certificate related configuration is done in gosa-create.
(Works for Firefox-ESR, Thunderbird, Konqueror and Chromium).

See also:
https://wiki.debian.org/DebianEdu/Documentation/Buster/Features#Other_changes_compared_to_the_previous_release
for SSL/TLS related changes.

There's also a tool (share/debian-edu-config/tools/update-cert-dbs) 
which will be called upon upgrades from Stretch to configure this for 
existing user accounts.

Wolfgang




Bug#926388: let Firefox trust /etc/ssl/certs/ca-certificates.crt

2019-04-04 Thread Mike Gabriel

HI Wolfgang,

On  Do 04 Apr 2019 14:19:31 CEST, Wolfgang Schweer wrote:


> Moin Mike,
> 
> On Thu, Apr 04, 2019 at 10:31:54AM +, Mike Gabriel wrote:
> 
> > to debian-edu-config's file
> > etc/skel/.mozilla/firefox/debian-edu.default/pkcs11.txt
> 
> While this was valid for Stretch, in Buster /etc/skel isn't used
> anymore. Certificate related configuration is done in gosa-create.
> (Works for Firefox-ESR, Thunderbird, Konqueror and Chromium).
> 
> See also:
> https://wiki.debian.org/DebianEdu/Documentation/Buster/Features#Other_changes_compared_to_the_previous_release
> for SSL/TLS related changes.
> 
> There's also a tool (share/debian-edu-config/tools/update-cert-dbs)
> which will be called upon upgrades from Stretch to configure this for
> existing user accounts.
> 
> Wolfgang


While the above named approach and scripts are good for handling the  
DebianEdu root-CA, it cannot be used for site-specific adaptations.


Of course, I could have copied and adapted update-cert-dbs to my  
purpose, but for generic CA rollouts, I find the pkcs11.txt approach  
much more elegant.


Btw, for Chrome/Chromium, pkcs11.txt as given above in the bug report  
needs to be placed into ~/.pki/nssdb/pkcs11.txt.


I needed this as I set up an e2guardian with SSL MitM and https deep  
package introspection (I know, this can be seen as "URGH..."). I also  
had a user-specific import script, but that did not scale well with  
many users on site. Handling this via pkcs11.txt and the trust pki  
module came in much smarter.


Feel free to keep this bug open for bullseye, so we can re-discuss  
this approach or close it. (In IT-Zukunft Schule, we will use it).


Greets,
Mike
--





Bug#926388: let Firefox trust /etc/ssl/certs/ca-certificates.crt

2019-04-04 Thread Wolfgang Schweer
On Thu, Apr 04, 2019 at 01:03:50PM +, Mike Gabriel wrote:
> Feel free to keep this bug open for bullseye, so we can re-discuss this
> approach or close it.

Yes, let's consider this for bullseye.

Just for the record:

[ pkcs11.txt ]
On a 64-bit PC Buster system this is working ok:
> library=/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
> name=PKCS#11 Trust Module
> NSS=trustOrder=100

To get it working for a mixed 64-bit / 32-bit setup this content 
seems to work:
library=/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
library=/usr/lib/i386-linux-gnu/pkcs11/p11-kit-trust.so
name=PKCS#11 Trust Module
NSS=trustOrder=100

For already existing accounts:

[ Firefox-ESR ]
Checking the existence and then removing 
~/.mozilla/firefox/debian-edu.default/{cert8.db,key3.db,cert9.db,key4.db}
after replacing the existing pkcs11.txt file seems to work.

[ Thunderbird ]
Similar to Firefox-ESR; location:
~/.thunderbird/debian-edu.default/{cert8.db,key3.db,cert9.db,key4.db}

[ Chromium, Konqueror, and others using PKI ]
Check the existence and then remove
~/.pki/{cert9.db,key4.db}
after replacing the existing pkcs11.txt file


Wolfgang




Bug#926388: let Firefox trust /etc/ssl/certs/ca-certificates.crt

2019-04-04 Thread Mike Gabriel

Hi Wolfgang.

On  Do 04 Apr 2019 17:18:38 CEST, Wolfgang Schweer wrote:


> On Thu, Apr 04, 2019 at 01:03:50PM +, Mike Gabriel wrote:
> 
> > Feel free to keep this bug open for bullseye, so we can re-discuss this
> > approach or close it.
> 
> Yes, let's consider this for bullseye.


Yep.


> Just for the record:
> 
> [ pkcs11.txt ]
> On a 64-bit PC Buster system this is working ok:
> 
> > library=/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
> > name=PKCS#11 Trust Module
> > NSS=trustOrder=100


Nice.


> To get it working for a mixed 64-bit / 32-bit setup this content
> seems to work:
> library=/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
> library=/usr/lib/i386-linux-gnu/pkcs11/p11-kit-trust.so
> name=PKCS#11 Trust Module
> NSS=trustOrder=100


Nice add-on information.


> For already existing accounts:
> 
> [ Firefox-ESR ]
> Checking the existence and then removing
> ~/.mozilla/firefox/debian-edu.default/{cert8.db,key3.db,cert9.db,key4.db}
> after replacing the existing pkcs11.txt file seems to work.


That is not necessary IMHO. If pkcs11.txt exists, the above text  
config block needs to be appended to it. If it does not exist, copying  
over the above pkcs11.txt is sufficient.



> [ Thunderbird ]
> Similar to Firefox-ESR; location:
> ~/.thunderbird/debian-edu.default/{cert8.db,key3.db,cert9.db,key4.db}


Same here. The .db files can stay. If pkcs11.txt exists, append the  
above config block.



> [ Chromium, Konqueror, and others using PKI ]
> Check the existence and then remove
> ~/.pki/{cert9.db,key4.db}
> after replacing the existing pkcs11.txt file


Same here. Again, not replacing pkcs11.txt, but appending to it, if it  
exists. The .db files can stay.


Mike
--



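Mike's "append, don't replace" rule together with Wolfgang's list of profile locations and his mixed 64/32-bit pkcs11.txt, as an added example script that is not from the thread or from debian-edu-config: it creates pkcs11.txt when missing, appends the trust-module block when the file exists, leaves a file that already loads p11-kit-trust.so alone, and emits one library= line per triplet listed in MULTIARCH. The MULTIARCH variable and the use of prefs.js to recognise Firefox and Thunderbird profile directories are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or debian-edu-config: give every
# NSS database directory of a user a pkcs11.txt that loads the p11-kit trust
# module. Existing files are appended to, never replaced; a file that already
# names p11-kit-trust.so is left untouched, so the script is safe to re-run.
#
# Assumption (not on the page): MULTIARCH lists the triplets to emit one
# library= line for each, e.g. "x86_64-linux-gnu i386-linux-gnu" for the mixed
# 64/32-bit case from the thread.
: "${MULTIARCH:=x86_64-linux-gnu}"

# The pkcs11.txt entry from the thread, one library= line per triplet.
trust_module_block() {
    for triplet in $MULTIARCH; do
        echo "library=/usr/lib/$triplet/pkcs11/p11-kit-trust.so"
    done
    echo 'name=PKCS#11 Trust Module'
    echo 'NSS=trustOrder=100'
}

# True when the pkcs11.txt in directory $1 already loads the trust module.
has_trust_module() {
    [ -f "$1/pkcs11.txt" ] && grep -q 'p11-kit-trust\.so' "$1/pkcs11.txt"
}

# Create, append to or leave alone the pkcs11.txt in directory $1 and report
# which of the three happened. The directory is created if missing.
ensure_trust_module() {
    dir=$1 file=$1/pkcs11.txt
    mkdir -p "$dir"
    if has_trust_module "$dir"; then
        echo "unchanged: $file"
    elif [ -f "$file" ]; then
        # Entries in pkcs11.txt are separated by a blank line; make sure the
        # existing content ends with a newline before adding that separator.
        [ -z "$(tail -c 1 "$file")" ] || printf '\n' >> "$file"
        { printf '\n'; trust_module_block; } >> "$file"
        echo "appended: $file"
    else
        trust_module_block > "$file"
        echo "created: $file"
    fi
}

# NSS database directories under home directory $1: Firefox and Thunderbird
# profiles (recognised by their prefs.js, an assumption) and the shared
# ~/.pki/nssdb that Chromium and Konqueror use.
nss_db_dirs() {
    for d in "$1"/.mozilla/firefox/*/ "$1"/.thunderbird/*/; do
        [ -f "$d/prefs.js" ] && printf '%s\n' "${d%/}"
    done
    printf '%s\n' "$1/.pki/nssdb"
}

# Usage: sh ensure-trust-module.sh [HOME_DIR]   (defaults to $HOME)
main() {
    nss_db_dirs "${1:-$HOME}" | while IFS= read -r dir; do
        ensure_trust_module "$dir"
    done
}

case $0 in *ensure-trust-module.sh) main "$@" ;; esac
```

Because the cert*.db and key*.db files are never touched, a user's own imported certificates and stored keys survive the change; the only effect is that the trust module is added to whatever modules the profile already loads.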


Bug#926388: let Firefox trust /etc/ssl/certs/ca-certificates.crt

2023-06-14 Thread Sam Morris
On Fri, Feb 12, 2021 at 10:15:36AM +0100, Martin Habovštiak wrote:
> # TODO: support other archs
> replace_libnssckbi /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
> replace_libnssckbi /usr/lib/firefox-esr/libnssckbi.so
> replace_libnssckbi /usr/lib/thunderbird/libnssckbi.so

As of Debian 12 ("bookworm"), firefox-esr and thunderbird no longer ship
their own libnssckbi.so files:


So I think this bug can be resolved as a duplicate of
.

-- 
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9