Autopkg and Firefox autoconfig


John Lockwood

Jul 3, 2018, 7:48:44 AM7/3/18
to autopkg-discuss
We perhaps fortunately mainly use Google Chrome at my current organisation and I personally also use Safari, however I finally bit the bullet and decided to try and fix the certificate issue caused by Firefox not respecting the various operating system standard certificate stores - KeyChain in the case of the Mac.

I therefore obtained a copy of Firefox 56 and installed the CCK2 plugin. (The cck2 plugin does not work on Firefox Quantum.)

Via this I generated an autoconfig.zip file and placed it in the same location as my autopkg override file for the Greg Neagle authored recipe for a customised Firefox installer pkg.

Autopkg is working fine, it downloads Firefox and using the recipe builds the customised Firefox installer pkg which includes the config from the autoconfig.zip. I have run this installer and examined the resulting copy of Firefox and I can see that there are indeed the expected customisations at the following locations -

/Applications/Firefox.app/Contents/Resources/cck2.cfg
/Applications/Firefox.app/Contents/Resources/cck2/resources/certs/

This contains the three self-signed rootCA certificates that I wanted.

Unfortunately when I run this resulting copy of Firefox it still rejects our internal websites as being untrusted. This suggests something has gone wrong.

I am very confident that this is not down to Autopkg or the recipe. It is therefore likely to be down to either cck2 or Firefox itself, or my own inadequacies. :) However the cck2 forum is very light on Mac specific details and as people here are more likely to have dealt with this issue I am hoping someone here can provide assistance.

I am testing on a client Mac running Sierra 10.12.6 and the version of Firefox generated is 61.0.

Does anyone have any advice?

Nick McSpadden

Jul 3, 2018, 11:51:08 AM7/3/18
to autopkg...@googlegroups.com
If I recall correctly, providing the certs alone isn't sufficient for AutoConf. You also have to specify the trust level. For CA certs, that should be: "C,,"


Although this documentation is nearly unreadable, search for 'trustargs' on this page to see what Firefox's certutil expects: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil

--
Nick McSpadden
nmcsp...@gmail.com

John Lockwood

Jul 3, 2018, 12:15:04 PM7/3/18
to autopkg-discuss
The user interface of cck2 gives you a list of options you can enable for the cert you are importing and it then dynamically lists the flags (C,, etc.) that correspond to them. I started off by ticking the first option, which did indeed generate C,,; however I also tried all three, which gives CTc,,; this still did not work :(

Gregory Neagle

Jul 3, 2018, 12:22:38 PM7/3/18
to autopkg...@googlegroups.com
If I look at the json for my cck2.config, I see:

  "certs": {
    "ca": [
      {
        "url": "/Users/Shared/code/Firefox CCK/certs/redacted1_ca.pem",
        "trust": "C,C,C"
      },
      {
        "url": "/Users/Shared/code/Firefox CCK/certs/redacted2_ca.pem",
        "trust": "C,C,C"
      }
    ]
  }

I assume that means I checked the first box on all three sections...

CA certs seem to work as expected here -- for now.
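An added example, not from this thread or from the CCK2 or AutoPkg projects, that lints a cck2-style "certs" section the way the replies above describe: each NSS trustargs string must have three comma-separated fields, and the first (SSL) field needs the C flag for internal HTTPS sites to be trusted. The sample config inside it is constructed; local file paths are checked on disk, resource:// URLs are assumed to live inside the packaged add-on and are skipped.

```python
"""Lint the "certs" section of a CCK2-style config for the NSS trust
flags Firefox expects (constructed example, not CCK2 or AutoPkg code)."""
import json
import os

# NSS certutil trust attribute letters (see the certutil reference page).
VALID_FLAGS = set("pPcCTuw")
TRUST_FIELDS = ("ssl", "email", "object_signing")


def parse_trustargs(trust):
    """Split an NSS trustargs string such as "C,C,C" or "CTc,," into its
    three per-usage fields; return {field: set(flags)} or raise ValueError."""
    parts = trust.split(",")
    if len(parts) != 3:
        raise ValueError(f"trustargs needs exactly 3 comma-separated fields: {trust!r}")
    parsed = {}
    for name, flags in zip(TRUST_FIELDS, parts):
        bad = set(flags) - VALID_FLAGS
        if bad:
            raise ValueError(f"unknown trust flag(s) {sorted(bad)} in {trust!r}")
        parsed[name] = set(flags)
    return parsed


def is_trusted_ssl_ca(trust):
    """True when the first (SSL) field carries C, i.e. the cert is a trusted
    CA for server certs, which is what makes internal HTTPS sites trusted."""
    return "C" in parse_trustargs(trust)["ssl"]


def lint_certs(config):
    """Return a list of findings for the entries under certs.ca."""
    findings = []
    for entry in config.get("certs", {}).get("ca", []):
        url, trust = entry.get("url", ""), entry.get("trust", "")
        try:
            if not is_trusted_ssl_ca(trust):
                findings.append(f"{url}: trust {trust!r} lacks C in the SSL field")
        except ValueError as exc:
            findings.append(f"{url}: {exc}")
        if url.startswith("resource://"):
            continue  # packaged inside the add-on; nothing to check on disk
        if not os.path.isfile(url):
            findings.append(f"{url}: file not found")
            continue
        with open(url) as fh:
            if "-----BEGIN CERTIFICATE-----" not in fh.read():
                findings.append(f"{url}: not a PEM certificate")
    return findings


# Constructed sample: one good resource:// entry, one broken local entry.
SAMPLE = json.loads('{"certs": {"ca": ['
                    '{"url": "resource://cck2_me.firefox.config/certs/myCA0.pem", "trust": "C,C,C"},'
                    '{"url": "/nonexistent/constructed_ca.pem", "trust": ",,"}]}}')

if __name__ == "__main__":
    for line in lint_certs(SAMPLE):
        print(line)
```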

John Lockwood

Jul 4, 2018, 7:16:23 AM7/4/18
to autopkg-discuss
Thanks for the response Greg. My own matching section from /Applications/Firefox.app/Contents/Resources/cck2.cfg looks like this

  "certs": {
    "ca": [
      {
        "url": "resource://cck2_me.firefox.config/certs/myCA0.pem",
        "trust": "C,C,C"
      },
      {
        "url": "resource://cck2_me.firefox.config/certs/myCA1.pem",
        "trust": "C,C,C"
      },
      {
        "url": "resource://cck2_me.firefox.config/certs/myCA2.pem",
        "trust": "C,C,C"
      }
    ]
  }

I am interpreting this as it referring to the certs that have been added inside Firefox.app from the autoconfig.zip via your recipe. As a test I edited the cck2.cfg inside Firefox.app to point to files already on my drive like your example. Sadly this did not work either, exactly the same as before it did not trust our internal websites.

Should this still take effect if a user already has a Firefox profile in their Library folder? Hmm, not sure this made a difference, also tried renaming ~/Library/Application Support/Firefox so as to cause a brand new profile, still not working.

This is being done for the first time with Firefox 61.0. I wonder if the idiots at Mozilla have broken this. Since you and others will have started this with earlier versions, you may have already had it do the setup before upgrading to 61.0.

(The ca files work fine for Google Chrome and Safari when added to the System keychain.)

In desperation I have tried a couple of other more visible options and hence easier to test from cck2. I set a default home page - this works, I tried the option to add an entry to the Help menu - this does not work, I tried the option to disable updates in Firefox - this works.

I also tried a fresh Mac with a fresh User account to make sure no previous Firefox config had an effect, this made no difference.

So I am getting the impression that a lot of possible options in cck2 do not work either on a Mac or in the current FF 61.0, this of course frustratingly including certs.

If anyone is able to confirm it works with the latest FF without it already having inherited this from an older Firefox install, it would be helpful.

Anthony Reimer

Jul 4, 2018, 11:39:41 AM7/4/18
to autopkg...@googlegroups.com
Just to make certain there is no little glitch related to the issues Mike Kaply raised in this blog post:

https://mike.kaply.com/2018/05/09/an-enterprising-future/

1. You built the CCK2 config file using Firefox 52 ESR or some non-Quantum release (you said you used Firefox 56, which should be OK).
2. The version of the CCK2 extension you used to build the CCK2 config is May 8 or later (latest release appears to be June 20); this added support for v. 60.

If I'm reading his post correctly, using CCK2 will break in Firefox 62 regardless; you need to use the 60 ESR branch to continue using CCK2. The alternative is to use the new policy engine, which I believe mosen is attempting to do in his FirefoxESRPolicies recipes (which borrows liberally from Greg's FirefoxAutoconfig recipes):

https://github.com/autopkg/mosen-recipes/tree/master/Mozilla

I think I have that right. But I've been wrong more than once this week, so YMMV.

Anthony Reimer

John Lockwood

Jul 4, 2018, 12:17:11 PM7/4/18
to autopkg-discuss
Hi Anthony,

Yes, using FF 56.0.2.
Using CCK2 2.2.5; no idea what date that corresponds to.

Thanks for the pointer about FF 62 and the new approach. I will have a look at that as well.

Gregory Neagle

Jul 4, 2018, 12:19:05 PM7/4/18
to autopkg...@googlegroups.com
Last I checked, though, the new policy engine had no support for custom certificates...

Gregory Neagle

Jul 4, 2018, 3:47:37 PM7/4/18
to autopkg...@googlegroups.com
Still seems to be the case: https://github.com/mozilla/policy-templates/blob/master/README.md

If they extend this policy to work on macOS, Firefox could just use the System keychain:

Certificates

This is a Windows only policy that tells Firefox to read certificates from the Windows certificate store.

{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": [true|false]
    }
  }
}
I am also annoyed at the number of policies that are for ESR only. Leaves out orgs that want to manage certain features and also be on a more current release.

-Greg