
Bug#926388: let Firefox trust /etc/ssl/certs/ca-certificates.crt


Mike Gabriel

Apr 4, 2019, 6:40:03 AM
Package: debian-edu-config
Severity: wishlist

Hi,

today I have played with Firefox and custom CA certificate import into
the browser. This over-all sucks. Firefox does not consider the
system-wide CA cert store as trustworthy by default.

However, there is a simple solution to this: the trust cryptography
module in p11-kit-modules.

For this, to be doable on Debian Edu sites, we need to add this content:

```
library=/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
name=PKCS#11 Trust Module
NSS=trustOrder=100
```

to debian-edu-config's file
etc/skel/.mozilla/firefox/debian-edu.default/pkcs11.txt

With this file in place in fresh mozilla profiles, Firefox will
activate the pkcs11 trust module and trust CA certificates in
/etc/ssl/certs/ca-certificates.crt.

A similar solution must be found for chromium.

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.g...@das-netzwerkteam.de, http://das-netzwerkteam.de

Wolfgang Schweer

Apr 4, 2019, 8:40:03 AM
Moin Mike,

On Thu, Apr 04, 2019 at 10:31:54AM +0000, Mike Gabriel wrote:
> to debian-edu-config's file
> etc/skel/.mozilla/firefox/debian-edu.default/pkcs11.txt

While this was valid for Stretch, in Buster /etc/skel isn't used
anymore. Certificate related configuration is done in gosa-create.
(Works for Firefox-ESR, Thunderbird, Konqueror and Chromium).

See also:
https://wiki.debian.org/DebianEdu/Documentation/Buster/Features#Other_changes_compared_to_the_previous_release
for SSL/TLS related changes.

There's also a tool (share/debian-edu-config/tools/update-cert-dbs)
which will be called upon upgrades from Stretch to configure this for
existing user accounts.

Wolfgang

Mike Gabriel

Apr 4, 2019, 9:10:02 AM
Hi Wolfgang,

While the above-named approach and scripts are good for handling the
DebianEdu root CA, they cannot be used for site-specific adaptations.

Of course, I could have copied and adapted update-cert-dbs to my
purpose, but for generic CA rollouts, I find the pkcs11.txt approach
much more elegant.

Btw, for Chrome/Chromium, pkcs11.txt as given above in the bug report
needs to be placed into ~/.pki/nssdb/pkcs11.txt.

I needed this as I set up an e2guardian with SSL MitM and https deep
packet introspection (I know, this can be seen as "URGH..."). I also
had a user-specific import script, but that did not scale well with
many users on site. Handling this via pkcs11.txt and the trust pki
module came in much smarter.

Feel free to keep this bug open for bullseye, so we can re-discuss
this approach or close it. (In IT-Zukunft Schule, we will use it).

Greets,

Wolfgang Schweer

Apr 4, 2019, 11:30:03 AM
On Thu, Apr 04, 2019 at 01:03:50PM +0000, Mike Gabriel wrote:
> Feel free to keep this bug open for bullseye, so we can re-discuss this
> approach or close it.

Yes, let's consider this for bullseye.

Just for the record:

[ pkcs11.txt ]
On a 64-bit PC Buster system this is working ok:
> library=/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
> name=PKCS#11 Trust Module
> NSS=trustOrder=100

To get it working for a mixed 64-bit / 32-bit setup this content
seems to work:

```
library=/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
library=/usr/lib/i386-linux-gnu/pkcs11/p11-kit-trust.so
name=PKCS#11 Trust Module
NSS=trustOrder=100
```

For already existing accounts:

[ Firefox-ESR ]
Checking the existence and then removing
~/.mozilla/firefox/debian-edu.default/{cert8.db,key3.db,cert9.db,key4.db}
after replacing the existing pkcs11.txt file seems to work.

[ Thunderbird ]
Similar to Firefox-ESR; location:
~/.thunderbird/debian-edu.default/{cert8.db,key3.db,cert9.db,key4.db}

[ Chromium, Konqueror, and others using PKI ]
Check the existence and then remove
~/.pki/{cert9.db,key4.db}
after replacing the existing pkcs11.txt file.


Wolfgang

Mike Gabriel

Apr 4, 2019, 5:50:03 PM
Hi Wolfgang.

On Do 04 Apr 2019 17:18:38 CEST, Wolfgang Schweer wrote:

> On Thu, Apr 04, 2019 at 01:03:50PM +0000, Mike Gabriel wrote:
>> Feel free to keep this bug open for bullseye, so we can re-discuss this
>> approach or close it.
>
> Yes, let's consider this for bullseye.

Yep.

> Just for the record:
>
> [ pkcs11.txt ]
> On a 64-bit PC Buster system this is working ok:
>> library=/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
>> name=PKCS#11 Trust Module
>> NSS=trustOrder=100

Nice.

> To get it working for a mixed 64-bit / 32-bit setup this content
> seems to work:
> library=/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
> library=/usr/lib/i386-linux-gnu/pkcs11/p11-kit-trust.so
> name=PKCS#11 Trust Module
> NSS=trustOrder=100

Nice add-on information.

> For already existing accounts:
>
> [ Firefox-ESR ]
> Checking the existence and then removing
> ~/.mozilla/firefox/debian-edu.default/{cert8.db,key3.db,cert9.db,key4.db}
> after replacing the existing pkcs11.txt file seems to work.

That is not necessary IMHO. If pkcs11.txt exists, the above text
config block needs to be appended to it. If it does not exist, copying
over the above pkcs11.txt is sufficient.

> [ Thunderbird ]
> Similar to Firefox-ESR; location:
> ~/.thunderbird/debian-edu.default/{cert8.db,key3.db,cert9.db,key4.db}

Same here. The .db files can stay. If pkcs11.txt exists, append the
above config block.

> [ Chromium, Konqueror, and others using PKI ]
> Check the existence and then remove
> ~/.pki/{cert9.db,key4.db}
> after replacing the existing pkcs11.txt file

Same here. Again, not replacing pkcs11.txt, but appending to it, if it
exists. The .db files can stay.
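
Mike's create-or-append rule, written out as a small POSIX shell helper. This is an added example, not code from the bug report or from debian-edu-config; the module path is the 64-bit Buster path quoted earlier in the thread, and the function name and the TRUST_MODULE variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): register the p11-kit trust module
# in one NSS profile's pkcs11.txt, creating the file or appending to it, and
# never duplicating the entry on a second run.
# TRUST_MODULE defaults to the 64-bit path quoted in the thread; override it
# for other architectures (assumed variable name).
TRUST_MODULE=${TRUST_MODULE:-/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so}

# ensure_trust_module PROFILE_DIR
# Prints "present" if the entry was already there, "added" otherwise.
ensure_trust_module() {
    file=$1/pkcs11.txt
    mkdir -p "$1" || return 1
    # NSS loads every stanza in pkcs11.txt; a second library= line for the
    # same module would register it twice, so treat an existing entry as done.
    if [ -f "$file" ] && grep -qxF "library=$TRUST_MODULE" "$file"; then
        echo present
        return 0
    fi
    # Stanzas in pkcs11.txt are separated by a blank line. When appending to
    # a file that already holds the internal-module stanza, terminate its
    # last line if needed and add the separating blank line.
    if [ -s "$file" ]; then
        [ -z "$(tail -c 1 "$file")" ] || printf '\n' >> "$file"
        printf '\n' >> "$file"
    fi
    {
        printf 'library=%s\n' "$TRUST_MODULE"
        printf 'name=PKCS#11 Trust Module\n'
        printf 'NSS=trustOrder=100\n'
    } >> "$file"
    echo added
}

# Usage: sh ensure-trust-module.sh ~/.mozilla/firefox/debian-edu.default ~/.pki/nssdb
for dir in "$@"; do
    ensure_trust_module "$dir" || exit 1
done
```

Running it twice over the same profile leaves a single stanza in place, and the existing cert9.db/key4.db files are not touched.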

Holger Fischer

Feb 7, 2021, 12:10:04 PM
Hi,
Bullseye will be frozen soon. Let's manage to get this sorted out 😀️.

I think the maintainable solution to this is to replace (dpkg-divert)
libnssckbi.so (/usr/lib/<ARCH>/nss/libnssckbi.so) with
/usr/lib/<ARCH>/pkcs11/p11-kit-trust.so if a package p11-kit-trust is
installed.

The package p11-kit-trust can be built from:
https://packages.debian.org/source/sid/p11-kit

as described here (the package name here is still p11-kit-nssckbi, but
that can be changed easily):
https://salsa.debian.org/gnutls-team/p11-kit/-/commit/2bc43fb58fc491d2a845a321cadd90a7f33f371e

Solution found here:
https://salsa.debian.org/gnutls-team/p11-kit/commits/tmp-704180-divertnss

taken from bug report
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180#80

Internet sources which describe the same solution:
https://superuser.com/a/1312419

https://www.bachmann-lan.de/linux-mit-eigenen-ssl-zertifikaten-root-ca-installieren/

(In Fedora/Red Hat/etc. it's done this way by default, package name for
this is p11-kit-trust)

I think this bug report is a duplicate of #704180

BR
DI(FH) Holger Fischer, MSc

Martin Habovštiak

Feb 12, 2021, 4:20:04 AM
Hi, as someone who got bitten by this and spent like half day figuring it out I fully support this.
I found out that diverting/replacing that file is not enough as Firefox and Thunderbird are shipped with their own versions (not sure if applies to Bullseye too, I only checked Buster).

I wrote this script:
```bash
#!/bin/bash
# Divert the NSS builtin-roots module and put a symlink to p11-kit-trust in
# its place, so NSS-based programs trust /etc/ssl/certs/ca-certificates.crt.
replace_libnssckbi() {
        # TODO: support other archs
        dpkg-divert --rename --package selfhost-clearnet-certbot --add "$1" || return 1
        ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so "$1"
}

# TODO: support other archs
replace_libnssckbi /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
replace_libnssckbi /usr/lib/firefox-esr/libnssckbi.so
replace_libnssckbi /usr/lib/thunderbird/libnssckbi.so
```

I guess it will need some checks or calls to mkdir but works at least for me.

Side note: Firefox will not accept a self-signed server certificate added to ca-certificates. You have to create a CA, add its certificate to ca-certificates, generate a separate server certificate signed by that CA and use it for server. I think this is OK, just mentioning in case someone finds this and wants to set it up.

Sam Morris

Jun 14, 2023, 3:40:04 AM
On Fri, Feb 12, 2021 at 10:15:36AM +0100, Martin Habovštiak wrote:
> # TODO: support other archs
> replace_libnssckbi /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
> replace_libnssckbi /usr/lib/firefox-esr/libnssckbi.so
> replace_libnssckbi /usr/lib/thunderbird/libnssckbi.so

As of Debian 12 ("bookworm"), firefox-esr and thunderbird no longer ship
their own libnssckbi.so files:
<https://packages.debian.org/search?searchon=contents&keywords=libnssckbi.so>

So I think this bug can be resolved as a duplicate of
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180>.

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

Holger Levsen

Dec 25, 2023, 6:10:05 AM
control: tags -1 - pending
thanks

hi,

#926388 "let Firefox trust /etc/ssl/certs/ca-certificates.crt"
has been marked as pending with
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4b63838ab777314d4611195f0be58c29203b8f1a
but this commit was never merged into the master branch, thus I'm
removing the pending tag now.

Do we need this for bookworm or is it just cruft?


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

We can send billionaires to space but not kids to fully funded public schools.

Guido Berhoerster

Dec 25, 2023, 7:20:05 AM
On 25.12.23 at 12:06, Holger Levsen wrote:
> control: tags -1 - pending
> thanks
>
> hi,
>
> #926388 "let Firefox trust /etc/ssl/certs/ca-certificates.crt"
> has been marked as pending with
> https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4b63838ab777314d4611195f0be58c29203b8f1a
> but this commit was never merged into the master branch, thus I'm
> removing the pending tag now.
>
> Do we need this for bookworm or is it just cruft?

This commit is currently part of a draft MR: https://salsa.debian.org/debian-edu/debian-edu-config/-/merge_requests/28

The fix is only applicable for unstable and cannot be backported to bookworm.

--
Guido Berhoerster

Holger Levsen

Dec 25, 2023, 7:30:04 AM
On Mon, Dec 25, 2023 at 01:06:55PM +0100, Guido Berhoerster wrote:
> This commit is currently part of a draft MR: https://salsa.debian.org/debian-edu/debian-edu-config/-/merge_requests/28
> The fix is only applicable for unstable and cannot be backported to bookworm.

thanks for the clarifications, Guido!


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

Everyone is entitled to their own opinion, but not their own facts.