[Bug 543183] Re: Updating system certificates requires rebuild
What is the status of the error at the moment? In Fedora 31/32, adding a self-signed cert to the system store allows Firefox to trust self-signed certs on sites. I use Ubuntu 18.04 in my enterprise and it's a big problem that I cannot add a self-signed root cert on computers. Our users use different browsers and different workplaces. And when a user first logs in on a computer, he must add the self-signed cert to a browser.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/543183

Title:
  Updating system certificates requires rebuild

To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/543183/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 543183] Re: Updating system certificates requires rebuild
** Changed in: firefox
   Status: Confirmed => Won't Fix
[Bug 543183] Re: Updating system certificates requires rebuild
** Changed in: firefox
   Status: Unknown => Confirmed
[Bug 543183] Re: Updating system certificates requires rebuild
** Changed in: firefox
   Status: Confirmed => Unknown
[Bug 543183] Re: Updating system certificates requires rebuild
Launchpad has imported 43 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=546221.

If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2009-12-10T13:37:00+00:00 David wrote:

There is a system-wide NSS db in /etc/pki/nssdb. I have added my company's internal CA certificates there. However, firefox still doesn't trust our internal web sites. It doesn't seem to be using the system database.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/543183/comments/1

On 2009-12-10T13:59:20+00:00 Martin wrote:

I don't believe it's a firefox bug...

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/543183/comments/2

On 2009-12-12T09:57:57+00:00 David wrote:

I tried installing the nss-sysinit package and installing certs with 'certutil -d /etc/pki/nssdb'. But it doesn't seem to make any difference -- neither Evolution nor Firefox seem to know anything about these certificates. /proc/$PID/maps seems to suggest that they don't have /usr/lib64/libnsssysinit.so mapped.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/543183/comments/3

On 2009-12-13T14:18:11+00:00 David wrote:

Test procedure... First we fetch a signing cert (just an example; it doesn't matter which it is), import it into a new application-specific NSS DB, and it works. We remove it from the app's DB, and it doesn't. All is well so far...

[root@macbook dwmw2]# curl -k https://www.cacert.org/certs/root.crt > cacert.crt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
102 2569 102 25690 0 10740 0 --:--:-- --:--:-- --:--:-- 51380
[root@macbook dwmw2]# mkdir /tmp/nssdb
[root@macbook dwmw2]# certutil -d /tmp/nssdb -t TC,TC,TC -E -i cacert.crt -n cacert
[root@macbook dwmw2]# /usr/lib64/nss/unsupported-tools/tstclnt -d /tmp/nssdb -h www.cacert.org -p 443
subject DN: E=supp...@cacert.org,CN=www.cacert.org,O=CAcert Inc.,L=Sydney,ST=NSW,C=AU
issuer DN: E=supp...@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
0 cache hits; 1 cache misses, 0 cache not reusable
0 stateless resumes
^C
[root@macbook dwmw2]# certutil -d /tmp/nssdb -D -n cacert
[root@macbook dwmw2]# /usr/lib64/nss/unsupported-tools/tstclnt -d /tmp/nssdb -h www.cacert.org -p 443
tstclnt: read from socket failed: Peer's Certificate issuer is not recognized.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/543183/comments/4

On 2009-12-13T14:26:31+00:00 David wrote:

And this shows the failure... this one ought to _work_, surely?

[root@macbook dwmw2]# setup-nsssysinit.sh on
[root@macbook dwmw2]# certutil -d /etc/pki/nssdb -t TC,TC,TC -E -i cacert.crt -n cacert
[root@macbook dwmw2]# /usr/lib64/nss/unsupported-tools/tstclnt -d /tmp/nssdb -h www.cacert.org -p 443
tstclnt: read from socket failed: Peer's Certificate issuer is not recognized.

The issuer _should_ be recognised -- I just added it to the system database! It's not just tstclnt that fails; evolution and firefox fail too. curl does work, but I think that's because it actually uses /etc/pki/nssdb as its "application" database.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/543183/comments/5

On 2009-12-13T14:30:31+00:00 Kamil wrote:

The behavior looks slightly similar to bug 545779. Could you please try the patch from there (including the change from comm. #20)?

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/543183/comments/6

On 2009-12-13T14:55:50+00:00 David wrote:

You mean just the patch to nsssysinit.c in comm. #18, with the extra one-liner? I built that and installed the resulting libnsssysinit.so library. But when I run 'tstclnt' as described, the atime on the library doesn't change -- it isn't even being loaded. The atime on /etc/pki/nssdb/pkcs11.txt doesn't change either. Are you able to reproduce the problem using the commands given above? It should be fairly simple.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/543183/comments/7

On 2009-12-13T16:32:41+00:00 David wrote:

I've been playing with this, and reading the documentation at https://wiki.mozilla.org/NSS_Shared_DB_And_LI
[Bug 543183] Re: Updating system certificates requires rebuild
So what is the status on this? With Fedora's p11-kit-trust.so, the pieces to solve this seem to be in place.
[Bug 543183] Re: Updating system certificates requires rebuild
Launchpad has imported 12 comments from the remote bug at https://bugzilla.mozilla.org/show_bug.cgi?id=449498.

If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2008-08-06T23:14:04+00:00 Kai Engert wrote:

Fedora has started to ship an NSS database in the OS global location /etc/pki/nssdb, which contains system-wide certificates or security modules that all applications should have access to. I think the proposal is to open that additional database automatically on NSS init time. We'd like to do this at least on Linux, and maybe we should start with #ifdef'ed code. We could add other platforms, too, if there is interest and a standardized location for this kind of database (with the initial version or at a later time).

Reply at: https://bugs.launchpad.net/firefox/+bug/543183/comments/0

On 2010-06-15T19:23:04+00:00 dwmw2 wrote:

Created attachment 451345
xulrunner patch to make firefox use system nssdb

It shouldn't be an additional database; the application should open sql:/etc/pki/nssdb _instead_ of its old database. The libnsssysinit.so module automatically handles opening the user's own database in ~/.pki/nssdb as an 'overlay'. With the NSS bugs fixed as described in https://bugzilla.redhat.com/show_bug.cgi?id=603313 this works as expected; merging the old DBM database from the profile directory into the user's SQL database. If the system database isn't configured, then it just uses the DBM database as before.

Reply at: https://bugs.launchpad.net/firefox/+bug/543183/comments/2

On 2010-06-15T23:18:32+00:00 dwmw2 wrote:

Created attachment 451412
revised patch to try system db only on unix

Reply at: https://bugs.launchpad.net/firefox/+bug/543183/comments/3

On 2010-06-16T14:59:52+00:00 Kai Engert wrote:

This bug was initially filed against the NSS component with the expectation to

Reply at: https://bugs.launchpad.net/firefox/+bug/543183/comments/4

On 2010-06-16T15:45:26+00:00 Nelson-bolyard wrote:

David, Are you requesting that this patch be reviewed and considered for inclusion? Or is this merely a "work in progress"? If you believe this patch is ready for submission, please request that it be reviewed by k...@kuix.de

Reply at: https://bugs.launchpad.net/firefox/+bug/543183/comments/5

On 2010-06-16T16:52:37+00:00 dwmw2 wrote:

Comment on attachment 451412
revised patch to try system db only on unix

I think it's ready for inclusion. There are NSS bugs which need to be fixed -- but this part only triggers if the system NSS DB is enabled anyway; if it's not enabled you get the old behaviour.

Reply at: https://bugs.launchpad.net/firefox/+bug/543183/comments/6

On 2010-06-16T17:09:02+00:00 Wan-Teh Chang wrote:

Comment on attachment 451412
revised patch to try system db only on unix

Bob Relyea is the best person to review this patch.

Bob, it'd be bad if an application had to read pkcs11.txt directly and look for "library=libnsssysinit.so". This should be done by the NSS initialization functions. If we have a good error code that NSS initialization functions can return to indicate a missing pkcs11.txt unambiguously, an application can simply try initializing NSS with "sql:/etc/pki/nssdb", and fall back on the home/profile directory if it gets that error code.

Reply at: https://bugs.launchpad.net/firefox/+bug/543183/comments/7

On 2010-06-16T17:17:12+00:00 dwmw2 wrote:

(In reply to comment #6)
> Bob, it'd be bad if an application had to read pkcs11.txt
> directly and look for "library=libnsssysinit.so".

Yeah, it sucks that we have to do this. cf. https://bugzilla.mozilla.org/show_bug.cgi?id=490238#c37 I'd rather have NSS just do the right thing rather than returning an error when we attempt to open sql:/etc/pki/nssdb r/w though.

Reply at: https://bugs.launchpad.net/firefox/+bug/543183/comments/8

On 2010-07-30T23:02:51+00:00 Rrelyea wrote:

Comment on attachment 451412
revised patch to try system db only on unix

Way behind on my reviews. I'm OK with this patch with the following caveats.

1) this is PSM code so Kai should have the final say since he'll have to support what goes in.
2) explicitly checking for libnssysinit.so may fail in the future if we suppor
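
The pkcs11.txt check debated in the comments above, sketched as an added shell example; it is not the attached xulrunner patch or any NSS code. The function names, the constructed sample pkcs11.txt and the temporary paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not code from the thread or from NSS.

# sysinit_enabled FILE
# Exit 0 if FILE has a line that is exactly "library=libnsssysinit.so"
# (trailing blanks/CR ignored), 1 if it does not, 2 if FILE is unreadable.
# Matching the whole line avoids false hits on the module name appearing
# inside a parameters= or NSS= line.
sysinit_enabled() {
    [ -r "$1" ] || return 2
    awk '{ sub(/[ \t\r]+$/, "") }
         $0 == "library=libnsssysinit.so" { found = 1 }
         END { exit !found }' "$1"
}

# choose_nss_db SYSTEM_DIR PROFILE_DIR
# Print the database an application following the thread's approach would
# open: the system SQL database when sysinit is enabled, otherwise the
# profile directory (the old behaviour).
choose_nss_db() {
    if sysinit_enabled "$1/pkcs11.txt"; then
        printf 'sql:%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}

# write_sample DIR LIBRARY_VALUE: constructed pkcs11.txt for the demo.
write_sample() {
    mkdir -p "$1"
    cat > "$1/pkcs11.txt" <<EOF
library=$2
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:$1' certPrefix='' keyPrefix='' secmod='secmod.db'
NSS=Flags=internal,moduleDBOnly,critical trustOrder=75

EOF
}

demo() {
    d=$(mktemp -d) || return 1
    write_sample "$d/enabled" "libnsssysinit.so"
    write_sample "$d/disabled" ""
    for s in enabled disabled absent; do
        printf '%-8s -> %s\n' "$s" "$(choose_nss_db "$d/$s" "$d/profile")"
    done
    rm -rf "$d"
}
demo
```

Both Wan-Teh Chang and Rrelyea flag this string match as something an application should not have to rely on; the sketch only makes the fallback behaviour concrete.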
[Bug 543183] Re: Updating system certificates requires rebuild
Thank you for reporting this to Ubuntu. While I do recognize the value in this for enterprises, we currently aren't even using the system NSS in our Firefox builds. I notice the upstream bug is about opening a second read only system NSS DB. This is why I marked this triaged instead of won't fix. We'll follow upstream if they choose to allow this. Please report any other issues you may find.

** Changed in: firefox (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: firefox (Ubuntu)
   Status: New => Triaged
[Bug 543183] Re: Updating system certificates requires rebuild
The attached patch is not a full solution. Removing the compiled in certificates would be needed, but this might be good enough for basic enterprise needs to add root certificates to FireFox.

Drew Daniels
http://www.boxheap.net/ddaniels/blog
[Bug 543183] Re: Updating system certificates requires rebuild
** Bug watch added: Red Hat Bugzilla #546221
   https://bugzilla.redhat.com/show_bug.cgi?id=546221

** Also affects: firefox (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=546221
   Importance: Unknown
   Status: Unknown

** Tags added: patch

** Patch added: "F14 1.9.2 patch to allow use of system certificate store"
   https://bugs.launchpad.net/fedora/+source/firefox/+bug/543183/+attachment/2374493/+files/fc14-mozilla-1.9.2-use_certificate_store.patch
[Bug 543183] Re: Updating system certificates requires rebuild
** Bug watch added: Mozilla Bugzilla #449498
   https://bugzilla.mozilla.org/show_bug.cgi?id=449498

** Also affects: firefox via
   https://bugzilla.mozilla.org/show_bug.cgi?id=449498
   Importance: Unknown
   Status: Unknown
[Bug 543183] Re: Updating system certificates requires rebuild
To remove fraudulent certificates like this recent one: https://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/ a rebuild is required. See the discussion at lwn.net at: http://lwn.net/Articles/456798/#Comments Note the comment about how Internet Explorer doesn't have to be rebuilt and the Microsoft Advisory at: https://www.microsoft.com/technet/security/advisory/2607712.mspx

Maybe better Certificate Revocation List (CRL) support is needed. I haven't yet submitted a bug upstream as Ubuntu may just want to fork for better enterprise support.

Drew Daniels
http://www.boxheap.net/ddaniels/blog