Liblor / applied_sec_lab

Applied Security Laboratory - AS19

Inject self-signed certificate into Firefox root of trust #49

Closed keyctl closed 4 years ago

keyctl commented 4 years ago

The Firefox installation of the client does not trust our WebServer.

Run a fresh environment using make build, start Firefox and visit https://aslweb01/ to confirm.

keyctl commented 4 years ago

I think this bug is due to a race condition in the Vagrant script. On some occasions, the update of the truststore is successful and echoed, while on others, there is no sign of execution of the script.

@Miro-H What is the timeout for in this line of the Vagrantfile?

sudo su - #{CLIENT_UNAME} -c "timeout 3 firefox-esr -migration -no-remote -headless 2> /dev/null"

Miro-H commented 4 years ago

> @Miro-H What is the timeout for in this line of the Vagrantfile?

This command starts firefox in headless mode, but it doesn't terminate by itself. The timeout aborts it after 3s. Maybe this is too early in some cases? The command is needed to initialize the cert9.db of firefox and I found no cleaner way that does this.

keyctl commented 4 years ago

> This command starts firefox in headless mode, but it doesn't terminate by itself. The timeout aborts it after 3s. Maybe this is too early in some cases? The command is needed to initialize the cert9.db of firefox and I found no cleaner way that does this.

The -A flag should create one according to the documentation. Have you tried it without creating a profile first?

keyctl commented 4 years ago

Firefox also comes with the -CreateProfile parameter, at least according to the documentation. I could not find this in the man pages, so I don't know if this is available for us. If I look at some examples, it seems that Firefox is not directly run. We could replace the migration and hope that the new profile is automatically selected as the default.

keyctl commented 4 years ago

Note that -no-remote must be specified for -CreateProfile, otherwise it's silently ignored.

Miro-H commented 4 years ago

I think I tried that, -CreateProfile with -no-remote but it didn't create a cert9.db... You can try it if you want, delete the cert9.db and then run those commands and check if it is there again.

Miro-H commented 4 years ago

If that doesn't work, I thought we can run the command above and kill it as soon as the cert9.db file appears.

keyctl commented 4 years ago

It does work, but I struggle creating a new profile that's selected as the default.

Miro-H commented 4 years ago

> It does work, but I struggle creating a new profile that's selected as the default.

@keyctl What's the state here? Should I look into this now?

Miro-H commented 4 years ago

@keyctl The following command

sudo certutil -A -n "iMovies Root CA" -t "TCu,Cu,Tu" -i /vagrant/key_store/iMovies_Root_CA.crt -d sql:/home/user/.mozilla/firefox/4bl7mx22.default-esr/cert9.db

is still not working for me, it does not generate a cert9.db but fails with certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

What command were you using?

Miro-H commented 4 years ago

Found another hack that seems to initialize the DB as well: firefox --screenshot /dev/null https://google.com 2> /dev/null

keyctl commented 4 years ago

> @keyctl The following command
>
> sudo certutil -A -n "iMovies Root CA" -t "TCu,Cu,Tu" -i /vagrant/key_store/iMovies_Root_CA.crt -d sql:/home/user/.mozilla/firefox/4bl7mx22.default-esr/cert9.db
>
> is still not working for me, it does not generate a cert9.db but fails with certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
>
> What command were you using?

-d specifies a directory. The correct directory should be $HOME/.mozilla/firefox/4bl7mx22.default-esr/ in your case.

Miro-H commented 4 years ago

My bad, I thought I tried that, but maybe with another profile directory...

Miro-H commented 4 years ago

The following would create a cert9.db, however it does not work since the whole .mozilla folder does not exist when the machine is created. I put it here in case we want to improve later, but I'm going to push the hack from above now. Let's see if that works for others as well.

# homefolder, certname and certfile are assumed to be set earlier in the script
for profilePath in $(find "$homefolder" -name "*.default-esr")
do
    echo "Add certificate '${certname}' to '$profilePath/cert9.db'"
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d "sql:${profilePath}"
done

keyctl commented 4 years ago

Closed by #58.
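
The idea raised in the thread, stopping headless Firefox as soon as cert9.db appears instead of after a fixed 3 s timeout, sketched as an added example (not part of the thread or the project's Vagrantfile). The helper names `find_certdb` and `init_certdb` and the 30 s limit are assumptions.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the project's Vagrantfile.

# find_certdb HOME_DIR
# Print the first cert9.db below HOME_DIR/.mozilla/firefox.
# Prints nothing when the directory does not exist yet (fresh machine).
find_certdb() {
    find "$1/.mozilla/firefox" -name cert9.db 2>/dev/null | head -n 1
}

# init_certdb HOME_DIR MAX_SECONDS CMD...
# Run CMD (e.g. headless Firefox) in the background and stop it as soon as
# cert9.db exists, or once MAX_SECONDS have passed, or if CMD exits early.
# Returns 0 only if the database file exists afterwards, so the caller can
# fail loudly instead of silently skipping the certificate import.
init_certdb() {
    home_dir=$1; limit=$2; shift 2
    "$@" >/dev/null 2>&1 &
    pid=$!
    waited=0
    while [ -z "$(find_certdb "$home_dir")" ] \
          && [ "$waited" -lt "$limit" ] \
          && kill -0 "$pid" 2>/dev/null; do
        sleep 1
        waited=$((waited + 1))
    done
    # SIGTERM, the same signal `timeout` sends by default.
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    [ -n "$(find_certdb "$home_dir")" ]
}

# Intended call, run as the client user inside the VM (30 s is an assumed limit):
#   init_certdb "$HOME" 30 firefox-esr -migration -no-remote -headless \
#       || { echo "cert9.db was not created" >&2; exit 1; }
```

The non-zero return makes a missed initialization visible in the provisioning output, which the fixed `timeout 3` variant does not.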