Open aeris opened 5 months ago
We are unfortunately not familiar with Arch Linux, and it's also not a Linux distribution we support. Have you tried it on a supported Linux distribution?
I found this which looks related, have you tried that? https://superuser.com/questions/1717914/make-chrome-trust-the-linux-system-certificate-store-or-select-certificates-via
(Playwright's Chromium is the same as a normal Chromium, we don't do any certificate related changes. Actually no changes at all on the Chromium side as of today.)
Hello, I got the same trouble on Node LTS + Debian 12. A minimal reproducible Docker image is available here: https://github.com/aeris/playwrigth-system-ca
For the "solution" on the superuser forum, it's not possible for Playwright: the certificate store only exists in the browser profile, and so is just cleaned each time you restart Playwright (no persistence).
```
$ find ~/.mozilla -name cert9.db
/home/aeris/.mozilla/firefox/qw3pv9fs/cert9.db
/home/aeris/.mozilla/firefox/aeris/cert9.db
```
And I can't find a reliable and portable way to get the running profile directory from inside playwright execution to be able to inject a new ca certificate.
I also don't know the difference between Playwright browsers and standard user browsers, but there is a different behavior. Everyday browsers seem to use system certificates, even noticing a change without a restart, but the ones Playwright starts seem to be totally isolated and don't notice system store changes.
For Chromium it seems doable via:
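```dockerfile
# For Chromium
# https://chromium.googlesource.com/chromium/src/+/master/docs/linux/cert_management.md
# -y keeps the install from stopping at a confirmation prompt during the image build
RUN apt install -y libnss3-tools
RUN mkdir -p $HOME/.pki/nssdb
# -t "C,," marks the certificate as a trusted CA for TLS server certificates only
RUN certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n badssl-com -i badssl-com.pem
```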
For Firefox it wasn't working for me, since as you said we are using in-memory browser profiles which end up creating temp browser profiles. My attempt on following this didn't work.
Would be nice to have a way to either supply policies.json to be able to add certificates to Firefox or some other workaround. For now disabling SSL errors seems like the only solution. Similar discussion in https://github.com/microsoft/playwright/issues/18115
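To confirm that the Chromium NSS import in the comment above took effect with the intended trust flags, the `certutil -L` listing can be checked programmatically. This is an added example, not code from the thread or from Playwright; the function names are hypothetical and the sample listing is constructed, assuming the usual two-line header that `certutil -L` prints.

```python
import re
import subprocess

# Trust column of `certutil -L`: three comma-separated flag groups
# (SSL, S/MIME, code signing), e.g. "C,," or "CT,C,C" or ",,".
TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")

# Constructed sample listing (not captured from a real database).
SAMPLE = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

badssl-com                                                   C,,
Constructed Intermediate CA                                  c,,
leaf-imported-without-trust                                  ,,
"""

def parse_nss_listing(listing):
    """Map nickname -> (ssl, smime, codesign) from `certutil -L` text output."""
    entries = {}
    for line in listing.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        # Header and blank lines have no trailing trust triple and are skipped.
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            entries[parts[0].strip()] = tuple(parts[1].split(","))
    return entries

def trusted_for_tls_servers(listing, nickname):
    """True only if the nickname exists and has 'C' (trusted CA) in the SSL group.

    Lowercase 'c' only marks a valid CA, not a trust anchor, so it does not count.
    """
    flags = parse_nss_listing(listing).get(nickname)
    return flags is not None and "C" in flags[0]

def list_nssdb(db_dir):
    """Return the listing of a real database (requires libnss3-tools)."""
    result = subprocess.run(["certutil", "-L", "-d", f"sql:{db_dir}"],
                            check=True, capture_output=True, text=True)
    return result.stdout

if __name__ == "__main__":
    for name in ("badssl-com", "Constructed Intermediate CA", "not-imported"):
        print(name, "->", trusted_for_tls_servers(SAMPLE, name))
```

In a container build, pass `list_nssdb(os.path.expanduser("~/.pki/nssdb"))` instead of `SAMPLE` and fail the build when the check returns `False`.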
Currently it seems Playwright doesn't consider additional system certificate authorities when starting a new browser, and has no way to add one manually.
Normal browsers, for example Firefox, notice any system store change even without a restart. Installing a ca-cert authority with the system package manager just shows the certificate at the end on a running browser.

![image](https://github.com/microsoft/playwright-python/assets/51246/9ab57ca9-3d35-4503-8f7a-02876bfa802c)

Playwright browsers don't notice the additional authority even at start, and seem to use a static predefined list.
This leaves no way to test websites using an authority outside the static list without totally skipping TLS verification for any and all websites, and so removing every piece of security, as asked for such a case here.
System info
Source code
Steps
[Describe expected behavior]
Test OK, using system certificate to access the site
[Describe actual behavior]
Test KO