ubports / morph-browser

Moved to https://gitlab.com/ubports/core/morph-browser
GNU General Public License v3.0

Browser rejects certificates which were added to the system. #152

Open SaltyCybernaut opened 5 years ago

SaltyCybernaut commented 5 years ago

I am using the latest stable release (OTA-7) on a Nexus 5 (hammerhead). I use a private Certificate Authority for my Nextcloud server. I have added my private Certificate Authority to the phone's list of trusted CAs. Doing this allows me to connect to my Nextcloud server through Settings > Accounts. When I visit the login page for my Nextcloud instance in the Morph Browser, I receive a warning about the site being "untrusted"; apparently the browser has a different list of trusted CAs and does not take updates from the system.

balcy commented 5 years ago

This might be helpful: https://doc.qt.io/qt-5/qtwebengine-features.html#client-certificates. Not sure how to integrate it in morph, though. It is available from Qt 5.12.

aral commented 4 years ago

I’m having this issue also while trying to get Site.js to work on a UBports edition PinePhone.

According to the link @balcy provided, Qt WebEngine uses NSS. The problem is that NSS does not appear to be available for ARM64 (at least in the apt repositories). I’m going to have a further look into this (and I might just bundle NSS with Site.js so that localhost certificates work out of the box on the PinePhone. Will update when/if I know more.)

r00t- commented 3 years ago

I think balcy's link is somewhat misleading, as it's about client certificates, not about certificate authorities.

This appears to be the official statement on CAs:

Managing Certificates
Qt WebEngine uses its own network stack, and therefore QSslConfiguration is not used to open SSL connections. Instead, Qt WebEngine uses the root CA certificates from the operating system to validate the peer's certificate.

-- https://doc.qt.io/qt-5/qtwebengine-overview.html#managing-certificates

r00t- commented 3 years ago

Did some research: so, morph-browser embeds QtWebEngine, which embeds Chromium.

(Actually there is a full Chromium browser profile in /home/phablet/.local/share/morph-browser/, same as ~/.config/chromium/Default/ on desktop!
But Chromium does not store certificates inside the profile.)

Chromium uses NSS for certificate handling, which is NOT the typical mechanism operating systems use, so the QtWebEngine docs (as I quoted above) are rather misleading.

NSS ships a compiled-in set of root certificates, which are used instead of /etc/ssl/certs: https://wiki.mozilla.org/NSS:Root_certs
(Chromium in turn ships a blacklist of certificates it rejects even when they are in NSS's list.)

Chromium loads user certificates from an NSS certificate database stored in ~/.pki/nssdb/: https://github.com/qt/qtwebengine-chromium/blob/33.0.1750.170-based/chromium/crypto/nss_util.cc#L90

For what I could find, that directory name is no standard at all and is ONLY used by Chromium... there is an EXAMPLE in Mozilla's NSS docs that uses it, but that same doc actually recommends AGAINST using that directory name:
https://wiki.mozilla.org/NSS_Shared_DB_Howto

Chromium provides an interface for managing certificates under chrome://settings/certificates, but chrome: URLs don't seem to be supported by the embedding.
If one managed to run a full Chrome browser on the same system as morph-browser, one could import the cert there, and then morph-browser should use it as well.

There are actually some docs at Chromium on how to manage the cert storage via the command line:
https://chromium.googlesource.com/chromium/src/+/master/docs/linux/cert_management.md
So essentially:

```shell
# NSS command-line tools (provides certutil)
sudo apt-get install libnss3-tools
# Create the per-user NSS database Chromium reads, in the SQLite ("sql:") format
mkdir -p "$HOME/.pki/nssdb"
certutil -N -d sql:"$HOME/.pki/nssdb"   # prompts for a database password
# Import the CA and mark it trusted for TLS server authentication (-t C,,)
certutil -d sql:"$HOME/.pki/nssdb" -A -t C,, -n "my CA" -i my_CA.pem
```

But I could not get this to work as of yet. strace tells me morph is loading the file, but my certificates are still not accepted.
I also tried copying ~/.pki from my desktop. certutil can read it just fine, but morph-browser is still not accepting my certs.

r00t- commented 3 years ago

I went and recompiled NSS with my custom CA cert added to the internal storage.
Not exactly a user-friendly solution, has to be re-done after (OTA) updates, ... but it works.
Docs: https://hg.mozilla.org/projects/nss/file/tip/lib/ckfw/builtins/README
Great thing about native Linux: one can do this on-device without setting up a cross-compilation environment:

```shell
# Build dependencies and the Debian source package for NSS
sudo apt-get build-dep libnss3
apt-get source libnss3
cd nss-3.28.4/
debian/rules binary   # initial build required to build the `addbuiltin` utility
# addbuiltin takes DER input; convert the PEM CA certificate
openssl x509 -outform der -in ~/myca.pem -out ~/myca.der
# Append a certificate + trust record to certdata.txt, trusted as a CA for
# server auth, e-mail protection and code signing (-t C,C,C)
nss/cmd/addbuiltin/OBJS/addbuiltin -t C,C,C -n myca -i ~/myca.der >> nss/lib/ckfw/builtins/certdata.txt
debian/rules binary   # build the actual library
grep myca ./nss/lib/ckfw/builtins/OBJS/libnssckbi.so   # verify myca is in there
# Replace the system's built-in roots module (must be re-done after every OTA update)
sudo cp ./dist/lib/libnssckbi.so /usr/lib/aarch64-linux-gnu/nss/libnssckbi.so
```

[Edit: it might not work to run `debian/rules binary` twice without `make clean` in between.]
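As an added illustration of what the `addbuiltin` step in the comment above actually writes (example code added here, not from the morph-browser project, Chromium or NSS): certdata.txt is a plain-text list of PKCS#11 objects, a CKO_CERTIFICATE object carrying the DER and a CKO_NSS_TRUST object carrying the per-usage trust flags, which the NSS build then compiles into libnssckbi.so. The script below emits an abridged entry the way `addbuiltin -t C,C,C -n myca -i myca.der` would (real entries also carry CKA_SUBJECT, CKA_ISSUER and CKA_SERIAL_NUMBER, which are left out here), parses it back, and reports which labels end up trusted for TLS server authentication, so an appended entry can be checked for the right flags before the long rebuild. The "DER" bytes in the demo are constructed placeholders, not a real certificate; nothing here parses X.509, only the certdata.txt container.

```python
"""Emit and parse NSS certdata.txt entries (abridged addbuiltin output).

Added example for this thread; not code from morph-browser, Chromium or NSS.
The DER bytes used below are constructed placeholders, not a real certificate.
"""
from __future__ import annotations

import hashlib
import re

# Letters accepted by `addbuiltin -t` / `certutil -t`, one per usage, and the
# CK_TRUST constant they become in certdata.txt: "C" = trusted CA for that
# usage, "p" = explicitly distrusted, empty = no opinion (must chain elsewhere).
TRUST_LETTER = {
    "C": "CKT_NSS_TRUSTED_DELEGATOR",
    "p": "CKT_NSS_NOT_TRUSTED",
    "": "CKT_NSS_MUST_VERIFY_TRUST",
}
# Order of the three comma-separated -t fields: SSL, e-mail, code signing.
USAGES = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION",
          "CKA_TRUST_CODE_SIGNING")
TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"


def to_octal(data: bytes) -> str:
    """MULTILINE_OCTAL body as certdata.txt writes it: \\NNN per byte, 16 per line."""
    return "\n".join("".join(f"\\{b:03o}" for b in data[i:i + 16])
                     for i in range(0, len(data), 16))


def from_octal(text: str) -> bytes:
    return bytes(int(m, 8) for m in re.findall(r"\\([0-7]{3})", text))


def emit_builtin(label: str, der: bytes, trust: str = "C,C,C") -> str:
    """Abridged text that `addbuiltin -t TRUST -n LABEL -i cert.der` appends:
    a CKO_CERTIFICATE object holding the DER, then a CKO_NSS_TRUST object
    keyed by the certificate's SHA-1/MD5 (subject/issuer/serial omitted)."""
    flags = [TRUST_LETTER[letter] for letter in trust.split(",")]
    if len(flags) != 3:
        raise ValueError("trust must have three comma-separated fields")
    lines = [
        f'# Certificate "{label}"',
        "CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE",
        "CKA_TOKEN CK_BBOOL CK_TRUE",
        f'CKA_LABEL UTF8 "{label}"',
        "CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509",
        "CKA_VALUE MULTILINE_OCTAL", to_octal(der), "END",
        "",
        f'# Trust for "{label}"',
        "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST",
        "CKA_TOKEN CK_BBOOL CK_TRUE",
        f'CKA_LABEL UTF8 "{label}"',
        "CKA_CERT_SHA1_HASH MULTILINE_OCTAL", to_octal(hashlib.sha1(der).digest()), "END",
        "CKA_CERT_MD5_HASH MULTILINE_OCTAL", to_octal(hashlib.md5(der).digest()), "END",
    ]
    lines += [f"{usage} CK_TRUST {flag}" for usage, flag in zip(USAGES, flags)]
    lines.append("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE")
    return "\n".join(lines) + "\n"


def parse_certdata(text: str) -> list[dict]:
    """Split certdata.txt into objects (one dict per object, a new one at every
    CKA_CLASS line). MULTILINE_OCTAL values become bytes, UTF8 values are
    unquoted, everything else keeps its constant name."""
    objects: list[dict] = []
    current: dict | None = None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:           # e.g. the BEGINDATA marker
            continue
        attr, kind = parts[0], parts[1]
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is None:          # preamble before the first object
            continue
        if kind == "MULTILINE_OCTAL":
            body = []
            for raw in lines:        # consume the same iterator up to END
                if raw.strip() == "END":
                    break
                body.append(raw)
            current[attr] = from_octal("".join(body))
        elif kind == "UTF8":
            current[attr] = parts[2].strip().strip('"')
        else:
            current[attr] = parts[2].strip()
    return objects


def trusted_server_cas(objects: list[dict]) -> dict[str, bytes]:
    """Label -> DER for every certificate whose trust record grants
    CKT_NSS_TRUSTED_DELEGATOR for server authentication. Trust records are
    matched to certificates by CKA_CERT_SHA1_HASH (simplification: NSS also
    records issuer and serial, omitted in this abridged format)."""
    by_sha1 = {hashlib.sha1(obj["CKA_VALUE"]).digest(): obj
               for obj in objects if obj.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    result: dict[str, bytes] = {}
    for obj in objects:
        if obj.get("CKA_CLASS") != "CKO_NSS_TRUST":
            continue
        cert = by_sha1.get(obj.get("CKA_CERT_SHA1_HASH"))
        if cert is not None and obj.get("CKA_TRUST_SERVER_AUTH") == TRUSTED:
            result[cert["CKA_LABEL"]] = cert["CKA_VALUE"]
    return result


if __name__ == "__main__":
    fake_der = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(40))  # placeholder
    entry = emit_builtin("myca", fake_der, "C,C,C")
    print(entry)
    print(sorted(trusted_server_cas(parse_certdata(entry))))
```

Running it against the real file (`parse_certdata(open("nss/lib/ckfw/builtins/certdata.txt").read())`) before the second `debian/rules binary` shows whether "myca" is among the server-auth roots; an entry imported with `-t ,C,` or `-t p,p,p` would parse fine but never satisfy the browser's TLS check, which is the failure mode the rebuild is meant to avoid.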