#926388 let Firefox trust /etc/ssl/certs/ca-certificates.crt

#926388#5
Date:
2019-04-04 10:31:54 UTC
From:
To:
Package: debian-edu-config
Severity: wishlist

Hi,

today I have played with Firefox and custom CA certificate import into
the browser. This overall sucks. Firefox does not consider the
system-wide CA cert store as trustworthy by default.

However, there is a simple solution to this: the trust cryptography
module in p11-kit-modules.

For this, to be doable on Debian Edu sites, we need to add this content:

```
library=/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
name=PKCS#11 Trust Module
NSS=trustOrder=100
```

to debian-edu-config's file
etc/skel/.mozilla/firefox/debian-edu.default/pkcs11.txt

With this file in place in fresh mozilla profiles, Firefox will
activate the pkcs11 trust module and trust CA certificates in
/etc/ssl/certs/ca-certificates.crt.

A similar solution must be found for chromium.

Mike

#926388#10
Date:
2019-04-04 12:19:31 UTC
From:
To:
Moin Mike,
anymore. Certificate related configuration is done in gosa-create.
(Works for Firefox-ESR, Thunderbird, Konqueror and Chromium).

See also:
https://wiki.debian.org/DebianEdu/Documentation/Buster/Features#Other_changes_compared_to_the_previous_release
for SSL/TLS related changes.

There's also a tool (share/debian-edu-config/tools/update-cert-dbs)
which will be called upon upgrades from Stretch to configure this for
existing user accounts.

Wolfgang

#926388#15
Date:
2019-04-04 13:03:50 UTC
From:
To:
Hi Wolfgang,

While the above named approach and scripts are good for handling the
DebianEdu root-CA, it cannot be used for site-specific adaptations.

Of course, I could have copied and adapted update-cert-dbs to my
purpose, but for generic CA rollouts, I find the pkcs11.txt approach
much more elegant.

Btw, for Chrome/Chromium, pkcs11.txt as given above in the bug report
needs to be placed into ~/.pki/nssdb/pkcs11.txt.

I needed this as I set up an e2guardian with SSL MitM and https deep
package introspection (I know, this can be seen as "URGH..."). I also
had a user-specific import script, but that did not scale well with
many users on site. Handling this via pkcs11.txt and the trust pki
module came in much smarter.

Feel free to keep this bug open for bullseye, so we can re-discuss
this approach or close it. (In IT-Zukunft Schule, we will use it).

Greets,
Mike

#926388#20
Date:
2019-04-04 15:18:38 UTC
From:
To:
Yes, let's consider this for bullseye.

Just for the record:

[ pkcs11.txt ]
On a 64-bit PC Buster system this seems to work:

```
library=/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
library=/usr/lib/i386-linux-gnu/pkcs11/p11-kit-trust.so
name=PKCS#11 Trust Module
NSS=trustOrder=100
```

For already existing accounts:

[ Firefox-ESR ]
Checking the existence and then removing
~/.mozilla/firefox/debian-edu.default/{cert8.db,key3.db,cert9.db,key4.db}
after replacing the existing pkcs11.txt file seems to work.

[ Thunderbird ]
Similar to Firefox-ESR; location:
~/.thunderbird/debian-edu.default/{cert8.db,key3.db,cert9.db,key4.db}

[ Chromium, Konqueror, and others using PKI ]
Check the existence and then remove
~/.pki/{cert9.db,key4.db}
after replacing the existing pkcs11.txt file.


Wolfgang

#926388#25
Date:
2019-04-04 21:42:21 UTC
From:
To:
Hi Wolfgang.

Yep.

Nice.

Nice add-on information.

That is not necessary IMHO. If pkcs11.txt exists, the above text
config block needs to be appended to it. If it does not exist, copying
over the above pkcs11.txt is sufficient.

Same here. The .db files can stay. If pkcs11.txt exists, append the
above config block.

Same here. Again, not replacing pkcs11.txt, but appending to it, if it
exists. The .db files can stay.

Mike
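
The "append if it exists, otherwise create it" rule Mike states above, as an added example script that is neither part of this bug thread nor of debian-edu-config: the module path and the three profile directories come from the thread; the function names and the P11_TRUST_LIB override are this example's own assumptions.

```sh
# Added example, not from the bug thread or debian-edu-config. Registers the
# p11-kit trust module in each NSS pkcs11.txt of an existing account per the
# thread's rule: append if the file exists, create it otherwise, keep the .db files.
set -eu

# amd64 path from the thread; other architectures override via P11_TRUST_LIB.
P11_TRUST_LIB="${P11_TRUST_LIB:-/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so}"

# NSS database directories named in the thread, relative to the account's HOME.
NSS_DB_DIRS="
.mozilla/firefox/debian-edu.default
.thunderbird/debian-edu.default
.pki/nssdb
"

# The module block exactly as posted in the thread.
trust_module_block() {
    printf 'library=%s\nname=PKCS#11 Trust Module\nNSS=trustOrder=100\n' "$P11_TRUST_LIB"
}

# Register the module in one NSS database directory. Prints what was done:
# "skipped" (profile not on disk), "present", "added" or "created".
ensure_trust_module() {
    pkcs11="$1/pkcs11.txt"
    if [ ! -d "$1" ]; then
        echo "skipped"
        return 0
    fi
    if [ -f "$pkcs11" ]; then
        # Look for our library= line, not just the file: NSS writes pkcs11.txt
        # itself, so it usually exists already. Re-runs must not append twice.
        if grep -qxF "library=$P11_TRUST_LIB" "$pkcs11"; then
            echo "present"
            return 0
        fi
        { echo; trust_module_block; } >> "$pkcs11"   # blank line separates module blocks
        echo "added"
    else
        trust_module_block > "$pkcs11"
        echo "created"
    fi
}

# Usage: ensure_trust_module_for_home /home/alice
ensure_trust_module_for_home() {
    for d in $NSS_DB_DIRS; do
        printf '%s: %s\n' "$1/$d" "$(ensure_trust_module "$1/$d")"
    done
}
```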

#926388#30
Date:
2021-02-07 16:54:26 UTC
From:
To:
Hi,
Bullseye will be frozen soon. Let's manage to get this sorted out 😀.

I think the maintainable solution to this is to

replace (dpkg-divert)
libnssckbi.so (/usr/lib/<ARCH>/nss/libnssckbi.so)

with
/usr/lib/<ARCH>/pkcs11/p11-kit-trust.so

if a package
p11-kit-trust
is installed.

The package p11-kit-trust can be built from:
https://packages.debian.org/source/sid/p11-kit

as described here (the package name here is still p11-kit-nssckbi, but
that can be changed easily):
https://salsa.debian.org/gnutls-team/p11-kit/-/commit/2bc43fb58fc491d2a845a321cadd90a7f33f371e

Solution found here:
https://salsa.debian.org/gnutls-team/p11-kit/commits/tmp-704180-divertnss

taken from bug report
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180#80

Internet sources which describe the same solution:
https://superuser.com/a/1312419

https://www.bachmann-lan.de/linux-mit-eigenen-ssl-zertifikaten-root-ca-installieren/

(In Fedora/Red Hat/etc. it's done this way by default, package name for
this is p11-kit-trust)

I think this bug report is a duplicate of #704180

BR
DI(FH) Holger Fischer, MSc

#926388#35
Date:
2021-02-12 09:15:36 UTC
From:
To:
Hi, as someone who got bitten by this and spent like half a day figuring it
out, I fully support this.
I found out that diverting/replacing that file is not enough, as Firefox and
Thunderbird are shipped with their own versions (not sure if it applies to
Bullseye too, I only checked Buster).

I wrote this script:

```
#!/bin/sh
# Divert the NSS built-in root module and point its path at the p11-kit trust
# module, so NSS consumers pick up the system CA store instead.
replace_libnssckbi() {
        # TODO: support other archs
        dpkg-divert --rename --package selfhost-clearnet-certbot --add "$1" || return 1
        ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so "$1"
}

# TODO: support other archs
replace_libnssckbi /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
replace_libnssckbi /usr/lib/firefox-esr/libnssckbi.so
replace_libnssckbi /usr/lib/thunderbird/libnssckbi.so
```

I guess it will need some checks or calls to mkdir but works at least for
me.

Side note: Firefox will not accept a self-signed server certificate added
to ca-certificates. You have to create a CA, add its certificate to
ca-certificates, generate a separate server certificate signed by that CA
and use it for server. I think this is OK, just mentioning in case someone
finds this and wants to set it up.

#926388#40
Date:
2023-06-14 06:49:19 UTC
From:
To:
As of Debian 12 ("bookworm"), firefox-esr and thunderbird no longer ship
their own libnssckbi.so files:
<https://packages.debian.org/search?searchon=contents&keywords=libnssckbi.so>

So I think this bug can be resolved as a duplicate of
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180>.

#926388#43
Date:
2023-09-13 06:24:07 UTC
From:
To:
Hello,

Bug #926388 in debian-edu-config reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/ff60890762e335382af9f40a2e634221d5fb2436
------------------------------------------------------------------------
Stop adding the DebianEdu root CA to NSS shared database

NSS consumers like Firefox, Thunderbird, Chromium should use the system trusted
root CA store via p11-kit (Closes: #926388).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/926388

#926388#48
Date:
2023-09-14 09:10:56 UTC
From:
To:
Hello,

Bug #926388 in debian-edu-config reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/24bd34d806fe9bc106ae7f8d5421fc1da371759d
------------------------------------------------------------------------
Stop adding the DebianEdu root CA to NSS shared database

NSS consumers like Firefox, Thunderbird, Chromium should use the system trusted
root CA store via p11-kit (Closes: #926388).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/926388

#926388#51
Date:
2023-09-15 14:10:14 UTC
From:
To:
Hello,

Bug #926388 in debian-edu-config reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/124070c677508d1b2021e6f2e1bfb556990d48cc
------------------------------------------------------------------------
Stop adding the DebianEdu root CA to NSS shared database

NSS consumers like Firefox, Thunderbird, Chromium should use the system trusted
root CA store via p11-kit (Closes: #926388).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/926388

#926388#54
Date:
2023-10-09 12:59:41 UTC
From:
To:
Hello,

Bug #926388 in debian-edu-config reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4b63838ab777314d4611195f0be58c29203b8f1a
------------------------------------------------------------------------
Stop adding the DebianEdu root CA to NSS shared database

NSS consumers like Firefox, Thunderbird, Chromium should use the system trusted
root CA store via p11-kit (Closes: #926388).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/926388

#926388#59
Date:
2023-12-25 11:06:52 UTC
From:
To:
control: tags -1 - pending
thanks

hi,

#926388 "let Firefox trust /etc/ssl/certs/ca-certificates.crt"
has been marked as pending with
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4b63838ab777314d4611195f0be58c29203b8f1a
but this commit was never merged into the master branch, thus I'm
removing the pending tag now.

Do we need this for bookworm or is it just cruft?

#926388#66
Date:
2023-12-25 12:06:55 UTC
From:
To:
On 25.12.23 at 12:06 Holger Levsen wrote:

The fix is only applicable for unstable and cannot be backported to bookworm.

#926388#71
Date:
2023-12-25 12:17:34 UTC
From:
To:
thanks for the clarifications, Guido!

#926388#74
Date:
2025-06-01 20:17:26 UTC
From:
To:
Hello,

Bug #926388 in debian-edu-config reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/909c45c1bbc30a57ab510ed9eb2c4aa80375c6d9
------------------------------------------------------------------------
Stop adding the DebianEdu root CA to NSS shared database

NSS consumers like Firefox, Thunderbird, Chromium should use the system trusted
root CA store via p11-kit (Closes: #926388).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/926388

#926388#79
Date:
2026-05-22 22:31:30 UTC
From:
To:
Hello,

Bug #926388 in debian-edu-config reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/28d7a3cca794779a06679e631faa715ddee4ee7f
------------------------------------------------------------------------
Stop adding the DebianEdu root CA to NSS shared database

NSS consumers like Firefox, Thunderbird, Chromium should use the system trusted
root CA store via p11-kit (Closes: #926388).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/926388