Bug 1506734: Allow additional locations for certificate policy import
Status: Closed (VERIFIED FIXED), opened 6 years ago, closed 6 years ago
Categories: Firefox :: Enterprise Policies, defect, P1
Tracking: Firefox 65
People: Reporter: mkaply, Assigned: mkaply
Attachments: 1 file (47 bytes, text/x-phabricator-request); jcristau: approval-mozilla-beta-; RyanVM: approval-mozilla-esr60+
For Linux, we need to allow support for full paths and distribution directory.
Comment 1 (Assignee) • 6 years ago
Would be good for the Mac platform if there was somewhere in the 'distribution' folder that we could store the certificates.
i.e. if we're distributing the policies.json file and any extensions etc. and certificates, if we're referencing everything else from the 'distribution' folder in the json file, why not also have the certificates in there if that is part of the company's distributed management.
How does that sound?
Comment 3 (Assignee) • 6 years ago
(In reply to Rob from comment #2)
> Would be good for the Mac platform if there was somewhere in the
> 'distribution' folder that we could store the certificates.
>
> i.e. if we're distributing the policies.json file and any extensions etc. and
> certificates, if we're referencing everything else from the 'distribution'
> folder in the json file, why not also have the certificates in there if that
> is part of the company's distributed management.
>
> How does that sound?
That's one of the things this patch adds. Certificates directory under distribution.
It also adds arbitrary paths as well.
Updated (Assignee) • 6 years ago
Priority: -- → P1
Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/e96d9b255d52
Allow paths and distribution directory for certificates. r=Felipe
Comment 5 • 6 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 65
Comment 6 (Assignee) • 6 years ago
For QA:
This adds a new location - certificates directory under the distribution directory
And allows for just paths in the certificates list.
Flags: qe-verify+
Comment 8 (Assignee) • 6 years ago
Comment on attachment 9024600 [details]
Bug 1506734 - Allow paths and distribution directory for certificates.
[Beta/Release Uplift Approval Request]
Feature/Bug causing the regression: Bug 1474683
User impact if declined: On Linux in particular, more difficult to import certs.
Also needed for some Talos/Raptor changes
Is this code covered by automated tests?: No
Has the fix been verified in Nightly?: No
Needs manual test from QE?: Yes
If yes, steps to reproduce: Steps are in bug, QA has been contacted.
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): Policy only, thoroughly vetted based on prior changes.
String changes made/needed:
Attachment #9024600 - Flags: approval-mozilla-beta?
Comment 9 • 6 years ago
I have tested this fix on all platforms, as instructed by Mike, using the latest Fx65.0a1 available. Here are my findings:
For Windows:
- the certificates can only be installed from a 'Certificates' folder, created in either "%appdata%/Mozilla" or "%localappdata%/Mozilla"
- creating a 'Certificates' folder anywhere else, containing a valid .crt and mentioning the path to that .crt does not install the certificate
- even if the certificate is, for example, in the downloads folder and the path is correctly mentioned, the certificate will not be installed in Firefox
For Linux:
- besides the conventional folder (/home/svuser/.mozilla/certificates), the certificates could only be installed from a 'certificates' folder created in the 'distribution' folder where the policy resides, and the .crt file is placed there (the policy must mention the full path of the .crt file, e.g.: /home/cristianbaica/Desktop/Fx Builds/firefox-nightly/distribution/certificates/root.crt)
For Mac:
- the certificates can be installed from EVERYWHERE without any issues, as long as the path to the .crt file is correctly mentioned
Are those the expected results after this fix or should the user be able to install certificates from wherever he has them saved as long as he provides the correct path to them (as is the case for mac platforms)?
Flags: needinfo?(mozilla)
Comment 10 (Assignee) • 6 years ago
For Windows, did you use double slashes for the path? I have verification Windows works in another bug.
For Linux, the fully qualified path should work as long as the proper permissions are on the file.
Flags: needinfo?(mozilla)
Comment 11 • 6 years ago
For Windows:
- the double slash makes it possible to install the .crt from ".../firefox/distribution/certificates/.crt"
- however, using double slash does not make it possible to install the .crt from any place where the certificate is placed
For Linux:
- I don't think any permissions have changed between trying out different paths. The path that worked is /home/cristianbaica/Downloads/Fx Builds/firefox-nightly/distribution/certificates/root.crt and the path that didn't work is /home/cristianbaica/Downloads/root.crt
- the file itself has not changed (I just used copy/paste commands to create the file in the desired places)
Comment 12 • 6 years ago
Comment on attachment 9024600 [details]
Bug 1506734 - Allow paths and distribution directory for certificates.
I think this can ride the trains to 65.
Attachment #9024600 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Comment 13 (Assignee) • 6 years ago
Cristian: Can you ping me on Slack when you get a chance (or if you are in Orlando next week)?
Would love to get this figured out.
Comment 14 • 6 years ago
[ following up on Cristian's behalf, since he's on PTO ]
Emil, could you please have a look at this instead, when you have the time?
Flags: qe-verify+ → needinfo?(emil.ghitta)
QA Contact: emil.ghitta
Comment 15 • 6 years ago
This seems to work from my side (used Firefox 65.0b4).
Windows
- The certificate is successfully installed from the "certificates" or "Certificates" directory (placed under the "distribution" directory).
- The certificates can be installed from anywhere, if the full location path is being specified inside the policies.json file.
Linux
- The certificate is successfully installed from the "certificates" directory (placed under the "distribution" directory). Note: It seems that only the "certificates" name is accepted. Using "Certificates" (with the capital "C") for the directory name leads to the following error: "Unable to find certificate -root.crt".
- The certificates can be installed from anywhere, if the full location path is being specified inside the policies.json file.
Mac
- The certificate is successfully installed from the "certificates" or "Certificates" directory (placed under the "distribution" directory).
- The certificates can be installed from anywhere, if the full location path is being specified inside the policies.json file.
Since the problem was raised by Cristian Baica, I would like to wait for Cristian (he will be back in office tomorrow) in order to confirm this with him as well.
Flags: needinfo?(emil.ghitta) → needinfo?(cristian.baica)
Comment 16 • 6 years ago
I have double checked the information with Emil.
I can confirm now that the certificates can be installed from anywhere, even on Windows, by mentioning the full path of the certificate.
Closing the ticket as verified fixed.
Status: RESOLVED → VERIFIED
Updated • 6 years ago
Flags: needinfo?(cristian.baica)
Comment 17 (Assignee) • 6 years ago
[Tracking Requested - why for this release]: I'd like this for the next ESR to correspond to 65.
It's really the finishing touch on our cert code.
tracking-firefox-esr60: --- → ?
Comment 18 • 6 years ago
Please request uplift when you get a chance.
status-firefox64: --- → wontfix
status-firefox-esr60: --- → affected
Comment 19 (Assignee) • 6 years ago
Comment on attachment 9024600 [details]
Bug 1506734 - Allow paths and distribution directory for certificates.
[ESR Uplift Approval Request]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: Final piece of our certificate import code. Policy only
User impact if declined: Can't import certs primarily on Linux
Fix Landed on Version: Firefox 65
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): Well tested, policy only.
String or UUID changes made by this patch:
Attachment #9024600 - Flags: approval-mozilla-esr60?
Comment 20 • 6 years ago
Comment on attachment 9024600 [details]
Bug 1506734 - Allow paths and distribution directory for certificates.
Policy Engine improvements for the certificate import code. Approved for 60.5.0esr to ship alongside Fx65.
Attachment #9024600 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Comment 21 • 6 years ago
bugherder uplift
Comment 22 • 6 years ago
This is verified fixed using Firefox 60.4.1esr (provided in comment 21) on Windows 10 64bit, macOS 10.14 and Ubuntu 16.04 64bit. The certificates can be successfully installed from different locations (as in comment 15).
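Added example, not part of the bug thread and not Firefox's own code: a pre-deployment check of the certificate entries in policies.json against the behaviour reported in comments 10 and 15 (full paths work given proper file permissions; a bare file name is looked up in a `certificates` directory under `distribution`, and Linux accepted only the lowercase name). It assumes the list lives under `policies.Certificates.Install` and that policies.json sits in the `distribution` directory; `check_cert_entries` is a hypothetical helper that covers only the two locations this bug adds, and its world-writable check is an extra hardening check, not something the thread describes.

```python
import json
import os
import stat
from pathlib import Path

def check_cert_entries(policies_json):
    """Map each Certificates.Install entry to a list of findings (empty = OK)."""
    policies_json = Path(policies_json)
    dist_dir = policies_json.parent  # assumption: policies.json is in 'distribution'
    policy = json.loads(policies_json.read_text(encoding="utf-8"))
    entries = policy.get("policies", {}).get("Certificates", {}).get("Install", [])
    report = {}
    for entry in entries:
        findings = []
        path = Path(entry)
        if not path.is_absolute():
            # Bare file name: look under distribution/certificates, comparing the
            # directory name exactly, as a case-sensitive filesystem would.
            names = os.listdir(dist_dir)
            if "certificates" in names:
                path = dist_dir / "certificates" / entry
            else:
                other = [n for n in names if n.lower() == "certificates"]
                if other:
                    findings.append(f"directory is named '{other[0]}'; "
                                    "Linux accepted only 'certificates' (comment 15)")
                    path = dist_dir / other[0] / entry
                else:
                    findings.append("no certificates directory under distribution")
                    path = None
        if path is not None:
            if not path.is_file():
                findings.append(f"file not found: {path}")
            else:
                if not os.access(path, os.R_OK):
                    findings.append("file is not readable")
                # Added hardening check: the file becomes a trust anchor, so
                # nobody outside the owner/group should be able to replace it.
                if path.stat().st_mode & stat.S_IWOTH:
                    findings.append("file is world-writable")
        report[entry] = findings
    return report
```
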