Open Bug 1925853 Opened 16 days ago Updated 14 days ago

Not able to automate importing trusted roots on Linux

Categories

(Core :: Security: PSM, enhancement)

Firefox 125
enhancement

UNCONFIRMED

People

(Reporter: nsh, Unassigned, NeedInfo)

Details

Steps to reproduce:

There is a functionality to import trusted roots:
https://mozilla.github.io/policy-templates/#certificates

This still seems not to be working on Linux

There is an existing closed problem.
1600509 Enterprise root certs option not working in linux.

It looks like the only way to automate certificate import programmatically is to write a local cert db per user.

Actual results:

Cannot get trusted root installation on Linux automated

Expected results:

Have automated certificate imports work using the enterprise functionality or any comparable functionality.

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core

To be clear, you're talking about Certificates | ImportEnterpriseRoots and not Certificates | Install, right?

Flags: needinfo?(nsh)

It's not clear from documentation if those are two different functionalities or if they work together.
Is the Install working in combination with the ImportEnterpriseRoots or are those two different functionalities?

In any case both don't work for me on Ubuntu 24.04 LTS.
I got it working on Alpine Linux.

From what I see the functionality adds certificates into the cert9.db so that Firefox can read it.
I got one certificate pushed. But this seems not to work on Ubuntu. I spent hours troubleshooting and did not find any logging that could help me.

IMHO we first need a clarification of what exactly should work and how the two settings are expected to work.
What I saw on Alpine Linux is that after setting those two options I got the certificate pushed to my user's cert9.db.

Is this how it is intended to work also on Ubuntu? What steps can I take to troubleshoot it?
If I use certutil to dump the certs on Alpine I see the cert pushed after creating the mentioned policies.json.

I am not sure if the snap installation causes any different behavior. It has an impact on the place where Firefox profiles are created.
The documentation says the policy settings are still read from the mentioned standard location.
I verified policies.json is read by adding some custom bookmarks which show up.

Flags: needinfo?(nsh)

Just noticed Firefox on Ubuntu now seems to be updated to 131.0.3 but the same behavior remains.
So it might not be version-dependent but might be distribution-dependent?

(In reply to DanielNashed from comment #3)

> It's not clear from documentation if those are two different functionalities or if they work together.
> Is the Install working in combination with the ImportEnterpriseRoots or are those two different functionalities?

They're two separate mechanisms. ImportEnterpriseRoots is not supported on Linux. Install should work on Linux.

> I am not sure if the snap installation causes any different behavior. It has an impact on the place where Firefox profiles are created.
> The documentation says the policy settings are still read from the mentioned standard location.
> I verified policies.json is read by adding some custom bookmarks which show up.

If you open about:preferences -> View Certificates... -> Authorities, are the certificates you're trying to add there?

Flags: needinfo?(nsh)
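A pre-deployment check for the Linux case discussed above, as an added example that is not part of the bug or of Firefox's own code. It applies the two facts from this thread (only Certificates | Install works on Linux, and a bare filename is looked up in the Linux certificate directories named in the policy-templates documentation) to a policies.json before it is rolled out; the `demo()` fixture and the placeholder certificate content are constructed for this example.

```python
import json
import tempfile
from pathlib import Path

# Directories Firefox searches on Linux when an Install entry is a bare filename
# (per the policy-templates documentation linked in the bug report).
LINUX_CERT_DIRS = [
    "/usr/lib/mozilla/certificates",
    "/usr/lib64/mozilla/certificates",
    "~/.mozilla/certificates",
]

def resolve_install_entries(policies, search_dirs=LINUX_CERT_DIRS):
    """Map each Certificates|Install entry to the file Firefox would load, or None."""
    entries = policies.get("policies", {}).get("Certificates", {}).get("Install", [])
    resolved = {}
    for entry in entries:
        p = Path(entry).expanduser()
        if p.is_absolute():                       # absolute paths are used as-is
            resolved[entry] = str(p) if p.is_file() else None
            continue
        hits = [Path(d).expanduser() / entry for d in search_dirs]
        found = next((str(h) for h in hits if h.is_file()), None)
        resolved[entry] = found
    return resolved

def lint_linux_policy(policies, search_dirs=LINUX_CERT_DIRS):
    """Return the problems a Linux admin should fix before deploying this policy."""
    warnings = []
    certs = policies.get("policies", {}).get("Certificates", {})
    if certs.get("ImportEnterpriseRoots"):
        warnings.append("ImportEnterpriseRoots has no effect on Linux; use Certificates|Install")
    for entry, path in resolve_install_entries(policies, search_dirs).items():
        if path is None:
            warnings.append(f"Install entry {entry!r} does not resolve to an existing file")
    return warnings

def demo():
    """Constructed fixture: one root present in a search dir, one absolute path missing."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "corp-root.pem").write_text("constructed placeholder, not a real certificate\n")
    policies = json.loads(json.dumps({"policies": {"Certificates": {
        "ImportEnterpriseRoots": True,
        "Install": ["corp-root.pem", str(tmp / "missing-root.crt")],
    }}}))
    return lint_linux_policy(policies, [str(tmp)])

if __name__ == "__main__":
    for w in demo():
        print("WARN:", w)
```

Run it against a real `/etc/firefox/policies/policies.json` by loading that file with `json.load` and passing the result to `lint_linux_policy` with the default search directories.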

On Ubuntu the root is not listed under Authorities.
On Alpine the root is listed.
Both have the exact same configuration.
Having some debug to trace what is going on would be helpful.

I have not found any tracing and I also tried strace without luck.
Not sure what the difference is.

Thanks for clarifying that only Install certs works on Linux.
IMHO this could be made a bit more clear in documentation.

Having enterprise certs work and being able to disable a local db in the user's profile would be desirable from a security point of view.
Anyone with access to the local account could add more roots into the certs db in the user's profile.
Having a strict way to deploy enterprise certs would be important from a security point of view.
But that's a different type of request.

What I am looking for first is a user-independent way to provide trusted roots. The "Install" functionality would be sufficient.

Maybe this is really Ubuntu specific and not a general issue? It works on Alpine.

I could try another distribution to compare. But maybe there is debug logging which could help?

Flags: needinfo?(nsh)

Try setting browser.policies.loglevel to debug in about:config, restarting, and inspecting the browser console? (ctrl + shift + j)

Flags: needinfo?(nsh)

Thanks! The value you are describing looks like a boolean value in my environment (I also cross-checked on Windows).
The value is enabled already and I don't see any message in the browser console.

I still have the feeling this is somehow Ubuntu related. I might double check on a different environment, or maybe I should try the standard version and not the snap-installed version?
I am out of ideas what to try and I am open to suggestions. More detailed logging on the machine where it happens would probably be the best way forward.

Flags: needinfo?(nsh)

(In reply to DanielNashed from comment #8)

> Thanks! The value you are describing looks like a boolean value in my environment (I also cross-checked on Windows).
> The value is enabled already and I don't see any message in the browser console.

Try deleting that and adding it as a string with the value debug.

> I still have the feeling this is somehow Ubuntu related. I might double check on a different environment, or maybe I should try the standard version and not the snap-installed version?

You could certainly try that.

Flags: needinfo?(nsh)