Observe the warning: “Connection verified by a certificate issuer that is not recognized by Mozilla”.įirefox should not show warnings about not recognized certificate issuers when the site certificate was issued by a well-known public certificate authority (not by some local CA added via policy). Click the padlock icon to the left of the URL bar to open the site information popup.Ĥ. Start Firefox with an empty profile it helpfully opens the “Firefox Privacy Notice” page from (you can also open, , …)ģ. Install Firefox on NixOS 21.05 from the unmodified `pkgs.firefox` package.Ģ. See as example /NixOS/nixpkgsįirefox (from `pkgs.firefox`) shows “Connection verified b … y a certificate issuer that is not recognized by Mozilla” even for well-known public certificate authorities (DigiCert, Let's Encrypt, …).ġ. Which may be rather confusing and give impression that CA is not recognized. That said, Mozilla still differentiates between “approved” CA and arbitrary other one (even system-wide), so even with p11-kit-nss-trust it will warn user that “Connection verified by a certificate issuer that is not recognized by Mozilla”. So I am pretty sure it cannot work on default Leap installation unless you specifically configured your system or your Mozilla to use alternative CA source. I have scratch Leap 15.5 I did a couple of days ago to verify some other issue and it includes the standard mozilla-nss-certs. It is installed on two Leap systems here and I see explicit zypper invocation in /var/log/zypp/history. But to my best knowledge this package is not installed automatically either on Leap or on Tumbleweed. It gets CA from the well known locations like /usr/share/pki or /etc/pki. One alternative implementation is provided by p11-kit, specifically p11-kit-nss-trust package. It is possible to replace this library with alternative implementation or explicitly add additional compatible library as “Security Device” in Firefox settings. Default implementation that is part of Mozilla is provided by mozilla-nss-certs subpackage and simply contains static built-in list of approved CA. The CA certificates used by Mozilla come from libnssckbi.so library. But if that doesn’t work with Tumbleweed, I would consider it a bug worth reporting. That’s working fine for me with Leap 15.5.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |