
My company has implemented an upstream device that does decryption and this requires all boxes to have the root CA certificate installed.

I copied the CA certificate in PEM format and did the below. The update acknowledged that one certificate was added. The last cert in /etc/ssl/certs/ca-certificates.crt shows the root.crt certificate. I have also installed the intermediate certificate.

sudo apt-get install -y ca-certificates
sudo cp root.crt /usr/local/share/ca-certificates
sudo update-ca-certificates

However, when using Firefox or Brave the following error occurs. This error is from Firefox. It's clearly a certificate issue; I think the browsers aren't seeing the certificate?

"Did Not Connect: Potential Security Issue"

Someone could be trying to impersonate the site and you should not continue.

Websites prove their identity via certificates. Firefox does not trust www.google.com because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.

Error code: SEC_ERROR_UNKNOWN_ISSUER

  • More information is needed. Is www.google.com just a placeholder and the cert for your company's site which you are trying to access from Firefox on a Ubuntu 24 system? If not, edit the question and add an explanation of what it is exactly that you are trying to do. Commented Sep 7, 2024 at 0:38
  • @NasirRiley I am trying to use the browser normally, go to any website, well, any https website, and I get those cert errors. It's because my company implemented some upstream network device that requires their CA cert. This affects wget, curl, anything that utilizes SSL. I thought installing the root CA cert and intermediate certs would resolve it, but no luck. Commented Sep 7, 2024 at 1:03
  • Firefox may be using the OS store or not (see answer) but wget and curl definitely are, so if they are still getting errors you probably didn't import the correct cert. Try openssl s_client -showcerts -connect $host:$port </dev/null which will show exactly the cert chain received (as PEM blocks) and validated -- or not -- in the callback trace at the beginning. Commented Sep 7, 2024 at 4:51
  • In that case, Firefox and some other browsers do not trust the certs from your company that aren't signed by a certificate authority. What you are seeing is normal. Commented Sep 7, 2024 at 11:40

1 Answer


This is expected behavior, as both Firefox and Brave do not trust system CA certificates but implement their own certificate stores.

Firefox

Firefox does not have a centralized certificate store; the certificate databases are stored in each profile individually. The path is under the user's home directory and has a randomized part, making it a bad option for centrally managing the certificates.

$HOME/.mozilla/firefox/randompart.default/cert8.db 

However, Firefox has policy templates that enable you to modify the settings via a JSON file in /etc/firefox/policies/policies.json. You could...

  • install a single certificate with Certificates | Install:
    {
      "policies": {
        "Certificates": {
          "Install": [ "appliance.der", "/usr/local/share/ca-certificates/root.crt" ]
        }
      }
    }
  • trust the entire system certificate store with Certificates | ImportEnterpriseRoots:
    {
      "policies": {
        "Certificates": {
          "ImportEnterpriseRoots": true
        }
      }
    }
  • Since about 2 years ago Firefox has an option to use 'enterprise_roots' meaning the platform store in addition to its own. I don't believe this option would be set on (new) Ubuntu, but it's worth checking. Commented Sep 7, 2024 at 4:48
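An added example (not part of the question or the answer) that ties the three system-store commands from the question to the Firefox policy from the answer: it verifies that the CA really landed in the system bundle, writes a policies.json that uses both the Install list and ImportEnterpriseRoots, and dumps the chain the upstream device presents, as the openssl s_client comment suggests. It assumes root.crt in the current directory and that the Firefox build in use reads /etc/firefox/policies, as the answer states.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the company root CA
# is ./root.crt and Firefox reads /etc/firefox/policies/policies.json.
set -eu

# Print the base64 body of the first PEM certificate in $1 as a single line.
pem_body() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
    | grep -v -- '-----' | tr -d '\n\r '
}

# Succeed if the certificate in $1 appears verbatim in the bundle file $2.
# This is the check for "update-ca-certificates really picked up my file".
cert_in_bundle() {
  body=$(pem_body "$1")
  [ -n "$body" ] || return 1
  tr -d '\n\r ' < "$2" | grep -F -q -- "$body"
}

# Write a Firefox enterprise policy to $1/policies.json that installs the
# certificate at path $2 explicitly and also trusts the OS store.
write_firefox_policy() {
  mkdir -p "$1"
  printf '{\n  "policies": {\n    "Certificates": {\n      "Install": ["%s"],\n      "ImportEnterpriseRoots": true\n    }\n  }\n}\n' \
    "$2" > "$1/policies.json"
}

# Full procedure from the question plus the Firefox policy; must run as root.
install_company_root() {
  cert=${1:-root.crt}
  apt-get install -y ca-certificates
  cp "$cert" /usr/local/share/ca-certificates/root.crt
  update-ca-certificates
  cert_in_bundle "$cert" /etc/ssl/certs/ca-certificates.crt \
    || { echo "root CA missing from /etc/ssl/certs/ca-certificates.crt" >&2; exit 1; }
  write_firefox_policy /etc/firefox/policies /usr/local/share/ca-certificates/root.crt
  # Show the chain the interception device sends and whether OpenSSL trusts it.
  openssl s_client -showcerts -connect www.google.com:443 </dev/null 2>/dev/null \
    | grep -E 'Verify return code|s:|i:'
}

# Usage: sudo sh this_script.sh install [path/to/root.crt]
if [ "${1:-}" = "install" ]; then
  install_company_root "${2:-root.crt}"
fi
```

The "Verify return code: 0 (ok)" line from the final command confirms the system store now trusts the device's chain; Firefox must then be restarted to load the policy.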
