The root CA certificate in the "Current User" store is not recognised by Zotero (Windows)
Use case:
Use custom certificates for WebDAV file syncing with HTTPS on Windows.
Issue:
The root CA certificate in the "Current User" store is not recognised by Zotero.
Steps to reproduce:
1. Close any Zotero instance.
2. Install the root CA certificate of the server's certificate with options "Store location: Current User" and "Certificate Store: Trusted Root Certification Authorities".
3. Verify the certificate chain by accessing the WebDAV page with HTTPS protocol via both Microsoft Edge and Firefox. The connection should be secured.
4. Launch a Zotero instance. Navigate to Preference -> Sync. Verify the server in the File Syncing section.
5. Zotero returns the error code: SEC_ERROR_UNKNOWN_ISSUER.
6. Close the Zotero instance.
7. Repeat step 2, but install the certificate to "Store location: Local Machine" instead.
8. Repeat step 4 to verify the server again.
9. Zotero returns: File sync is successfully set up.
Expected behaviour:
Zotero for Windows should automatically use the system root certificate store, which in most cases should allow it to work automatically like other browsers on the system.
See: https://www.zotero.org/support/kb/cert_override
Zotero should use both the Local Machine store and Current User store to behave like browsers.
Solution via cert_override.txt will not work as Firefox will not generate that file for automatically trusted sites.
Other Info:
OS version: Windows 11 Pro 22H2 (OS Build 22621.2861)
Zotero version: 6.0.30
Microsoft Edge version: 120.0.2210.91 (Official Build) (64-bit)
Firefox version: 121.0 (64-bit)
Certificate chaining: web server certificate -(Issued by)-> root CA certificate
Log of step 5:
```
(3)(+0000007): Starting file syncing
(3)(+0000001): Starting file sync for My Library
(3)(+0000000): Caching WebDAV credentials
(3)(+0000001): HTTP OPTIONS https://hide:********@webdav.hide.com/zotero/
(3)(+0000002): CookieBlocker: Ignoring cookies for https://hide:********@webdav.hide.com/zotero/
(1)(+0000016): HTTP OPTIONS https://hide:********@webdav.hide.com/zotero/ failed with status code 0
(3)(+0000002): File sync failed for library 1
(1)(+0000001): Error: webdav.hide.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER Zotero Error: webdav.hide.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER Zotero.HTTP</this.SecurityException@chrome://zotero/content/xpcom/http.js:97:18 Zotero.HTTP</this.checkSecurity@chrome://zotero/content/xpcom/http.js:1460:15 Zotero.HTTP</this._requestInternal/xmlhttp.onloadend<@chrome://zotero/content/xpcom/http.js:516:13 From previous event: runFunc@resource://zotero/concurrentCaller.js:224:22 ConcurrentCaller.prototype._processNext@resource://zotero/concurrentCaller.js:265:3 ConcurrentCaller.prototype.start@resource://zotero/concurrentCaller.js:156:12 serial/<@chrome://zotero/content/xpcom/utilities_internal.js:1905:14 ZoteroPane</this.sync@chrome://zotero/content/zoteroPane.js:2720:5 oncommand@chrome://zotero/content/standalone/standalone.xul:1:1
(1)(+0000001): Error: webdav.hide.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER Zotero Error: webdav.hide.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER Zotero.HTTP</this.SecurityException@chrome://zotero/content/xpcom/http.js:97:18 Zotero.HTTP</this.checkSecurity@chrome://zotero/content/xpcom/http.js:1460:15 Zotero.HTTP</this._requestInternal/xmlhttp.onloadend<@chrome://zotero/content/xpcom/http.js:516:13 From previous event: runFunc@resource://zotero/concurrentCaller.js:224:22 ConcurrentCaller.prototype._processNext@resource://zotero/concurrentCaller.js:265:3 ConcurrentCaller.prototype.start@resource://zotero/concurrentCaller.js:156:12 serial/<@chrome://zotero/content/xpcom/utilities_internal.js:1905:14 ZoteroPane</this.sync@chrome://zotero/content/zoteroPane.js:2720:5 oncommand@chrome://zotero/content/standalone/standalone.xul:1:1
(3)(+0000001): Done with file syncing
```
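A check for steps 2 and 7 of the report above, added here as an example; it is not part of the original post and not Zotero code. It reports which Windows root store holds a given root CA certificate. The script and its `$RootCaPath` parameter are assumptions: point it at the exported root CA file.

```powershell
# Added diagnostic example; not Zotero code.
# $RootCaPath is a hypothetical parameter: the exported root CA file (.cer/.crt).
param(
    [Parameter(Mandatory)]
    [string]$RootCaPath
)

$path = (Resolve-Path -LiteralPath $RootCaPath).Path
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# A root CA certificate is self-signed: subject and issuer are identical.
if ($ca.Subject -ne $ca.Issuer) {
    Write-Warning 'Subject and Issuer differ: this file is not a self-signed root certificate.'
}

# Look the certificate up by thumbprint in both "Trusted Root Certification
# Authorities" stores through the built-in Cert: drive.
$thumb     = $ca.Thumbprint
$inMachine = Test-Path -LiteralPath "Cert:\LocalMachine\Root\$thumb"
$inUser    = Test-Path -LiteralPath "Cert:\CurrentUser\Root\$thumb"

# The CurrentUser view also lists roots inherited from LocalMachine, so test
# LocalMachine first; "CurrentUser only" is the configuration from step 2.
$scope = if ($inMachine) {
    'LocalMachine (all users)'
} elseif ($inUser) {
    'CurrentUser only'
} else {
    'Not installed'
}

[pscustomobject]@{
    Subject         = $ca.Subject
    Thumbprint      = $thumb
    NotAfter        = $ca.NotAfter
    InLocalMachine  = $inMachine
    InCurrentUser   = $inUser
    EffectiveScope  = $scope
}
```

A result of `CurrentUser only` matches the state in which the post reports `SEC_ERROR_UNKNOWN_ISSUER`; `LocalMachine (all users)` matches the state after step 7.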