[Zotero 7 Flatpak] WebDAV Won't Recognize Custom Certificate Authority

rkabelitz
Until recently, I was using Zotero (non-flatpak) on my Fedora 40 computer, and after getting some help here in the forums (https://forums.zotero.org/discussion/114197/zotero-7-beta-webdav-wont-recognize-custom-certificate-authority) I was able to sync my attachments using WebDAV into my Nextcloud, which is signed with a custom CA that I have control over. However, I recently swapped over to Kionite, which is the same setup but immutable, meaning that essentially everything should be installed inside containers. As such, I installed Zotero as a flatpak, but with it, I have been unable to get it to recognize my custom CA.

I am, of course, aware that the flatpak is not managed by the official Zotero team. However, I thought I would still check here in case anyone has any ideas of what I could potentially be doing wrong.

Last time I had this problem, what I did to resolve it was
1. Download Firefox ESR 115 using the official tarball
2. Adding my certificate for my CA
3. Copying the cert9.db, key4.db, and pkcs11.txt into Zotero
4. Restarting Zotero

However, this did not work this time - Zotero still doesn't recognize my CA.

I have a very strong feeling this is flatpak-related, as I noticed that the Firefox flatpak does not have cert9.db, key4.db, and pkcs11.txt anywhere within it, which makes me think that an entirely different process would be needed for the Zotero flatpak as well. However, I do not know what this process would be.

Is there anything I can try, or should I give up on the Zotero flatpak and try and run Zotero in some kind of other container? (the container being necessary because, again, this is an immutable OS, so everything should be run in containers.)

  • rkabelitz
    In case someone else finds this in the future:

    In the end, what I ended up doing was uninstalling the flatpak and installing zotero through distrobox. I made a seperate box for Zotero, based on a Debian image, then installed it using this information here:

    https://www.zotero.org/support/installation
    https://github.com/retorquere/zotero-deb

    That made the process super easy. From there, I was able to follow the steps I had followed in the past to get my custom CA recognized, and everything synced. I can also confirm, installing Zotero this way, despite being in a container, still works with both the Libreoffice connector and the Firefox connector.
  • samvimes
    I don't have experience with immutable distros, but I assume the /home-folder is still mutable - so shouldn't it also be possible to just unpack the official tarball into your home-folder and run Zotero from there?
  • rkabelitz
    I'm quite new to immutable distros myself and the documentation for the Fedora immutable family is admittedly lacking, so I can't say with 100% confidence, but from my understanding it is considered best practice to use apps from
    1. Flatpak
    2. RPM-Ostree (a method to use RPMs on immutable distros)
    3. Distrobox/Toolbx
    and only use AppImages and tarballs if no other option is available, although they do still work. Snaps, on the other hand, don't work at all.

    So while I could use the official tarball, it seems to be working perfectly in distrobox, so I think that's possibly better practice to do. Again, though, I could be being stupid haha
  • rkabelitz
    Returning even later just to potentially help future people with this admittedly niche usecase:

    Tarball
    Installing Zotero through the official tarball probably is not recommended on Immutable OS' to my understanding

    Flatpak:
    Seemingly, there is no way to get the (unofficial) flatpak version of zotero to recognize Custom CAs at the moment.

    Distrobox:
    This is what I last reported using, but I now find problems there too: after installing zotero through distrobox, links from within zotero would no longer open in my browser

    Appimage:
    The best solution I can find at this time. I have found no issues with the (unofficial) Appimage version of Zotero, it has worked well for several weeks now with daily usage.
  • samvimes
    I mean if the AppImage works for you, that's good - but I don't really see any reason against just unpacking the Tarball into your /home and running Zotero from there. Especially for less experienced users this method, which is the officially supported one, is gonna be easier and if problems arise they will be easier to troubleshoot.
  • rkabelitz
    This is likely a situation of me not understanding tarballs and what they are - are they containerized? If so, then I see no reason for me not to use it, and definitely should, as like you said it's the official method.
  • samvimes
    Tarballs are not containerized but just a way of compressing and sharing folders (and you're right that they're thus not the usual method of installing software on immutable systems). However - why would Zotero need to be containerized? It has a self-updating mechanism, if you download it from the official website there's not really a security risk (arguably the risk is higher running unofficial versions) and it doesn't have complicated dependencies.
  • rkabelitz
    For me, it's less a worry over security (I have a lot of trust in Zotero at this point) and more a concern over reliability. If I keep everything containerized in my system, nothing can mess with each other, which reduces possible risks of breakages. I swapped to an immutable OS from regular Fedora because I was getting a little frustrated at various problems caused, admittedly, by my own lack of experience with linux systems. With everything containerized, the risk of things breaking is significantly lower, and it becomes easier to troubleshoot problems that do arise as well.

    Even though installing just the official zotero tarball is very unlikely to break anything, as like you said the dependencies aren't complicated, I still think it makes sense to try and maintain a fully containerized system to reduce risks anyway.
Sign In or Register to comment.