Please fix TLS certificate handling

We recently got a firewall doing TLS inspection, which requires trusting a new TLS certificate authority (CA) used by the firewall. Zotero, apparently being based on an ancient Firefox, does not work with the standard mechanism of looking at certificates trusted by the system. (On a Mac, anyhow.) So there's a crazy workaround that involves multiple steps that no other app but Zotero needs to work correctly.

This would not be so bad if there were a checkbox in Zotero to accept this certificate, or this CA, or even to ignore certificates (perhaps for a single session). It would be painful but reasonably cautious if Zotero would indicate that it was refusing to download a requested document until you did the multi-step-hop.

Zotero does none of these things. It simply allows its small dialogue box -- which always spawns when you select "Add to My Library" -- to sit on the screen without indicating progress or error. And when you're really using that feature you're going through perhaps a long RSS feed of potential articles to download and you really don't need to pay attention to the details of that box since surely an error would be brought to your attention. (And in general, you just keep adding to your library and don't have to pay attention to the box as it expands and contracts as it does its job.)

So I just wasted a couple of hours going through a long RSS feed and marking about a dozen papers out of hundreds and adding them to my library... Except at the end none of them were added to my library. Nothing. No placeholder, no ability to recover the RSS feed where I was, no ability to see what papers I'd attempted to add to my library. :-(
  • Zotero, apparently being based on an ancient Firefox, does not work with the standard mechanism of looking at certificates trusted by the system. (On a Mac, anyhow.)
    Yes, on macOS, you currently need to follow the certificate override steps. On Windows, Zotero will use system roots automatically. Support for that on macOS will come with our next platform upgrade, hopefully later this year.

    In any case, you seem to be referring specifically here to the feed feature. That's a pretty out-of-the-way feature, and we've never tested that with MITMed connections. We'll look into error feedback for it, but you're the first to report it.

    Zotero tries to test the connection at startup to determine if a system proxy is being used and warn you (with an error icon in the toolbar) if it can't connect. Perhaps that's not happening with your system config. But you would generally also see an error in a much more visible feature, such as attachment downloads, syncing, Add Item by Identifier, or PDF metadata retrieval, well before you got to the feeds feature. For that matter, you shouldn't even be able to load or refresh a feed in the first place. So it's just very unlikely that this would come up for most people. Sorry for the wasted time, though.
  • There is a little red exclamation mark in the upper right corner. It appears to be a warning, not an error where nothing else will work.

    I believe I've been able to refresh the RSS feed multiple times. (I was too embarrassed to mention that this seems to have occurred on multiple days, so I actually lost many, many hours of work.) Again, everything LOOKS pretty much normal: I click and click and a box appears for a while then disappears. It's too painful to jump to My Library to check and then to jump back to the RSS feed -- you lose your place and have to scroll back. And it's never NOT worked before. But I have no papers saved for the last month, which corresponds to about when we got the new firewall.

    I've unfortunately tried the multi-step through Firefox multiple times and it does not work. Not sure why Firefox decided they wouldn't accept PEMs and wanted proprietary files and NSS to handle the job.

    I guess I can add arXiv.org to the TLS exception list and just remember to not try to use Zotero on any other site. (95% of my papers come from arXiv, which has the enormous RSS feeds for popular topics like Machine Learning. It's a firehose.)
  • There is a little red exclamation mark in the upper right corner. It appears to be a warning, not an error where nothing else will work.
    If you click on it, it should explain that your network connection isn't working. Does it not?
    I believe I've been able to refresh the RSS feed multiple times.
    If you don't have a working network connection, you obviously wouldn't be able to refresh the feed. No need to speculate — you can just look at the dates on the feed entries. Updating and saving would both try to connect to the domain in question. Anyway, obviously it should provide proper error feedback if saving fails, but I'm just pointing out that there should be a lot of signs that things aren't working before you get that far.
  • edited June 16, 2021
    No, it doesn't explain that the network connection isn't working. It says that a secure connection could not be established, which sounded to me like a warning rather than a show-stopper. (It is similar to warnings on browsers, but they let you override and continue to the page, approving the certificate. I think some browsers now also warn you about HTTP not being secure as well.) The deeper explanation also starts with talk of not having a secure connection. Perhaps it would be helpful to explain "Zotero cannot establish a secure connection (HTTPS) and will not use insecure connections (HTTP). Until this is fixed, no papers can be downloaded and no updates to Zotero can occur." (I found out the latter when I just now tried to update.)

    My RSS feed has no dates for the entries. That column is empty. I believe I've refreshed it at least once. I generally go through the RSS every Monday, but may have missed a couple with everything else happening. It was what it was this time, I did not manually refresh it.
  • What's the exact error?
    My RSS feed has no dates for the entries. That column is empty.
    What's a feed where you're not seeing anything in the Date column? I see dates on arXiv feeds.
  • How do you include a screen capture here? The error starts with "Zotero could not make a secure connection." And ends with "Error code: SEC_ERROR_UNKNOWN_ISSUER".

    None of my feeds (currently) have a date. I have not refreshed them since they at least show all of the articles they had a while back -- they're all marked as read, so it'll be a slog, but at least I might get lucky to find some of the articles that originally caught my eye.

    It's possible that the feeds are from before the firewall was updated and have been sitting there a month. They include cs.AI, cs.LG, stat.ML, and stat.ME. (I never manually refresh, it just updates somehow.)
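
Added illustration (not part of the thread, and not Zotero or Firefox code): SEC_ERROR_UNKNOWN_ISSUER is the NSS error for a certificate whose issuer is not in the client's own trust store, which is what a TLS-inspecting firewall produces for any client that has not been given the firewall's CA. The script below reproduces that offline with the openssl CLI, checking the same leaf certificate against a bundled-roots-only store and against a store with the inspection CA added. Every name in it (Example Inspection CA, Example Bundled Root, feeds.example.test) is constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every name below (Example Inspection CA, Example Bundled
# Root, feeds.example.test) is made up. Requires the openssl CLI; runs offline.
set -eu

# new_root DIR NAME CN: create a self-signed root certificate DIR/NAME.pem.
new_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_pki DIR: build the certificates used in the demo.
make_pki() {
    new_root "$1" bundled "Example Bundled Root"   # stands in for the app's own roots
    new_root "$1" ca "Example Inspection CA"       # stands in for the firewall's CA
    # Leaf the firewall presents in place of the real server certificate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=feeds.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
    # Trust store after the inspection CA has been added to it.
    cat "$1/bundled.pem" "$1/ca.pem" > "$1/bundled-plus-ca.pem"
}

# verify_with STORE CERT: print "trusted" or "rejected".
verify_with() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# issuer_of CERT: print who signed the certificate the client was shown.
issuer_of() {
    openssl x509 -noout -issuer -in "$1"
}

work=$(mktemp -d)
make_pki "$work"
echo "presented leaf:          $(issuer_of "$work/leaf.pem")"
echo "bundled roots only:      $(verify_with "$work/bundled.pem" "$work/leaf.pem")"
echo "bundled + inspection CA: $(verify_with "$work/bundled-plus-ca.pem" "$work/leaf.pem")"
rm -rf "$work"
```

The issuer line is the quickest diagnostic: when it names the firewall's CA rather than a public CA, the connection is being inspected and the client needs that CA in whichever trust store it actually consults.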
  • You can always upload a screenshot somewhere (e.g., Dropbox or Google Drive) and provide a link here, but that won't be necessary — the above message is enough. We'll try to clarify that message and include a link to the SSL Certificate Error page. That's currently included for most certificate problems but not the one you're hitting.

    In any case, I would generally recommend not ignoring prominent red exclamation marks… Again, all sorts of Zotero functionality would be broken in that state.
    None of my feeds (currently) have a date.
    I'm asking for a specific feed URL so that we can try to reproduce this. Again, we're seeing Date values — both in the middle column and the right-hand pane — for arXiv feeds.
  • I added to the exception list and can get to the archive. This RSS feed has no dates, after a manual refresh: http://arxiv.org/rss/stat.ML
  • edited June 17, 2021
    OK, yeah, that feed doesn't have dates.

    Feeds in this form do:

    http://export.arxiv.org/api/query?search_query=cat:stat.ML&start=0&max_results=99&sortBy=lastUpdatedDate&sortOrder=descending

    That's a feed I have saved, with "stat.ML" substituted in. I'm not sure if it's possible to generate feeds like that from the current arXiv UI.