Using local certificate authority in Zotero standalone: a success story

Hi all, I'm just posting this here to help anyone else that might be in my predicament: I work at a large institution with a local certificate authority and transparent SSL proxy, which was breaking Zotero standalone's ability to sync. Using cert_override.txt from Firefox didn't work, and, in fact, my Zotero standalone was never even touching that file (verified using dtrace to monitor file access on my Mac). What DID work, however, was using Firefox to import and trust my local certificate authority's cert, which was stored in cert8.db. (Fun fact: you can list what's trusted via "certutil -L -d /path/to/profile/dir/"; certutil may also be named nss-certutil.)

Copying my cert8.db into my Zotero standalone profile directory did the trick, and everything is working great now. I hope this helps!
  • Thanks. I guess cert_override.txt may have been superseded by that file. I've created an issue to update the relevant documentation and WebDAV error message.
  • Maybe there's even some kind of order of precedence and cert_override.txt might be used in cert8.db's absence? Firefox seems to update both files when you trust a certificate. I'm sure this is documented somewhere incredibly difficult to find.

    FYI, this also seems to work fine cross-platform: I used Firefox in a Linux VirtualBox instance to create a clean cert8.db and copied it to my Mac's Zotero directory, and it worked great. This way I got a clean file without all the other cruft my everyday Firefox instance had built up through time, for what it's worth. I don't know if this really buys you anything, but maybe it'll be helpful to somebody down the road.
  • edited October 24, 2015
    Copying cert8.db did not work for me with Zotero standalone 4.0.28 and Firefox 41.0.2 on Ubuntu 15.10. I can sign in to the webdav address without issue in Firefox, but Zotero still complains the self-signed SSL cert is being rejected. I made sure to close both Firefox and Zotero before copying the db file.

    Has this method broken in a more recent version of Firefox or Zotero?
  • edited October 24, 2015
    Did you test with certutil to make sure the file in the Standalone profile directory has the certificate?

    Did you try cert_override.txt?
  • BBUCommander,

    I've just made my way through all this stuff as well... Actually, the reason might not be this simple. For example, your certificate might have an unsupported signature algorithm or key length. And, as usual, error messages are not very helpful; even misleading sometimes. For example, sha512RSA and sha384RSA seem not to work in my FF 41.0.2 and IIS 7.5.
    Just in case, personally, I ended up using sha256RSA and 4096 key length (which seem to be pretty standard).

    (1) Just in case, have you double-checked that your certificate is listed in Options -> Advanced -> View Certificates -> Authorities ?

    (2) Are you using a self-signed certificate?

    (3) Even if you are able to view your files in FF, Zotero might require some additional stuff. For example, I've found that the "NTLM" authentication provider must be #1. https://forums.zotero.org/discussion/54212/permission-denied-connecting-to-microsoft-iis-webdav

    (4) Can you collect the "Debug output log" for "Verify server"?
  • i3v: Thanks, but most of that's not really relevant here. This whole thread is about self-signed certificates, which BBUCommander also says they're using. Firefox and Zotero should have the same certificate requirements, so as long as the certificate is whitelisted and working in Firefox, as BBUCommander says it is, all that should matter is that the certificate override file is transferred. There's just some ambiguity about which certificate override file is used in different versions of Firefox.

    But yes, a Debug ID may be helpful.
  • i3v
    edited October 27, 2015
    Dan,

    >>This whole thread is about self-signed certificates, which BBUCommander also says they're using

    Oops. Sorry, I've somehow missed that.
    Still, IMHO, the "your-own-CA-signed certificate" approach is applicable in most cases where people initially try to use a simple self-signed certificate.
    On the other hand, IMHO, firstly, we need to find at least one 100% working combination of all parameters. It looks like I've found one, so that's what I'm trying to share...
    I've also tried a self-signed certificate first. I don't actually remember what was wrong, and I'm not saying "it won't work with a self-signed certificate anyway". But I ended up creating my own CA. I'm not sure, but it feels like using a self-signed certificate _might_ be a bit different from using your own CA.


    >>Firefox and Zotero should have the same certificate requirements

    Initially, I was pretty sure that this is an absolute truth. But then I ran into a situation where, after all, they behave in slightly different ways (the same "NTLM should be #1" thing). So, probably, if their behavior is different in this aspect, it might also be different in some other aspects.

    >>There's just some ambiguity about which certificate override file is used in different versions of Firefox.

    Hm... Do you mean that older versions of FF use "cert_override.txt" and newer versions use "cert8.db" to store information about certificates that are trusted?

    I’ve just carried out the following experiment:
    1) I’ve cleared “cert_override.txt” and removed my CA’s root certificate from the “Certificate Manager -> Authorities” list; also, I’ve checked that the “Certificate Manager -> Others” and “Certificate Manager -> Servers” lists have nothing related to this WebDav server.
    2) Stopped FF
    3) Copied both "cert_override.txt" and "cert8.db" to “v1” folder.
    4) Started FF. Tried to connect to my WebDav. To connect, I have to click “add exception”.
    5) Stopped FF.
    6) Compared "cert_override.txt" and "cert8.db" with the ones in the “v1” folder – only "cert_override.txt" was changed.
    7) Started FF. Tried to connect to my WebDav. To connect, I do not need to click “add exception”.
    8) Stopped FF.
    9) Replaced "cert_override.txt" in the FF profile folder with the one from the “v1” folder.
    10) Started FF. Tried to connect to my WebDav, again. To connect, I had to click “add exception”, again.

    IMHO, this means that when you click “add exception” this information is stored in "cert_override.txt". This also means that copying “cert8.db” from FF to Zotero after adding an exception is pointless.

    On the other hand, I have to admit that there _might_ be a difference for self-signed certificates. I’ve only tested the My-own-CA-signed certificate case.


    So, from this point of view, I find the older version ( https://www.zotero.org/support/kb/cert_override?rev=1436340164&do=diff ) more correct, if we are talking about adding certificate exception (….you can open the WebDAV URL in Firefox, accept the certificate, and then copy…). As far as I understand, this change was made because of twasson’s report (the first message of this thread).

    Note that I’m not sure if adding this certificate exception and copying “cert_override.txt” to Zotero’s profile folder would actually work - cert_override works for Firefox, but, as I’ve said, Zotero might behave a bit differently.

    What actually worked for me:
    1) Just like in the previous experiment: I’ve cleared “cert_override.txt” and removed my CA’s root certificate from the “Certificate Manager -> Authorities” list; also, I’ve checked that the “Certificate Manager -> Others” and “Certificate Manager -> Servers” lists have nothing related to this WebDav server.
    2) Stopped FF
    3) Copied both "cert_override.txt" and "cert8.db" to “v1” folder.
    4) Started FF. Tried to connect to my WebDav. Verified that I’m prompted to add the exception. (But do not add it).
    5) Go to “Options -> Advanced -> View Certificates -> Authorities” and import your root CA certificate.
    6) In the dialog window that pops up, check all 3 “Trust this ….” checkboxes.
    7) Note that now you’re not prompted to add a certificate exception when you try to access your WebDav.
    8) Stopped FF
    9) Note that your “cert_override.txt” is still empty.
    10) Note that your “cert8.db” got changed – it’s no longer equal to the one in the “v1” folder. Now it is OK to copy it to your Zotero/Juris-M profile.

    Sidenotes:
    • It looks like the same mechanism worked for the topic-starter – he probably already had the appropriate root CA certificate embedded in his FF profile, probably just because his institution requires that…. So he misinterpreted the procedure a bit – at least, I see no other explanation. ( Twasson, if you're reading this, could you please check your CA list in FF and confirm/reject my assumption? :) )
    • Step “5” here won’t work for self-signed/non-root-CA certificates. You may try to add your self-signed certificate to the “Certificate Manager -> Servers” list. I’ve not tried that. Creating a self-signed certificate is pretty straightforward. For example, one may try to follow this guide ( https://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.html ). Though, IMHO, a better approach is to create “your own root certification authority”, as described here ( http://www.jayway.com/2014/09/03/creating-self-signed-certificates-with-makecert-exe-for-development/ ). This would require a bit more effort, but, on the whole, this is, typically, a better way.

    >>This whole thread is about self-signed certificates

    As far as I understood, the first message of this thread mentions a “local” certification authority – which is a bit different from a standalone “self-signed certificate”. Still, I believe that the underlying mechanism is the same for all cases described here.

    PS
    I was talking about "your own WebDav server", but, most probably, everything should work just the same in the situation described by the topic-starter.
  • >> Note that I’m not sure if adding this certificate exception and copying “cert_override.txt” to Zotero’s profile folder would actually work - cert_override works for Firefox, but, as I’ve said, Zotero might behave a bit differently.
    No, this has always worked. I just misread the original post, and didn't test it. For certificate whitelisting, it's still cert_override.txt, as it's always been. I've reverted the documentation page. Thanks for catching this.

    Self-signed certs are what Zotero users are generally dealing with — unless you're dealing with a transparent proxy, a custom CA is overkill.
  • (So, BBUCommander, you should copy cert_override.txt instead. Sorry for the confusion.)
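To see exactly which hosts and which certificate checks a cert_override.txt carries before copying it into the Zotero profile, here is an added Python parser; it is not code from this thread, Zotero or Firefox. It assumes the tab-separated layout Firefox writes (host:port, fingerprint-algorithm OID, fingerprint, override flags, certificate database key); the OID mapping and the sample file contents are constructed for illustration.

```python
# Fingerprint-algorithm OIDs that appear in the file (assumed mapping).
HASH_OIDS = {"OID.2.16.840.1.101.3.4.2.1": "SHA-256", "OID.1.3.14.3.2.26": "SHA-1"}

# Override bits: each letter tells Firefox to ignore one class of TLS error.
OVERRIDE_FLAGS = {
    "U": "untrusted issuer (self-signed or unknown CA)",
    "M": "hostname mismatch",
    "T": "expired or not yet valid",
}

def parse_cert_override(text):
    """Return one dict per data line; '#' lines are comments Firefox writes."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 tab-separated fields, got {len(fields)}")
        hostport, oid, fingerprint, flags, db_key = fields
        host, _, port = hostport.rpartition(":")  # the port is always written
        unknown = set(flags) - set(OVERRIDE_FLAGS)
        if unknown:
            raise ValueError(f"line {lineno}: unknown override flag(s) {sorted(unknown)}")
        entries.append({
            "host": host, "port": int(port),
            "hash_alg": HASH_OIDS.get(oid, oid),
            "fingerprint": fingerprint.upper(),
            "bypassed": [OVERRIDE_FLAGS[f] for f in flags],
            "db_key": db_key,
        })
    return entries

def find_override(entries, host, port=443):
    """The entry that applies to a WebDAV URL on host:port, or None if absent."""
    return next((e for e in entries if e["host"] == host and e["port"] == port), None)

# Constructed sample: hosts, fingerprints and db keys are placeholders, not real values.
SAMPLE = (
    "# PSM Certificate Override Settings file\n"
    "# This is a generated file!  Do not edit.\n"
    "webdav.example.edu:443\tOID.2.16.840.1.101.3.4.2.1\t"
    "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:"
    "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99\tU\tAAAAAAAAAAAAAAAEAAAAKz==\n"
    "old.example.edu:8443\tOID.1.3.14.3.2.26\t"
    "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67\tMU\tBBBBBBBBBBBBBBBEBBBBLA==\n"
)
```

Run `find_override(parse_cert_override(open(path).read()), "your.webdav.host")` against the copied file to confirm the exception for your WebDAV host is actually present, and read the `bypassed` list to see which checks that exception disables.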
  • i3v
    edited October 27, 2015
    >> self-signed certs are what Zotero users are generally dealing with
    +
    >> a custom CA is overkill.

    Yep, I do agree. Self-signed certificates are more widespread "for personal use".

    >> unless you're dealing with a transparent proxy

    Yep, but still, the first message in this thread is exactly about some kind of transparent proxy...

    >> I've reverted the documentation page.

    Cool :) Many thanks for keeping this whole huge thing running :)
  • Thanks @twasson

    Copying cert8.db from Firefox to my Zotero profile fixed syncing for me in a similar situation (large institution with a proxy for https and a self-issued certificate already set up in Firefox).

    OSX: 10.7.5
    Zotero: Standalone 4.0.28.8
    Firefox: ESR 38.3.0
  • Thanks Dan! Copying cert_override.txt from my Firefox profile dir to my Zotero profile dir did the trick.