Thanks. I guess cert_override.txt may have been superseded by that file. I've created an issue to update the relevant documentation and WebDAV error message.

Copying cert8.db did not work for me with Zotero standalone 4.0.28 and Firefox 41.0.2 on Ubuntu 15.10. I can sign in to the webdav address without issue in Firefox, but Zotero still complains the self-signed SSL cert is being rejected. I made sure to close both Firefox and Zotero before copying the db file.

Has this method broken in a more recent version of Firefox or Zotero?

BBUCommander,

I've just made my way through all this stuff as well... Actually, the reason might not be this simple. For example, your certificate might have unsupported signature algorithm or key length. And, as usual, error messages are not very helpful; even misleading sometimes. For example, sha512RSA and sha384RSA seem to not work in my FF 41.0.2 and IIS 7.5 .
Just in case, personally, I ended up using sha256RSA and 4096 key length (which seem to be pretty standard).

(1) Just in case, have you doublechecked, that your certificate is listed in Options -> Advanced -> View Certificates -> Authorities ?

(2) Are you using a self-signed certificate?

(3) Even if you are able to view your files in FF, Zotero might require some additional stuff. For example, I've found, that "NTLM" authentication provider must be #1. https://forums.zotero.org/discussion/54212/permission-denied-connecting-to-microsoft-iis-webdav

(4) Can you collect the "Debug output log" for "Verify server"?

Dan,

>>This whole thread is about self-signed certificates, which BBUCommander also says they're using

Oups. Sorry, I've somehow missed that.
Still, IMHO, "your-own-CA-signed certificate" approach is applicable in most cases, where people initially try to use a simple selfsigned certificate.
On the other hand, IMHO, firstly, we need to find at least one 100% working combination of all parameters. It looks like I've found one, so that's what I'm trying to share...
I've also tried a selfsigned certificate first. I don't actually remember, what was wrong, and I'm not saying "it won't work with a selfsigned certificate anyway". But I ended up creating my own CA. I'm not sure, but it feels like using selfsigned certificate _might_ be a bit different from using your own CA.


>>Firefox and Zotero should have the same certificate requirements

Initially, I was pretty sure that this is an absolute truth. But then I ran into the situation, where, after all, they behave in a bit different ways (the same "NTLM should be #1" thing). So, probably, if their behavior is different in this aspect, it might also be different in some other aspects.



>>There's just some ambiguity about which certificate override file is used in different versions of Firefox.

Hm... Do you mean that older versions of FF use "cert_override.txt" and newer version use "cert8.db" to store information about certificates that are trusted?

I’ve just carried out the following experiment:
1) I’ve cleared “cert_override.txt” and removed my CA’s root certificate from “Certificate Manager -> Authorities” list, also, I’ve checked that “Certificate Manager -> Others” and “Certificate Manager -> Servers” lists has nothing related to this WebDav server.
2) Stopped FF
3) Copied both "cert_override.txt" and "cert8.db" to “v1” folder.
4) Started FF. Tried to connect to my WebDav. To connect, I have to click “add exception”.
5) Stopped FF.
6) Compared "cert_override.txt" and "cert8.db" with those in “v1” folder – only "cert_override.txt" was changed.
7) Started FF. Tried to connect to my WebDav. To connect, I do not need to click “add exception”.
8) Stopped FF.
9) Replaced "cert_override.txt" in FF profile folder with those from “v1” folder.
10) Started FF. Tried to connect to my WebDav, again. To connect, I had to click “add exception”, again.

IMHO, this means, that when you click “add exception” this information is stored in "cert_override.txt". This also means, that copying “cert8.db” from FF to Zotero after adding an exception is pointless.

On the other hand, I have to admit, that there _might_ be a difference for selfsigned certificates. I’ve only tested My-own-CA-signed certificate case.


So, from this point of view, I find the older version ( https://www.zotero.org/support/kb/cert_override?rev=1436340164&do=diff ) more correct, if we are talking about adding certificate exception (….you can open the WebDAV URL in Firefox, accept the certificate, and then copy…). As far as I understand, this change was made because of twasson’s report (the first message of this thread).

Note, that I’m not sure, if adding this certificate exception, and copying “cert_override.txt” to Zotero’s profile folder would actually work - cert_override works for firefox, but, as I’ve said, Zotero might behave a bit different.

What actually worked for me:
1) Just like in previous experiment:I’ve cleared “cert_override.txt” and removed my CA’s root certificate from “Certificate Manager -> Authorities” list, also, I’ve checked that “Certificate Manager -> Others” and “Certificate Manager -> Servers” lists has nothing related to this WebDav server.
2) Stopped FF
3) Copied both "cert_override.txt" and "cert8.db" to “v1” folder.
4) Started FF. Tried to connect to my WebDav. Verified that I’m prompted to add the exception. (But do not add it).
5) Go to “Options -> Advanced -> View Certificates -> Authorities” and import your root CA certificate.
6) In the dialog window that would popup check all 3 “Trust this ….” Checkboxes.
7) Note, that now you’re not prompted to add certificate exception, when you try to access your WebDav.
8) Stopped FF
9) Note, that your “cert_override.txt” is still empty.
10) Note, that your “cert8.db” got changed – it’s no longer equal to those in “v1” folder. Now it is OK to copy it to your Zotero/Juris-M profile.

Sidenotes:
• It looks like, the same mechanism worked for the topic-starter – he probably already had appropriate root CA certificate embedded in his FF profile, probably, just because his institution requires that…. So he misinterpreted the procedure a bit – at least, I see no other explanation. ( Twasson, if you're reading this, could you please check your CA list in FF and confirm/reject my assumption? :) )
• Step “5” here won’t work for selfsigned/non-root-CA certificates. You may try to add your selfsigned certificate to “Certificate Manager -> Servers” list. I’ve not tried that. Creating a selfsigned certificate is pretty straightforward. For example, one may try to follow this guide ( https://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.html ). Though, IMHO, a better approach is to create “your own root certification authority”, as described here ( http://www.jayway.com/2014/09/03/creating-self-signed-certificates-with-makecert-exe-for-development/ ). This would require a bit more effort, but, on the whole, this is, typically, a better way.



>>This whole thread is about self-signed certificates

As far as I understood, the first message of this thread mentions “local” certification authority – which is a bit different from standalone “selfsigned certificate”. Still, I believe that underlying mechanism is the same for all cases described here.

PS
I was talking about "your own WebDav server", but, most probably, everything should work just the same in the situation, described by the topicstarter.

(So, BBUCommander, you should copy cert_override.txt instead. Sorry for the confusion.)

Thanks @twasson

Copying cert8.db from Firefox to my Zotero profile fixed syncing for me in a similar situation (large institution with proxy for https and self-issued certificate already setup in Firefox)

OSX: 10.7.5
Zotero: Standalone 4.0.28.8
Firefox: ESR 38.3.0