Certificate errors on restricted network: What to take from a working Firefox?

geolrud
edited November 2, 2017
Hi,
I'm behind a controlled network, Zotero v5 standalone does give the SSL certificate error for api.zotero.org.
My IT folks would not help me much, since Zotero not being a supported application.

Now, I have a working Firefox (on Linux) where https://api.zotero.org works with no certificate error, connection is trusted. The cert is issued by some proxy.

What do I need to take from the Firefox setup to get Zotero v5 to work for me?
about:config I guess?

Tried to set the same network.proxy.autoconfig_url and network.proxy.type but no luck.

Many thanks
Rudy
  • dstillman
    It's not clear if you've followed the Cert Override instructions yet, but do that first if so. If you're still having trouble, you'll need to apply the same network.proxy settings (though by default Zotero will just use the system proxy settings, which might be sufficient).
  • geolrud
    I had looked at this, might have mixed up the locations:
    Due to restrictions my standalone Z5 install is at
    c:\folder\Zotero_standalone
    I set a custom Data directory
    c:\folder\Zotero_data
    My old setup Z4 was a portable firefox, there https://api.zotero.org is not trusted: SEC_ERROR_UNKNOWN_ISSUER Don't know how to accept this then... Same root cause probably, company intercepting SSL and use of proxy.

    As I can't get the accept from Firefox portable, little use to do this but I still tried and fetched cert8.db and copied to:
    C:\folder\Zotero_data\cert8.db
    and
    C:\folder\Zotero_standalone\cert8.db

    The network.proxy settings are exactly as the working Linux Firefox (but I guess there are also system settings involved, not only Firefox).

    Still no luck.

    Thanks for caring :-)
  • dstillman
    edited November 2, 2017
    You need to copy the files from the Firefox profile directory of the Firefox that's working (not one that's not) to the Zotero profile directory (not the application directory, not the data directory).

    Delete the files you've already copied, since those aren't the right locations. There will be an existing cert8.db (and prefs.js, key3.db, extensions.ini, xulstore.jsonā€¦) in the profile directory.
  • geolrud
    Hi and thank you,
    I just learned there was made a Zotero profile directory (C:\User\Appdata...).
    There I have put the cert8.db and cert_override.txt from the working Linux Firefox (.mozilla/firefox/).
    Still looks like this is not the solution :-(
    Does cert8.db tell Linux-Firefox to trust the api.zotero.org certificate that comes from the proxy? No clue about these things...obviously.
  • dstillman
    edited November 2, 2017
    To make sure you're using the right target directory, if you sort the directory by modification time you should notice the timestamps of files changing when you close Zotero.
  • dstillman
    edited November 2, 2017
    If you're being served the same fake certificate on both machines, this should definitely work (it's been the solution for years, and as far as we know hasn't changed), as long as you copy the right files from the right Firefox profile directory to the right Zotero profile directory.

    You probably need to restart Zotero afterward.
  • dstillman
    You should also be able to test this by copying those same files to the Firefox profile directory on this machine with Firefox closed. When you start up Firefox, you should be able to connect to https://api.zotero.org. If you can't, there's something wrong with the files you're copying or you're being served a different certificate.
  • geolrud
    Sorry this is such a problem...
    I have tried with a new plain Firefox-portable.
    Some https-sites work (banks, newspapers) while others (tv-network, newspaper) while others says "not secure". As with https://api.zotero.org
    The error is:
    " uses an invalid security certificate", SEC_ERROR_UNKNOWN_ISSUER
    For the news-site nrk.no I have a button for 'add exception'.
    But not for api.zotero.org

    So it seems my problem is: Not being able to tell Firefox to accept the api.zotero connection.

  • dstillman
    Yeah, you can't add exceptions for sites (like zotero.org) that use proper security measures. If your organization needs to intercept your secure traffic, the proxy server should be serving certificates that trust a custom root certificate authority, and that custom CA's certificate needs to be imported into the browser certificate store.
  • geolrud
    Thank you again, so unneccesary...
    So I will then go back to my IT-folks and make them help me to get portable-Firefox to trust this internal stuff. Then api.zotero should be working and I can copy the files to the Z5 directory, right?
  • dstillman
    Yes.
  • geolrud
    edited November 6, 2017
    Thanks to your patience, I seem to be one step further:
    My dedicated portable-Firefox is now accepting https://api.zotero.org/ with no errors and a trusted connection through proxy. I did export a number of certificates from system browser and imported into FF.

    Then I have copied the cert8.db from portable-Firefox (56.0.2 64-bit, Win7 Enterprise) to the Zotero-v5-standalone profile, like so:
    C:\Users\_user_\AppData\Local\Zotero\Zotero\Profiles\_randomstring_.default\cert8.db

    That would mean Zotero v5 should now use the same approach as portable-Firefox. As described in Cert Override instructions.

    Rebooted, still same error from Z5 :-(
    I guess I'm still missing something...
    cert_override.txt should not be relevant, since I did not need an exception (the file is not there anyways).

    Also upgraded from 5.0.23 to 5.0.24 just now, still same...

    With a humble thank you
    Rudolf
  • dstillman
    That's not the Zotero profile directory, which is in AppData\Roaming.
  • geolrud
    Ouch, that's an embarrassing error I made... Thank you, I'm very grateful for bearing with me and pointing this out.
    Syncing now :-)

    Forgot to mention: I was testing setting 'security.enterprise_roots.enabled' to true in portable Firefox, with no success.

    In summary, here's what I did for my managed corporate network:

    Have a browser that establishes an encrypted connection to https://api.zotero.org giving 'Nothing to see here' and no errors/warnings. From this browser export the certificates specific for the network (I used 'root' and 'intermediate' for the proxies).

    A portable Firefox was installed, initially this did not trust the https://api.zotero.org connection. Import the certificates, upon success: Copy the cert8.db file from Firefox into the correct Zotero profile directory https://www.zotero.org/support/kb/profile_directory
  • alexandre.kazantsev
    Hi, thank you for useful hints. I had exactly the same issue. For me, it worked just by copying and overwriting all the files (not folders) from Firefox profile folder :
    C:\Users\_user_\AppData\Roaming\Mozilla\Firefox\Profiles\_randomstring_.default\
    towards Zotero profile folder :
    C:\Users\_user_\AppData\Roaming\Zotero\Zotero\Profiles\_randomstring_.default\
  • dstillman
    @alexandre.kazantsev: That's definitely not the thing to do. There are only a couple files that matter, explained in Certificate Override. You don't want to copy other files from Firefox.

This is an old discussion that has not been active in a long time. Before commenting here, you should strongly consider starting a new discussion instead. If you think the content of this discussion is still relevant, you can link to it from your new discussion.

Sign In or Register to comment.