Certificate Override for corporate network
+ MacOs High Sierra
+ Zotero 5.0.89
When operating the zotero web-app (zotero.org), all is well with the certificates and the functionality.
When I try to execute "Set up Syncing" in the App, I get the error message:
"api.zotero.org uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
Error code: SEC_ERROR_UNKNOWN_ISSUER"
I have done the over-ride steps detailed in:
https://www.zotero.org/support/kb/cert_override
However, the secmod.db file is not present in my Firefox profile folder.
All works well on a personal Mac, so its something about the corporate security system.
Any advice?
+ Zotero 5.0.89
When operating the zotero web-app (zotero.org), all is well with the certificates and the functionality.
When I try to execute "Set up Syncing" in the App, I get the error message:
"api.zotero.org uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
Error code: SEC_ERROR_UNKNOWN_ISSUER"
I have done the over-ride steps detailed in:
https://www.zotero.org/support/kb/cert_override
However, the secmod.db file is not present in my Firefox profile folder.
All works well on a personal Mac, so its something about the corporate security system.
Any advice?
1. I checked out https://www.zotero.org/support/kb/site_certificate_info
and all is well -- it shows my company certifies zotero.org, and as previously mentioned, all is well with my use of zotero.org
2. I do have a pkcs11.txt file in my Firefox profile and I copied that into the ZoteroApp profile, and restarted the Mac, but same error message as above.
3. Perhaps another clue is that I'm also getting JavaScript Errors and Warnings in the Error Console, for example: [JavaScript Error: "The connection was refused when attempting to contact wss://stream.zotero.org/." {file: "chrome://zotero/content/xpcom/streamer.js" line: 155}]
I'm relatively knew to Zotero so apologize if I'm not going about asking for assistance in the right way.
Can you say the exact steps you followed to try to get this to work?
To fix the problem with the Zotero App, I've followed the advice on this page:
https://www.zotero.org/support/kb/cert_override
Namely, I copied the key4.db, cert9.db and pkcs11.txt files from my Firefox profile folder into the Zotero profile folder.
I must be missing something.
What I'm guessing is happening is that, since you're using a newer version of Firefox that is able to use the system root certificates, those files in the Firefox profile aren't actually set up to trust the custom certificate authority, such that copying them to Zotero doesn't help. You can confirm this by disabling security.enterprise_roots.enabled in about:config in Firefox and restarting Firefox, which will cause it to use the files from the profile and quite possibly fail at that point. Your IT department should be able to help you import the custom certificate into Firefox so that it works with that setting disabled, and you could then copy the files to Zotero and revert that setting.
(It looks like the linked instructions were wrong — it is indeed pkcs11.txt and not secmod.db that goes with key4.db and cert9.db — but I'm not sure it actually makes a difference for this.)
--John
Any ideas?