Certificate Override for corporate network

+ macOS High Sierra
+ Zotero 5.0.89

When operating the zotero web-app (zotero.org), all is well with the certificates and the functionality.

When I try to execute "Set up Syncing" in the App, I get the error message:
"api.zotero.org uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
Error code: SEC_ERROR_UNKNOWN_ISSUER"

I have done the over-ride steps detailed in:
https://www.zotero.org/support/kb/cert_override

However, the secmod.db file is not present in my Firefox profile folder.

All works well on a personal Mac, so it's something about the corporate security system.

Any advice?
  • "When operating the zotero web-app (zotero.org), all is well with the certificates and the functionality."
    To be clear, this isn't relevant. Most likely your company is intercepting your secure traffic and has configured your web browser to accept their custom root certificate authority, which is why you don't receive an error in the browser. Since Zotero isn't similarly configured, it is properly warning you that your connection is not secure. You can verify this by checking the Site Certificate Info.
    "However, the secmod.db file is not present in my Firefox profile folder."
    That may no longer be used. If you have a pkcs11.txt file, you can try copying that in addition to cert9.db and key4.db.
  • Thanks for the pointers. A quick follow-up if you don't mind...

    1. I checked out https://www.zotero.org/support/kb/site_certificate_info
    and all is well -- it shows my company certifies zotero.org, and as previously mentioned, all is well with my use of zotero.org

    2. I do have a pkcs11.txt file in my Firefox profile and I copied that into the ZoteroApp profile, and restarted the Mac, but same error message as above.

    3. Perhaps another clue is that I'm also getting JavaScript Errors and Warnings in the Error Console, for example: [JavaScript Error: "The connection was refused when attempting to contact wss://stream.zotero.org/." {file: "chrome://zotero/content/xpcom/streamer.js" line: 155}]

    I'm relatively new to Zotero so apologize if I'm not going about asking for assistance in the right way.
  • "and all is well -- it shows my company certifies zotero.org"
    That doesn't really mean "all is well" — it means what I say above, that your company is intercepting your secure traffic, which is why Zotero is rejecting the connection.

    Can you say the exact steps you followed to try to get this to work?
  • Thanks for continued assistance. Yes, I understand my problem with the Zotero App on my mac is due to my company's security policies. Those same policies don't seem to interfere with zotero.org

    To fix the problem with the Zotero App, I've followed the advice on this page:
    https://www.zotero.org/support/kb/cert_override
    Namely, I copied the key4.db, cert9.db and pkcs11.txt files from my Firefox profile folder into the Zotero profile folder.

    I must be missing something.
  • I'd like to add that my work colleagues working from the PC platform do NOT have this security certificate problem. So I know that our company's security policies do not have an explicit block of the Zotero App. Which motivates me the more to figure out the solution to this problem on the Mac platform.
  • On Windows, Zotero will use the system's root certificate store, but that wasn't supported for Macs in the version of Firefox that Zotero is currently based on. (A future version of Zotero will support it.)

    What I'm guessing is happening is that, since you're using a newer version of Firefox that is able to use the system root certificates, those files in the Firefox profile aren't actually set up to trust the custom certificate authority, such that copying them to Zotero doesn't help. You can confirm this by disabling security.enterprise_roots.enabled in about:config in Firefox and restarting Firefox, which will cause it to use the files from the profile and quite possibly fail at that point. Your IT department should be able to help you import the custom certificate into Firefox so that it works with that setting disabled, and you could then copy the files to Zotero and revert that setting.

    (It looks like the linked instructions were wrong — it is indeed pkcs11.txt and not secmod.db that goes with key4.db and cert9.db — but I'm not sure it actually makes a difference for this.)
  • Is it possible to obtain guided assistance (e.g., via Zoom, Skype, Teams..) with this certificate update process? I have obtained from my company's IT Department the intermediate certificate our company uses. But we aren't sure how to follow the directions for installing it in the Zotero profile.
    --John
  • No, sorry. This is just the Firefox certificate system, and we document the options on the linked page. Your IT department needs to help you with this.
  • Thanks for all your help -- got it working today!! I think the key was your tip to set to FALSE enterprise.security_roots.enabled in about:config in Firefox in the special profile being used to pass the certificate files to Zotero. I was able to get the needed certificates from Firefox directly by exporting them from the default Firefox profile which works on the corporate network. After importing those certificates into the special new 'zotero' profile in Firefox, that profile would still not connect to the internet with enterprise.security_roots.enabled set to FALSE, which made me think I hadn't done the certificates properly. Yet copy/paste of the 3 files from the Firefox 'zotero' profile into the Zotero profile enabled syncing. Case closed (with fingers crossed!).
  • How do I fix the same problem on Chrome on a mac? Any help is greatly appreciated.
  • edited January 29, 2022
    @criosph: This doesn't have anything to do with Chrome, so not sure what your question is. If you're getting an error in the Zotero app, see the above links, and show them to your IT department if you're confused.
  • Hey! I am trying the same steps - 1) cp key4.db, cert9.db and pkcs11.txt files from firefox profile into zotero profile and 2) disable 'security.enterprise_roots.enabled' in about:config in firefox. Unfortunately it didn't work :-(

    Any ideas?
  • ming wu: To be clear, you have to disable that in Firefox first, then get the connection working again with the custom CA, and then copy those files to Zotero once they contain the necessary info.
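
The order given in the last reply (the custom CA must already be in the Firefox profile's own store before cert9.db, key4.db and pkcs11.txt are copied), as an added shell example that is not from the thread or from Zotero's documentation. The profile paths and the CA nickname are supplied by the caller, and the optional nickname check assumes the NSS `certutil` tool is installed.

```shell
#!/bin/sh
# Added example: copy Firefox's NSS store into the Zotero profile as one unit.
# Profile paths and the CA nickname are caller-supplied, not values from the thread.

NSS_FILES="cert9.db key4.db pkcs11.txt"

# copy_nss_store SRC_PROFILE DST_PROFILE [CA_NICKNAME]
# Returns 0 copied, 1 copy failed, 2 missing file or directory,
#         3 CA not in the source store, 4 certutil not installed.
copy_nss_store() {
    src=$1; dst=$2; nick=${3:-}

    [ -d "$src" ] && [ -d "$dst" ] || { echo "profile directory missing" >&2; return 2; }

    # The three files belong together; refuse a partial copy.
    for f in $NSS_FILES; do
        [ -f "$src/$f" ] || { echo "missing in source: $f" >&2; return 2; }
    done

    # Optional: confirm the corporate CA is in the profile's own store, which is
    # what Firefox falls back to once security.enterprise_roots.enabled is off.
    if [ -n "$nick" ]; then
        command -v certutil >/dev/null 2>&1 || { echo "NSS certutil not found" >&2; return 4; }
        certutil -L -d "sql:$src" -n "$nick" >/dev/null 2>&1 || {
            echo "CA '$nick' is not in $src/cert9.db" >&2; return 3; }
    fi

    # Keep the destination's current files so the change can be reverted.
    backup="$dst/nss-backup-$(date +%Y%m%d%H%M%S)"
    for f in $NSS_FILES; do
        if [ -f "$dst/$f" ]; then
            mkdir -p "$backup" && cp -p "$dst/$f" "$backup/" || return 1
        fi
    done

    for f in $NSS_FILES; do
        cp -p "$src/$f" "$dst/$f" || return 1
    done
    return 0
}
```

Run it with both Firefox and Zotero closed so neither has the databases open during the copy.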