SSL certificate override Zotero 7

Hi, I need to override the certificate for my WebDAV server.
According to the instructions [1], I need to read the file "cert_override.txt" from Zotero 7.
How can I do this?
I have the "cert_override.txt", but I'm not sure how to read it.

Please help, thanks

Ref.
[1] https://www.zotero.org/support/kb/cert_override
  • The page you linked to explains how to do this. I'm not sure what you're asking beyond that.
  • To be clear, it says Zotero 7 can read a cert_override.txt file from Firefox. The page has all the context for this if you read it carefully.
  • @dstillman, thank you for your reply, yet I do not understand what I should do from the information provided in [1] in reference to Zotero 7; the information is very limited.

    The actions I did:
    A1. Using Firefox 123.0 I generated the "cert_override.txt", but I do not know what to do with it.
    A2. I tried just pasting it into the "Zotero profile directory", but that does not work, for my Zotero 7 is giving me the following error:

    [JavaScript Error: "str is undefined" {file: "chrome://zotero/content/xpcom/utilities/utilities.js" line: 669}

    Questions:
    Q1. Should I paste the "cert_override.txt" somewhere else?
    Q2. So you think the Google Chrome browser is making it not work?

    Thank you for the help you can provide, thanks
  • It showing "str is undefined" is a bug, but it still means that you're getting a certificate error.

    It looks like a cert_override.txt file from a current version of Firefox won't work. You'd have to use Firefox 102 ESR to generate it. This will likely change by the time Zotero 7 is released, but I've updated the documentation for now.

    (You can also just get a free certificate via Let's Encrypt.)
  • I downloaded Firefox 102 ESR from [2].
    I generated the "cert_override.txt" with [2], and pasted it in the Zotero profile directory according to [1].

    Zotero now recognizes my WebDAV server and synchronizes.

    Thank you for the support @dstillman

    Ref.
    [2] https://ftp.mozilla.org/pub/firefox/releases/102.0esr/mac/en-US/
  • edited March 28, 2024
    Yes. That is right. Firefox ESR has to be used, not normal Firefox. My old cert_override.txt contained the letters MU in the 4th column and did not work. My new cert_override.txt contains the letters MUT in the 4th column and works. I don't know what it means, but this is written: «add a “U” (untrusted cert) before “AAAA”. To allow for a hostname mismatch, add “M”.» here: https://www.zotero.org/support/kb/cert_override

    It looks like “T” is needed also.
  • « T : allow errors in the validity time, like expired or not yet valid certs » https://boblord.livejournal.com/18402.html
  • edited 25 days ago
    I apologize in advance for the long message...

    I was struggling with setting up webDAV sync for my desktop and my iPad. I have a Synology NAS on which my library is stored, and I access it with webDAV.
    I used to have a self-signed certificate that worked with both my desktop (accessing it using a local address, 192.168.0.42:5XXX) and my iPad (accessing it using an external DDNS, example.synology.me:5XXX).
    Since Zotero 7 I think, it doesn't sync on my iPad using the external address. I searched around, and it seems that it's because iOS doesn't accept self-signed certificates (anymore?). So I made a new certificate by Let's Encrypt, for my external IP address, and set webDAV to use that certificate. Now it works on my iPad using example.synology.me:5XXX, but it doesn't work anymore on my desktop, which accesses it using 192.168.0.42:5XXX (I can't use example.synology.me on my desktop because my router doesn't redirect self addresses (no "hairpinning")).

    I thought that since I changed the certificate, I just needed to do the override procedure where I access https://192.168.0.42:5XXX with Firefox, and I copy the line in cert_override.txt over to the Zotero profile, as I had done in the past. Except that the format seems to have changed.
    In my Firefox cert_override.txt, I have lines like:
    192.168.0.42:5YYY: OID.A.B.C.D.E... CF:68:2E:...:04:D5
    But in my Zotero cert_override.txt, lines are the way I had set them up before:
    192.168.0.42:5YYY: OID.A.B.C.D.E... CF:68:2E:...:04:D5 MU AAAAA....
    where the AAAAA... serial must correspond to the self-signed certificate I had before.

    And when I copied the new line I get in Firefox (so without the MU and AAAA... strings), it still didn't work.
    I then saw that there is a different procedure for Zotero 7: https://www.zotero.org/support/kb/cert_override
    So I downloaded Firefox 115 ESR, went to https://192.168.0.42:5XXX and accepted the risk, and then copied the cert9.db, key4.db, and pkcs11.txt files from the Firefox profile directory to the Zotero profile directory, as explained. (I was also surprised to see that in cert_override.txt in the FF 115 ESR profile directory, there is no AAAA... serial number.)
    Anyway, it still doesn't work, I get the SSL_ERROR_BAD_CERT_DOMAIN error.

    I tried connecting to webdav using cadaver, and I get this error: WARNING: Untrusted server certificate presented for `example.synology.me':
    Certificate was issued to hostname `examplesynology.me' rather than `192.168.0.42'. So I thought that could be a reason why it doesn't work...

    And then I tried putting back the full line in Zotero cert_override.txt, the way it was before:
    192.168.0.42:5YYY: OID.A.B.C.D.E... CF:68:2E:...:04:D5 MU AAAAA....
    and it finally worked...

    So in the end, the only thing I changed to make it work with the new certificate is the 3 files from FF115ESR.

    So I'm happy it works, but very confused as to how things work:
    - Isn't the serial string AAAAA.... supposed to be specific to each certificate? If yes, why does the connection only work with the serial of the old certificate? Note that in Synology, I still have the previous self-signed certificate, but it's not the one that is "selected" for webDAV. Maybe when I access webdav from the external internet, it uses the new non self-signed certificate, but when I access it through the local network, it uses the old self-signed certificate?
    - Why doesn't the new version of Firefox display the serial string as in the previous versions? Is it now all hidden in the cert9.db, key4.db, and pkcs11.txt?
    - Since it seems to require the proper line in cert_override.txt, and it was there because I had put it there in the past, how would it work with a fresh version of Zotero? Would the 3 files be enough?
    - Why do I need to override the certificate if it's not self-signed, is it because of what cadaver told me, that there is a name mismatch, and so I need to override it?

    Thank you for your eternal patience, I really appreciate all the efforts you put in to make Zotero the great software that it is!
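
The posts above quote cert_override.txt lines in two layouts (with and without the flags column and the AAAA... key) and give meanings for the U, M and T flags. The following Python is an added example, not part of any post and not Zotero or Firefox code: it lists each override entry and the certificate errors it suppresses, which is useful when reviewing what a profile has been told to ignore. The whitespace-separated field layout is inferred from the lines quoted in this thread, the function names are hypothetical, and the sample data is constructed.

```python
# Added example, not Zotero or Firefox code. Field layout is assumed from the
# lines quoted in this thread; flag meanings are the ones quoted in it.
FLAG_MEANINGS = {
    "U": "untrusted cert",
    "M": "hostname mismatch",
    "T": "errors in the validity time (expired or not yet valid)",
}

# Constructed sample: one line with flags and key, one without either.
SAMPLE = (
    "# PSM Certificate Override Settings file\n"
    "192.168.0.42:5443\tOID.2.16.840.1.101.3.4.2.1\tAA:BB:CC:DD\tMUT\tAAAAplaceholder\n"
    "192.168.0.42:5444:\tOID.2.16.840.1.101.3.4.2.1\tAA:BB:CC:DD\t\n"
)

def parse_override_line(line):
    """Parse one entry; return None for blank lines and '#' comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"expected at least 3 fields, got {len(fields)}: {line!r}")
    entry = {
        # The flag-less layout ends host:port with an extra ':' in this thread.
        "host_port": fields[0].rstrip(":"),
        "hash_oid": fields[1],
        "fingerprint": fields[2],
        "flags": fields[3] if len(fields) >= 4 else None,
        "db_key": fields[4] if len(fields) >= 5 else None,
    }
    # Decode each flag letter; anything outside U/M/T is reported, not dropped.
    entry["suppresses"] = [
        FLAG_MEANINGS.get(f, f"unknown flag {f!r}") for f in (entry["flags"] or "")
    ]
    return entry

def audit(text):
    """Return parsed entries for every override line in the file text."""
    return [e for e in map(parse_override_line, text.splitlines()) if e]

if __name__ == "__main__":
    for e in audit(SAMPLE):
        what = ", ".join(e["suppresses"]) or "no flags field (flag-less layout)"
        print(f'{e["host_port"]}: {what}')
```
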