[Zotero 7 Beta] WebDAV Won't Recognize Custom Certificate Authority

I recently started using Zotero, specifically the 7 Beta, on my Fedora 40 KDE Plasma computer. I downloaded it from the website, not the flatpak, and it has worked great so far. However, I am trying to sync it to my Nextcloud instance using WebDAV, and I keep getting the error "SEC_ERROR_UNKNOWN_ISSUER".

According to https://www.zotero.org/support/kb/cert_override, it should simply recognize any authorities saved on my computer. I followed the information provided here https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/ in order to do this, and have confirmed that my custom CA is in fact trusted by running the command "trust list". After that, I restarted my whole computer as well as Zotero individually. Regardless, the error persists.

I have also tried following the directions for Zotero 6 (while still on the Zotero beta), by obtaining the cert9.db, key4.db, and pkcs11.txt files from a Firefox ESR profile, Firefox version 125.0.3 (again, non-flatpak). When I brought them into the Zotero folder, it signed me out, but when I signed back in and tried again the error persisted.

Is there any potential solution I should be trying, or might this be a bug with Zotero 7?
  • Can you load the WebDAV URL from a new (not existing) profile in Firefox?

    Because it could also be this (see "Technical Details"):

    https://www.zotero.org/support/kb/incomplete_cert_chain
  • When I do so, without touching any of the settings of the new firefox profile in any way, it prompts me for the username and password. I logged in with the same credentials I use in the Zotero app, and it then brings me to a pure white page with the text "This is the WebDAV interface. It can only be accessed by WebDAV clients such as the Nextcloud desktop sync client."
  • If you remove the custom CA from the system trust store, restart, and try in a new Firefox profile, do you start getting the error?
  • Just tried that, but still no luck. I removed it from my system, double checked the list of trusted certificates to make sure I did so correctly and it was gone, restarted my computer fully, double checked the trusted certificates list again to make sure restarting didn't somehow magically re-add it, manually added it back in again, checked the list to make sure I added it correctly, then opened Zotero and tried syncing, but no luck.

    I also, to make sure nothing was broken about the .crt file, re-obtained the original .pem file I was given, then followed the advice here https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key to once again re-create the .crt file. Then I went through the process to trust it again, restarted Zotero, and tried again, but still no luck.
  • My question was about Firefox, not Zotero.
  • My apologies, I missed that.

    I removed the CA, verified it worked, restarted, made yet another fresh Firefox profile, and attempted to visit the WebDAV link. When I do that, it gives me the “Potential Security Risk Ahead” page, then allows me to log in if I click “Accept the Risk and Continue.”

    I then tried closing the Firefox profile, re-adding the CA, verifying it was successful, creating another new Firefox profile, and re-visiting the WebDAV website, and it immediately worked, prompting me for my login. At that stage I closed and re-opened Zotero, tried the sync button, and the error is still there.

  • If you go to the Config Editor in the Advanced section of the settings and search for security.enterprise_roots.enabled, is it set to true?
  • In Zotero, yes, it is set to true. I tried setting it to false, restarting Zotero, and trying to sync, and it gave the same error. I then tried setting it back to true, restarting Zotero, and trying to sync yet again, and it still gives the same error in that case too. (After restarting each time, I also double-checked the config editor before attempting to sync to ensure my change remained.)

    I also created a new Firefox profile and checked about:config, it is also set to true there.
  • OK, we'll investigate — thanks.
  • edited May 8, 2024
    Actually, our documentation just seems to be wrong here — Mozilla's documentation suggests that security.enterprise_roots.enabled only works on macOS and Windows.

    Is this a personal system, or does your Firefox installation have an enterprise policy with the ImportEnterpriseRoots key mentioned on that page?
    > I have also tried following the directions for zotero 6 (while still on the zotero beta), by obtaining the cert9.db, key4.db, and pkcs11.txt files from a Firefox ESR profile, firefox version 125.0.3 (again, non-flatpak).
    To be clear, Firefox ESR (currently) means Firefox 115, not 125. But you'd have to 1) remove the CA from the system store, 2) add the CA to a Firefox 115 profile manually so that it can connect without an error, and then 3) copy those three files (which would then contain the CA) to the Zotero profile.
  • edited May 8, 2024
    > Mozilla's documentation suggests that security.enterprise_roots.enabled only works on macOS and Windows
    Well, and it's worth testing this. With the CA installed in the system trust store, if you disable that pref (and probably also security.certerrors.mitm.auto_enable_enterprise_roots) in a new Firefox profile and restart Firefox, does it still connect without a warning? If so, then something other than that pref is causing it to use the system store.
  • Also, to be clear, you're testing with the official Firefox tarball? You should do all testing with the Firefox 115 tarball from Mozilla, since that's what Zotero is based on.
  • edited May 8, 2024
    OK, yeah, so to be clear, if you're using a Fedora version of Firefox, that's likely going to be configured to use your system CA store, whereas (at least as of 5 years ago) the official Mozilla tarball isn't:

    https://bugzilla.mozilla.org/show_bug.cgi?id=1600509#c4

    Unless you're using the official tarball, you can ignore my questions above, since it'd be clear why this was working in Firefox with the system store.

    We could look into setting the ImportEnterpriseRoots policy by default on Linux, which should allow Zotero to look in the Mozilla folders specified here:

    https://wiki.mozilla.org/CA/AddRootToFirefox#Import_via_Policy

    That would be separate from the system store, but it would be easier to set up than copying over files from a Firefox profile.
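    The three-step workaround described earlier in this thread (add the CA to a Firefox 115 profile, confirm it is in the NSS database, copy cert9.db/key4.db/pkcs11.txt into the Zotero profile), the ImportEnterpriseRoots policy file mentioned just above, and the incomplete-chain check from the linked KB page, collected as an added shell example. This is not Zotero's or Mozilla's code; it assumes `certutil` from the nss-tools package, `trust` from p11-kit, and `openssl` are available for the functions that use them, the profile and policy paths passed in are the caller's own, and the CA nickname is arbitrary.

```shell
#!/bin/sh
# Added example (not from the thread, Zotero or Mozilla). All paths,
# nicknames and the certificate file are assumptions supplied by the caller.
set -eu

NSS_FILES="cert9.db key4.db pkcs11.txt"

# Returns 0 if a Firefox/Zotero profile directory holds the three NSS
# database files that the "copy the cert database" workaround relies on.
profile_has_nss_db() {
    dir="$1"
    for f in $NSS_FILES; do
        [ -f "$dir/$f" ] || return 1
    done
    return 0
}

# Step 2 of the workaround: import a CA into a profile's NSS database.
# Trust flag "C,," marks it a trusted CA for SSL server certificates only.
import_ca_into_profile() {
    dir="$1"; cert="$2"; nick="${3:-Custom Root CA}"
    command -v certutil >/dev/null 2>&1 || { echo "certutil (nss-tools) not installed" >&2; return 2; }
    certutil -A -d "sql:$dir" -n "$nick" -t "C,," -i "$cert"
}

# Confirm the CA actually landed in the database before copying files around.
list_profile_cas() {
    certutil -L -d "sql:$1"
}

# Step 3: copy the NSS database from a Firefox profile into the Zotero
# profile, keeping a .bak of anything already there.
copy_nss_db_to_zotero() {
    src="$1"; dst="$2"
    profile_has_nss_db "$src" || { echo "source profile lacks $NSS_FILES" >&2; return 1; }
    mkdir -p "$dst"
    for f in $NSS_FILES; do
        if [ -f "$dst/$f" ]; then cp "$dst/$f" "$dst/$f.bak"; fi
        cp "$src/$f" "$dst/$f"
    done
}

# Write a Firefox enterprise policy enabling ImportEnterpriseRoots. On Linux
# Firefox reads <install dir>/distribution/policies.json; pass that path.
write_enterprise_roots_policy() {
    out="$1"
    mkdir -p "$(dirname "$out")"
    cat > "$out" <<'EOF'
{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true
    }
  }
}
EOF
}

# Is a CA with this label an anchor in the shared system store ("trust list")?
ca_in_system_store() {
    command -v trust >/dev/null 2>&1 || { echo "p11-kit trust tool not installed" >&2; return 2; }
    trust list | grep -Fq "label: $1"
}

# Incomplete-chain check from the KB page: count certificates the server
# sends. A count of 1 means only the leaf is served, so no client can
# build the chain unless it already holds the intermediate.
served_chain_length() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
```

    Typical order of use: `import_ca_into_profile ~/.mozilla/firefox/<esr-profile> ca.pem`, `list_profile_cas` on that profile to verify the nickname appears, then `copy_nss_db_to_zotero` into the Zotero profile directory with Zotero closed. `served_chain_length` against the Nextcloud host distinguishes a missing intermediate from a missing trust anchor, which matters because the two produce similar errors.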
  • My apologies for my delayed response, and thank you so much for all of your help with this.

    All testing I have done up until this point was with the Fedora version of Firefox — my apologies for not having explicitly stated that sooner. In addition, this is on a personal system where I installed Fedora myself, so there should be no enterprise policy on it.

    I have now downloaded Firefox ESR 115.10.0 from the Mozilla website, https://www.mozilla.org/en-US/firefox/115.2.0/releasenotes/ and successfully ran it, confirming in about:support that I was on the correct version. I also checked about:profiles, and while this version of Firefox ESR shared the list of profiles with my normal Fedora Firefox, it did auto-create a new profile, so all the testing I am now doing in it is in fact separated.

    In Firefox ESR, I went to about:config. The setting security.enterprise_roots.enabled was already set to false by default. security.certerrors.mitm.auto_enable_enterprise_roots was set to true by default, so I changed it to false and restarted. I then verified in about:config that both permissions were still false. When I went to the WebDAV link, it showed me the security risk ahead warning, so to my understanding, you were completely correct. Firefox was getting it from my system CA store.

    > We could look into setting the ImportEnterpriseRoots policy by default on Linux, which should allow Zotero to look in the Mozilla folders specified here:

    Just making sure I didn't misunderstand, was this a recommendation for something I could do, or something you were commenting might be good for future versions of Zotero as a whole? I did follow the link and read through it, but my apologies, I didn't fully follow.

    Regardless, I tried importing the certificate into the automatically created profile in Firefox ESR (the Mozilla official tarball) and once again tried copying the cert9.db, key4.db, and pkcs11.txt files from the profile into Zotero and… I am happy to say that after a restart, it finally worked. All of my files have synced into Nextcloud, I have fully restarted my computer to ensure that the connection is stable, and it is. Thank you so much for spending time out of (several) days to help me with this.

    In addition, assuming I am correct about whose account this is based on the name, thank you so much for all of your work on Zotero. Despite the single issue I came into this forum with, it has been an otherwise flawless experience, and it has already saved me so much time. I also deeply appreciate the choice to make it open source, with an option to self-host through WebDAV.
  • OK, so that all checks out — Fedora Firefox was using the system CA store, and manually importing the certificate into official Firefox and copying the cert/key files to Zotero makes it work. I've updated our documentation to clarify that copying those files is currently necessary for all versions of Zotero on Linux.
    > Just making sure I didn't misunderstand, was this a recommendation for something I could do, or something you were commenting might be good for future versions of Zotero as a whole?
    For future versions of Zotero.