Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 325723 - www-client/mozilla-firefox-3.6.3 doesn't use ca-certificates installed files to check CAs
Summary: www-client/mozilla-firefox-3.6.3 doesn't use ca-certificates installed files ...
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
: High normal (vote)
Assignee: Gentoo Linux bug wranglers
Depends on:
Reported: 2010-06-26 16:45 UTC by Nuno Silva
Modified: 2010-08-06 22:06 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Nuno Silva 2010-06-26 16:45:45 UTC
When browsing HTTPS websites which have certificates trusted by the root certificates included in app-misc/ca-certificates, Firefox does not trust sites which are not trusted by a certificate on its own certificate store.

Reproducible: Always

Steps to Reproduce:
1. Make sure the existing Firefox store was not changed to trust (i.e. use the one provided by default)
2. Browse

Actual Results:  
Although has a certificate certified by CAcert, which certificate is included in ca-certificates, Firefox does not recognize the certificate as valid.

Expected Results:  
Firefox should have checked the system certificate store for the root certificate.

The same kind of issue was reported about konqueror (see bug 297165).
Comment 1 Jory A. Pratt gentoo-dev 2010-06-28 13:23:54 UTC
This comes down to nss, we would need to create a seperate db from all the ca-certs to use with nss in order to have this working. At the moment this requires more time then most of us can spare.
Comment 2 rhywek 2010-08-06 10:02:13 UTC
I have the same issue. Since it looks like gentoo devs won't fix it, I suggest the following workaround:

Navigate to:

Firefox will install the certificate. Note that this workaround is far from ideal. It only satisfies Firefox for your user. If you have more users and browsers, you will have to do a lot of certificate installation. Not to mention some other tools and packages that use SSL.
Comment 3 Nuno Silva 2010-08-06 22:06:15 UTC
There's no need to browse the web to get the certificate. It should be already on your system at 


If it isn't, you just need to emerge ca-certificates to get it. (It's not wrong to download it again, I just mean it's already there if you need it.)

I don't know which other browsers are affected, it depends on how browsers store and use certificates (lynx, e.g., does the right thing and is able to trust over https; konqueror had this issue but it is fixed now (see bug  297165)). 

If you find this issue in other browsers, IMHO the best is to file a bug against those browsers (unless it's a Gecko-based browser (like browsers from Mozilla) -- for those opening a bug against nss or changing this bug to blame nss instad of Firefox would do it).

Please note this does not affect every tool that uses SSL, it just affects tools which use SSL but which don't use the system store.

With Firefox, as Jory said, this is a nss issue (that's the library which handles SSL certificates in Firefox). We need to make, as he said, a custom db with the extra certificates on it. We could also change nss so that it also allows to read certificates from folders (with no need to keep two independent dbs).