Bug 325723 - www-client/mozilla-firefox-3.6.3 doesn't use ca-certificates installed files to check CAs
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: High normal
Assignee: Gentoo Linux bug wranglers
URL: https://forums.gentoo.org/viewtopic-p...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-06-26 16:45 UTC by Nuno Silva
Modified: 2010-08-06 22:06 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Nuno Silva 2010-06-26 16:45:45 UTC
When browsing HTTPS websites whose certificates are trusted by the root certificates included in app-misc/ca-certificates, Firefox does not trust sites whose certificates are not trusted by a certificate in its own certificate store.

Reproducible: Always

Steps to Reproduce:
1. Make sure the existing Firefox store was not changed to trust bugs.gentoo.org (i.e. use the one provided by default)
2. Browse https://bugs.gentoo.org/

Actual Results:  
Although bugs.gentoo.org has a certificate certified by CAcert, whose certificate is included in ca-certificates, Firefox does not recognize the certificate as valid.

Expected Results:  
Firefox should have checked the system certificate store for the root certificate.

The same kind of issue was reported about konqueror (see bug 297165).
Comment 1 Jory A. Pratt gentoo-dev 2010-06-28 13:23:54 UTC
This comes down to nss; we would need to create a separate db from all the ca-certs to use with nss in order to have this working. At the moment this requires more time than most of us can spare.
Comment 2 rhywek 2010-08-06 10:02:13 UTC
I have the same issue. Since it looks like gentoo devs won't fix it, I suggest the following workaround:

Navigate to:
http://www.cacert.org/ca.crt

Firefox will install the certificate. Note that this workaround is far from ideal. It only satisfies Firefox for your user. If you have more users and browsers, you will have to do a lot of certificate installation. Not to mention some other tools and packages that use SSL.
Comment 3 Nuno Silva 2010-08-06 22:06:15 UTC
There's no need to browse the web to get the certificate. It should be already on your system at 

  /usr/share/ca-certificates/cacert.org/cacert.org.crt

If it isn't, you just need to emerge ca-certificates to get it. (It's not wrong to download it again, I just mean it's already there if you need it.)

I don't know which other browsers are affected; it depends on how browsers store and use certificates (lynx, e.g., does the right thing and is able to trust bugs.gentoo.org over https; konqueror had this issue but it is fixed now (see bug 297165)).

If you find this issue in other browsers, IMHO the best is to file a bug against those browsers (unless it's a Gecko-based browser (like browsers from Mozilla) -- for those, opening a bug against nss or changing this bug to blame nss instead of Firefox would do it).

Please note this does not affect every tool that uses SSL, it just affects tools which use SSL but which don't use the system store.

With Firefox, as Jory said, this is an nss issue (that's the library which handles SSL certificates in Firefox). We need to make, as he said, a custom db with the extra certificates in it. We could also change nss so that it can also read certificates from directories (with no need to keep two independent dbs).
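The "separate db" that Comment 1 and Comment 3 describe can be built with nss's own certutil tool. The script below is an added example for this bug, not code from the report, from nss or from Gentoo's packaging. It assumes certutil (dev-libs/nss) is installed, that the CA files are PEM *.crt files under /usr/share/ca-certificates (overridable via CA_DIR), and that the target database directory is writable; the sample paths in the usage comment are hypothetical. Pointed at a Firefox profile with the dbm: prefix (the cert8.db format Firefox 3.6 profiles use), it also performs the per-user import from Comment 2/3 without browsing to cacert.org, using the copy already installed on the system; Firefox must be closed while its profile db is modified.

```shell
#!/bin/sh
# Build an NSS certificate database from the app-misc/ca-certificates tree.
# Added example for this bug; not code from the report, from NSS or from
# Gentoo's packaging.  Assumes: certutil (dev-libs/nss) is installed, the
# CA files are PEM "*.crt" files under CA_DIR, and the target database
# directory is writable (paths in the usage comment are hypothetical).

CA_DIR="${CA_DIR:-/usr/share/ca-certificates}"

# nickname_for RELPATH: derive a stable certutil nickname from the file's
# path relative to CA_DIR, e.g. "cacert.org/cacert.org.crt" becomes
# "cacert.org_cacert.org".  Keeping the directory avoids collisions between
# same-named files in different subdirectories.
nickname_for() {
    rel="${1%.crt}"
    printf '%s\n' "$rel" | tr '/' '_'
}

# count_ca_files DIR: number of *.crt files below DIR (what the import will try).
count_ca_files() {
    find "$1" -type f -name '*.crt' | wc -l | tr -d ' '
}

# ensure_db DBSPEC: create an empty-password database if none exists yet.
# DBSPEC may carry a type prefix: "sql:/dir" (cert9.db, the modern default)
# or "dbm:/dir" (cert8.db/key3.db, the format Firefox 3.6 profiles use).
ensure_db() {
    dir="${1#*:}"
    if [ ! -e "$dir/cert8.db" ] && [ ! -e "$dir/cert9.db" ]; then
        mkdir -p "$dir"
        pw=$(mktemp); : > "$pw"          # empty password file
        certutil -N -d "$1" -f "$pw"
        rm -f "$pw"
    fi
}

# import_ca_tree DBSPEC [CADIR]: import every *.crt as a trusted SSL CA.
# Trust flags "C,,": may issue server certificates; NOT trusted for e-mail
# or code signing, which is all a web browser needs from these roots.
# Prints the number of certificates imported; failures go to stderr.
import_ca_tree() {
    db="$1"; cadir="${2:-$CA_DIR}"
    ensure_db "$db"
    list=$(mktemp)
    find "$cadir" -type f -name '*.crt' | sort > "$list"
    n=0
    while IFS= read -r f; do
        nick=$(nickname_for "${f#"$cadir"/}")
        # -a: PEM (ASCII) input; -i: file; -n: nickname; -t: trust flags
        if certutil -A -d "$db" -n "$nick" -t "C,," -a -i "$f" >/dev/null 2>&1; then
            n=$((n + 1))
        else
            echo "import failed: $f" >&2
        fi
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# Usage (only when run with arguments, so the file can also be sourced):
#   sh build-nssdb.sh sql:/etc/pki/nssdb                        # shared db
#   sh build-nssdb.sh dbm:$HOME/.mozilla/firefox/xxxx.default   # one profile;
#                                                               # close Firefox first
if [ $# -ge 1 ]; then
    import_ca_tree "$@"
fi
```

After the import, `certutil -L -d <DBSPEC>` lists the nicknames with their trust flags, which is the check to run before expecting Firefox to accept bugs.gentoo.org. The "C,," choice is deliberate: the system bundle is a set of SSL roots, and granting them e-mail or object-signing trust as well would widen what these CAs can vouch for inside the browser.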