Bug 45864 - Import ucsCA certificate into Firefox profile
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: General
UCS 4.2
Other Linux
: P5 normal
: UCS 4.3
Assigned To: Jürn Brodersen
Philipp Hahn
https://wiki.mozilla.org/CA:AddRootTo...
: interim-3
Depends on: 28586 45863
Blocks:
Reported: 2017-12-12 18:37 CET by Philipp Hahn
Modified: 2018-03-14 14:37 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Philipp Hahn univentionstaff 2017-12-12 18:37:35 CET
This is a pain for each technical training, as SSO does not work out-of-the-box.

(In reply to Felix Botner from comment #6)
> You can import a certificate with
> 
> certutil -A -n "Univention Corporate Server Root CA (ID=UE3v6YLl)" \
>  -t "CT,C,C" -i /etc/univention/ssl/ucsCA/CAcert.pem \
>  -d /root/.mozilla/firefox/gqxg88b8.default/
> 
> but only into an existing profile. It is not clear how to give Firefox
> defaults for users here, and the whole thing only makes sense if that
> were somehow possible for the certificate.

See <https://wiki.mozilla.org/CA:AddRootToFirefox#AutoConfig_via_JavaScript>

This works:

cat >/etc/firefox-esr/mozilla.cfg <<__CFG__
// required comment in first line
var Cc = Components.classes;
var Ci = Components.interfaces;
var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
var certdb2 = certdb;
try {
   certdb2 = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB2);
} catch (e) {}
cert = "$(grep -v -e ^- /etc/univention/ssl/ucsCA/CAcert.pem | tr -d '\n')";
certdb.addCertFromBase64(cert, "C,C,C", "");
__CFG__

cat >/etc/firefox-esr/0univention.js <<__CFG__
// required comment in first line
pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg"); # Required until Bug #45863 gets fixed
__CFG__

ln -s /etc/firefox-esr/mozilla.cfg /usr/lib/firefox-esr/mozilla.cfg
# If Bug #45863 is fixed:
ucr set firefox/prefs/conffile=mozilla.cfg
ln -snf pref/firefox-esr.js /etc/firefox-esr/univention.js


Task #9484: UCS Technical Training 2017-12-1[23]
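
The snippet in the description interpolates the output of `grep -v -e ^-` into a JavaScript string in mozilla.cfg, so any text dump preceding the PEM block, a second certificate, or a stray quote in the file would end up in the AutoConfig script. The following is an added example, not part of the original report or of the UCS package: it validates the PEM file before generating the file. The function names `pem_body`, `write_autoconfig` and `sample_pem` are hypothetical, and the sample inputs are constructed, not real certificates.

```sh
#!/bin/sh
# pem_body FILE: print the base64 body of the single certificate in FILE.
pem_body() {
    # A bundle or an empty file must not be imported as "the" CA.
    count=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$1") || true
    if [ "$count" != 1 ]; then
        echo "expected 1 certificate, found ${count:-none}" >&2
        return 1
    fi
    # Keep only the lines between the armor lines. Unlike "grep -v ^-", this
    # also drops a text dump that precedes the block.
    body=$(sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" |
        grep -v -e '^-----' | tr -d ' \r\n')
    # The body is interpolated into a JavaScript string literal in
    # mozilla.cfg, so accept base64 characters only.
    if [ -z "$body" ] || printf '%s' "$body" | LC_ALL=C grep -q '[^A-Za-z0-9+/=]'; then
        echo "certificate body is not plain base64" >&2
        return 1
    fi
    printf '%s\n' "$body"
}

# write_autoconfig PEM OUT: write the AutoConfig file only if PEM validates.
write_autoconfig() {
    cert=$(pem_body "$1") || return 1
    cat >"$2" <<__CFG__
// required comment in first line
var certdb = Components.classes["@mozilla.org/security/x509certdb;1"]
    .getService(Components.interfaces.nsIX509CertDB);
certdb.addCertFromBase64("$cert", "C,C,C", "");
__CFG__
}

# sample_pem DIR: write constructed inputs (not real certificates) to DIR.
sample_pem() {
    printf '%s\n' 'Certificate:' '    Data: (text dump)' \
        '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQg' 'U0FNUExFIEJPRFk=' \
        '-----END CERTIFICATE-----' >"$1/good.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'not "base64" text' \
        '-----END CERTIFICATE-----' >"$1/bad.pem"
}
```
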
Comment 1 Jürn Brodersen univentionstaff 2018-03-02 15:07:19 CET
[4.3-0 463d387074] Bug #45864: import ucsCA and configure firefox for saml kerberos
[4.3-0 fbd642267e] Bug #45864: Merge branch 'juern/45864_import_ucsCA' into 4.3-0
Comment 2 Philipp Hahn univentionstaff 2018-03-05 15:38:08 CET
OK: 463d387074

OK: apt install univention-mozilla-firefox
OK: univention-upgrade
OK: kinit Administrator && firefox https://$(hostname -f)/
OK: about:preferences#advanced

OK: changelog-4.3-0

Excellent ;-)
Comment 3 Stefan Gohmann univentionstaff 2018-03-14 14:37:50 CET
UCS 4.3 has been released:
 https://docs.software-univention.de/release-notes-4.3-0-en.html
 https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".