    Unable to import CA

      adam2222

      Hello,

      I generated a CA certificate, then keys and so on. Made it work without any issues on one PC with Linux Mint 19.1.
      Works on all browsers - Vivaldi, Firefox, Chrome, Chromium. Chrome is version 77.0.3865.78

      On the other laptop, it only works in Firefox. I can't import the CA to any Chrome-based browser. The GUI itself only says "Unknown error"; there is, however, a little error in the log:

      [11312:11312:1014/134704.139969:ERROR:nsNSSCertificateDB.cpp(89)] PK11_ImportCert failed with error -8168
      

      Taken from vivaldi-snapshot

      Vivaldi	2.9.1675.11 (Official Build) snapshot (64-bit)
      Revision	802bcf2c17d188383d36e2aa44b3ed61c82ec66c
      OS	Linux
      JavaScript	V8 7.7.299.11
      Flash	32.0.0.270 /home/xx/.config/google-chrome/PepperFlash/32.0.0.270/libpepflashplayer.so
      User Agent	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.93 Safari/537.36 Vivaldi/2.9.1675.11
      Command Line	/usr/bin/vivaldi-snapshot --flag-switches-begin --flag-switches-end --save-page-as-mhtml
      Executable Path	/opt/vivaldi-snapshot/vivaldi-snapshot
      Profile Path	/home/xx/.config/vivaldi-snapshot/Default
      

      The error is the same throughout the browsers I tried - vivaldi, chrome, vivaldi-snapshot.
      Chrome is Version 71.0.3578.98 (Official Build) (64-bit)
      Linux Mint 19.

      Any idea what could be wrong? How can I troubleshoot further/workaround?

      Thanks,
      Adam

      adam2222

      Hi,
      I used the same steps for importing the CA. I did exactly how you are describing it.
      I also tried using the 'wrong' way of importing. I tried to import the CA as a certificate and as a server cert. In both of those, there was an error message saying that it is not possible to import a CA as a certificate - so that's correct and the error message is correct and very precise.

      If the format was incorrect - would it import on the other computer? It's the same file and the same browser. Just maybe not the very same build.

      I created CA by following this guide: https://fabianlee.org/2018/02/17/ubuntu-creating-a-trusted-ca-and-san-certificate-using-openssl-on-ubuntu/

      openssl req -new -x509 -subj "/CN=myca" -extensions v3_ca -days 3650 -key ca.key.pem -sha256 -out ca.pem -config $prefix.cnf
      

      Resulting in a file named 'ca.pem'

      Just for the sake of it, I just checked the md5sum of the file on both computers - it is the same.

      adam2222

      Hi,

      Can you advise what software I am looking for? What libs etc.?

      adam2222

      Hi,

      Validation is done without errors

      openssl x509 -in ca.pem -text -noout
      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number:
                  b4:8e:f9:8f:9d:4f:0d:46
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: CN = REDACTED.com.pl
              Validity
                  Not Before: Oct 11 18:24:15 2019 GMT
                  Not After : Oct  8 18:24:15 2029 GMT
              Subject: CN = REDACTED.com.pl
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                      RSA Public-Key: (2048 bit)
                      Modulus:
      (...)
      

      I tried using the command line utility.
      That's before:

      certutil -d sql:$HOME/.pki/nssdb -L
      
      Certificate Nickname                                         Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI
      
      

      That's after:

      certutil -d sql:$HOME/.pki/nssdb -L
      
      Certificate Nickname                                         Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI
      
      REDACTED.com.pl                                                 P,,  
      
      

      I checked on the other machine and the attributes were different so I changed that also to look like:

      certutil -d sql:$HOME/.pki/nssdb -L
      
      Certificate Nickname                                         Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI
      
      REDACTED.com.pl                                                 CT,C,C
      
      

      In both scenarios, no errors from certutil but neither browser has the CA on the list, and CA is still not recognized.

      The system that it works on has

      root@naven-GV72-8RC:/home/naven# dpkg -l openssl*  |grep ii
      ii  openssl           1.1.1-1ubuntu2.1~18.04.4 amd64        Secure Sockets Layer toolkit - cryptographic utility
      root@naven-GV72-8RC:/home/naven# uname -a
      Linux naven-GV72-8RC 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
      root@naven-GV72-8RC:/home/naven#  cat /etc/os-release
      NAME="Linux Mint"
      VERSION="19.1 (Tessa)"
      ID=linuxmint
      ID_LIKE=ubuntu
      PRETTY_NAME="Linux Mint 19.1"
      VERSION_ID="19.1"
      HOME_URL="https://www.linuxmint.com/"
      SUPPORT_URL="https://forums.ubuntu.com/"
      BUG_REPORT_URL="http://linuxmint-troubleshooting-guide.readthedocs.io/en/latest/"
      PRIVACY_POLICY_URL="https://www.linuxmint.com/"
      VERSION_CODENAME=tessa
      UBUNTU_CODENAME=bionic
      
      

      Problematic system:

      # dpkg -l openssl*  |grep ii
      ii  openssl           1.1.1-1ubuntu2.1~18.04.4 amd64        Secure Sockets Layer toolkit - cryptographic utility
      
      # uname -a
      Linux ul001613 4.15.0-48-generic #51-Ubuntu SMP Wed Apr 3 08:28:49 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
      
      # cat /etc/os-release
      NAME="Linux Mint"
      VERSION="19 (Tara)"
      ID=linuxmint
      ID_LIKE=ubuntu
      PRETTY_NAME="Linux Mint 19"
      VERSION_ID="19"
      HOME_URL="https://www.linuxmint.com/"
      SUPPORT_URL="https://forums.ubuntu.com/"
      BUG_REPORT_URL="http://linuxmint-troubleshooting-guide.readthedocs.io/en/latest/"
      PRIVACY_POLICY_URL="https://www.linuxmint.com/"
      VERSION_CODENAME=tara
      UBUNTU_CODENAME=bionic
      

      Perhaps this is some permissions problem? Where are those CAs stored?

      adam2222

      The problem is that even though the cert was imported using certutil, it still is not visible in the authorities list in the browser and needless to say the CA is not recognized by Vivaldi.

      adam2222

      I cut the output, used (...)
      I don't fully understand how SSL works so I cut out the 'random' parts for safety.

      Below is full output without any modifications.
      Keep in mind that this website from external POV is using letsencrypt.

      openssl x509 -in ca.pem -text -noout
      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number:
                  b4:8e:f9:8f:9d:4f:0d:46
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: CN = naven.com.pl
              Validity
                  Not Before: Oct 11 18:24:15 2019 GMT
                  Not After : Oct  8 18:24:15 2029 GMT
              Subject: CN = naven.com.pl
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                      RSA Public-Key: (2048 bit)
                      Modulus:
                         x
                      Exponent: 65537 (0x10001)
              X509v3 extensions:
                  X509v3 Subject Key Identifier: 
                     C8:D9:CA:2E:66:8B:21:13:40:15:BB:D2:C8:84:A0:BD:AD:CF:20:CA
                  X509v3 Authority Key Identifier: 
                      keyid:A8:D9:CD:2E:66:1B:87:63:40:15:BB:D2:C8:84:C0:BD:AC:CF:20:CB
      
                  X509v3 Basic Constraints: critical
                      CA:TRUE, pathlen:3
                  X509v3 Key Usage: critical
                      Certificate Sign, CRL Sign
                  Netscape Cert Type: 
                      SSL CA, S/MIME CA
          Signature Algorithm: sha256WithRSAEncryption
      x
      
      

      adam2222

      Hi,

      Good news.

      I actually didn't notice you giving me the location of the certs earlier. I compared it now and found the fault.

      The issue was in permissions. I had

      ls -lah /home/username/ | grep pki
      drw-r--r--  3 username username 4.0K Apr 27  2017 .pki
      

      I did

      chmod -R 700 /home/username/.pki/
      ls -lah /home/username/ | grep pki
      drwx------  3 username username 4.0K Apr 27  2017 .pki
      
      

      Which fixed the issue.

      Thank you for the thorough investigation.

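The cause found in the last post, a .pki directory whose owner has no execute (traverse) bit, can be checked for directly. The script below is an added example, not part of the original thread: the function names are illustrative, the default path is the $HOME/.pki store shown in the certutil commands above, and the repair sets directories to 700 and regular files to 600 instead of applying 700 to everything.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.
# Default path is the per-user NSS store location used in the thread.

# Print the 10-character mode string of a path, e.g. drwx------.
mode_of() {
    ls -ld -- "$1" 2>/dev/null | cut -c1-10
}

# Check that the store directories give the owner read, write and traverse.
# Returns 0 if fine, 1 if a directory has the wrong owner bits,
# 2 if a directory is missing or cannot be inspected.
check_nss_dirs() {
    pki=${1:-$HOME/.pki}
    for d in "$pki" "$pki/nssdb"; do
        m=$(mode_of "$d")
        case $m in
            drw[xs]*) ;;  # owner has r, w and x (traverse)
            d*) echo "owner lacks rwx on $d ($m)"; return 1 ;;
            *)  echo "missing or not a directory: $d"; return 2 ;;
        esac
    done
    return 0
}

# Repair: directories 700, regular files 600. The top level is fixed first
# so that find can descend into it when run as the unprivileged owner.
repair_nss_dirs() {
    pki=${1:-$HOME/.pki}
    [ -d "$pki" ] || return 2
    chmod 700 "$pki" || return 1
    find "$pki" -type d -exec chmod 700 {} \; &&
        find "$pki" -type f -exec chmod 600 {} +
}

# Usage: check_nss_dirs || repair_nss_dirs
```

The check stops at the first bad directory because nothing below a directory without the traverse bit can be inspected by its owner.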