Certificate validation broken in all electron/chromium apps and browsers

fneddy · November 8, 2021, 12:14pm

Hi,

i run in an ERR_CERT_AUTHORITY_INVALID with all electron based applications.
i tried slack element-desktop vscode.

environment: I use nix on Fedora 35
steps: nix-shell -p slack element-desktop vscode opsenssl cacert nss
error: all applications deny network access due to ERR_CERT_AUTHORITY_INVALID

EDIT:

i tried nix-shell -p chromium and with this chromium browser i also get NET::ERR_CERT_AUTHORITY_INVALID for every website.

hmenke · November 8, 2021, 2:48pm

At least Chromium uses its own certificate database which is stored in ~/.pki. Maybe try deleting this folder.

fneddy · November 8, 2021, 2:59pm

ok, tried to remove ~/.pki and rerun chromium results in the same. also tried google-chrome which gives the same error. certutil shows that nssdb is empty after delete and rerun chrome/chromium/firefox

eddy:~$ nix-shell -p nssTools

[nix-shell:~]$ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI


[nix-shell:~]$

every browser installed with nix-shell also doesn’t work.

EDIT1: added certutil output
EDIT2: added firefox

rnhmjoj · November 9, 2021, 9:42am

Which channel? Are you running NixOS or Nix on another distribution?

fneddy · November 9, 2021, 3:21pm

nix on Fedora 35. I did not change any of the default settings except to add
{ allowUnfree = true; } to ~/.config/nixpkgs/config.nix

rnhmjoj · November 9, 2021, 3:31pm

What’s the output of nix-channel --list?

rnhmjoj · November 9, 2021, 9:12pm

I have an idea about what your issue could be: since NixOS 21.05 (IIRC) nss has been patched to use the system trust store instead of a hardcoded set of CA roots (the cacert package). On NixOS (and Debian, Arch, Gentoo, etc.) the trust store is /etc/ssl/certs/ca-certificates.crt, but Fedora uses /etc/pki/tls/certs/ca-bundle.crt and nss has only been configured for the former location.

If I’m correct, making a symlink like

ln -s /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt

should fix the errors.

fneddy · November 10, 2021, 8:07am

ohh yes this fixed it. thank you very much!

rnhmjoj · November 10, 2021, 9:38am

Great! I’ll open a pull request to add the Fedora location as well.

fneddy · November 10, 2021, 11:31am

i don’t know exactly but RHEL might have the same issue?

rnhmjoj · November 10, 2021, 5:06pm

Do you know if the path is the same as on Fedora or a different one?

fneddy · November 11, 2021, 10:31am

i just checked RHEL 8.4 and it is the same as Fedora 35.

rnhmjoj · November 19, 2021, 9:44am

I finally have a fix for this ready.

There’s one last thing I need to ask you: does the validation work in curl?
I think it should be affected by this too, but maybe (hopefully) I’m missing something.