Getting Firefox to work with p11-kit to use system-wide installed certificates

Hi there,

i have installed custom PEM certificates on nearly all my systems (system-wide) and i configure my user accounts with home-manager. Previously i have been using chrome/chromium and that just picked up my globally installed certs, so i could browse e.g. my company intranet.
Now i would like to switch to Firefox because Chrome is going to disallow adblockers, but it’s really hard to make Firefox accept globally installed certificates.

I found out that one can make Firefox use p11-kit as a drop-in replacement, and that can consume globally installed certs. I got Firefox to work with p11-kit in general, but i am not happy with the solution.

The thread in the home-manager repo that i started here: firefox, preinstalled certificates · Issue #728 · nix-community/home-manager · GitHub is now closed because i think this is generally a nixos question rather than a home-manager problem.

Let me first explain what i did to get it to work in general:

My systems all have this in their /etc/nixos/configuration.nix:

  security.pki.certificates = [ " ...certificates... " ];

So the certs are all in /etc/ssl/certs/ca-bundle.crt.

I found out that pkgs.p11-kit does not consume system certs because the nix expression configures it this way, but this can easily be fixed:

diff --git a/pkgs/development/libraries/p11-kit/default.nix b/pkgs/development/libraries/p11-kit/default.nix
index 0e1be863346..596d157ce89 100644
--- a/pkgs/development/libraries/p11-kit/default.nix
+++ b/pkgs/development/libraries/p11-kit/default.nix 
@@ -39,8 +39,8 @@ stdenv.mkDerivation rec {
   configureFlags = [
     "--sysconfdir=/etc"
     "--localstatedir=/var"
-    "--without-trust-paths"
-  ]; # TODO: store trust anchors in a directory common to Nix and NixOS
+    "--with-system-config"
+  ];
 
   enableParallelBuilding = true;

Ok, so with p11-kit using my certs (which can easily be checked with the command trust -list), i was now able to manually load p11-kit-trust.so into the “Security Devices” list of Firefox using the GUI or by adding a custom profile and loading that via command line:

modutil -dbdir /tmp/testprofile -create
modutil -dbdir /tmp/testprofile -add "p11-kit" -libfile "/nix/store/b1q7zq05b81vpb9ys89lmhlshd5z2faz-p11-kit-0.23.15/lib/pkcs11/p11-kit-trust.so"
firefox --profile /tmp/testprofile

This works. But if i want to have a nix expression that installs me firefox that does this, then i would need a wrapper script that makes sure that this profile is created if not existing already, and then starts firefox with that.

This thread here shows how to substitute the library libnssckbi.so system-wide to make Firefox use p11-kit: Add certificate authorities system-wide on Firefox - Ask Ubuntu

Unfortunately this is of course not the way how it works in in NixOS, because the library paths are hardcoded. I thought about using patchelf on the firefox binary, but using ldd i don’t even see a reference to libnssckbi.so, so it’s most probably loaded by another library (i think it is nspr).

This makes the situation a bit complicated now. I tried using LD_PRELOAD=/nix/store/.../p11-kit-trust.so, but that doesn’t work, Firefox still gets to load libnssckbi.so from the nss package.

Any idea how to fix that? My hope is to have a firefox package overload/wrapper that simply makes firefox use p11-kit transparently to accept my custom global system certs like all the other browsers automatically do, but without tampering with firefox user profiles.

5 Likes

For posterity - this has been fixed in nss: add option to use p11-kit · NixOS/nixpkgs@b9bb98c · GitHub.

1 Like