Getting Firefox to work with p11-kit to use system-wide installed certificates

Hi there,

i have installed custom PEM certificates on nearly all my systems (system-wide) and i configure my user accounts with home-manager. Previously i have been using chrome/chromium and that just picked up my globally installed certs, so i could browse e.g. my company intranet.
Now i would like to switch to Firefox because Chrome is going to disallow adblockers, but it’s really hard to make Firefox accept globally installed certificates.

I found out that one can make Firefox use p11-kit as a drop-in replacement, and that can consume globally installed certs. I got Firefox to work with p11-kit in general, but i am not happy with the solution.

The thread in the home-manager repo that i started here: is now closed because i think this is generally a nixos question rather than a home-manager problem.

Let me first explain what i did to get it to work in general:

My systems all have this in their /etc/nixos/configuration.nix:

  security.pki.certificates = [ " ...certificates... " ];

So the certs are all in /etc/ssl/certs/ca-bundle.crt.

I found out that pkgs.p11-kit does not consume system certs because the nix expression configures it this way, but this can easily be fixed:

diff --git a/pkgs/development/libraries/p11-kit/default.nix b/pkgs/development/libraries/p11-kit/default.nix
index 0e1be863346..596d157ce89 100644
--- a/pkgs/development/libraries/p11-kit/default.nix
+++ b/pkgs/development/libraries/p11-kit/default.nix 
@@ -39,8 +39,8 @@ stdenv.mkDerivation rec {
   configureFlags = [
-    "--without-trust-paths"
-  ]; # TODO: store trust anchors in a directory common to Nix and NixOS
+    "--with-system-config"
+  ];
   enableParallelBuilding = true;
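Review bot: the replacement flag in this hunk, a bare `--with-system-config` with no path value, does not say where p11-kit's trust module should read anchors from, and the TODO about where trust anchors live for Nix and NixOS is dropped without being resolved. If the goal is to have the trust module consume /etc/ssl/certs/ca-bundle.crt (the bundle named earlier in the post), the counterpart of the removed `--without-trust-paths` is `--with-trust-paths=<path>`, so spell that path out explicitly and keep (or update) the comment explaining the choice.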

Ok, so with p11-kit using my certs (which can easily be checked with the command trust -list), i was now able to manually load into the “Security Devices” list of Firefox using the GUI or by adding a custom profile and loading that via command line:

modutil -dbdir /tmp/testprofile -create
modutil -dbdir /tmp/testprofile -add "p11-kit" -libfile "/nix/store/b1q7zq05b81vpb9ys89lmhlshd5z2faz-p11-kit-0.23.15/lib/pkcs11/"
firefox --profile /tmp/testprofile

This works. But if i want to have a nix expression that installs me firefox that does this, then i would need a wrapper script that makes sure that this profile is created if not existing already, and then starts firefox with that.

This thread here shows how to substitute the library system-wide to make Firefox use p11-kit: Add certificate authorities system-wide on Firefox - Ask Ubuntu

Unfortunately this is of course not the way how it works in NixOS, because the library paths are hardcoded. I thought about using patchelf on the firefox binary, but using ldd i don’t even see a reference to, so it’s most probably loaded by another library (i think it is nspr).

This makes the situation a bit complicated now. I tried using LD_PRELOAD=/nix/store/.../, but that doesn’t work, Firefox still gets to load from the nss package.

Any idea how to fix that? My hope is to have a firefox package overload/wrapper that simply makes firefox use p11-kit transparently to accept my custom global system certs like all the other browsers automatically do, but without tampering with firefox user profiles.
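A launcher of the kind the post describes, as an added example (not code from the post or from nixpkgs): it creates the profile's NSS database once, registers the p11-kit trust module with modutil only if it is not already listed, and then starts Firefox on that profile. The module path, Firefox binary and profile directory are assumed placeholders; it also assumes the "N. name" line format of `modutil -list` output.

```shell
#!/usr/bin/env bash
# Added example: Firefox launcher that wires p11-kit into a dedicated profile.
# PROFILE_DIR, P11KIT_MODULE and FIREFOX_BIN are placeholders (assumptions).
set -eu

PROFILE_DIR="${PROFILE_DIR:-$HOME/.mozilla/firefox/p11kit}"
P11KIT_MODULE="${P11KIT_MODULE:-/path/to/p11-kit/lib/pkcs11/p11-kit-trust.so}"
FIREFOX_BIN="${FIREFOX_BIN:-firefox}"
MODULE_NAME="p11-kit-trust"

# Return 0 if a `modutil -list` listing (passed as $1) names our module.
# Entries look like "  2. p11-kit-trust" followed by indented detail lines.
module_registered() {
  printf '%s\n' "$1" |
    grep -Eq "^[[:space:]]*[0-9]+\.[[:space:]]+${MODULE_NAME}[[:space:]]*$"
}

# Create the profile's NSS database only when none exists yet
# (pkcs11.txt = sql format, secmod.db = legacy format).
ensure_profile() {
  if [ ! -f "$PROFILE_DIR/pkcs11.txt" ] && [ ! -f "$PROFILE_DIR/secmod.db" ]; then
    mkdir -p "$PROFILE_DIR"
    modutil -dbdir "$PROFILE_DIR" -create -force   # -force: no interactive prompt
  fi
}

# Register the module once; repeated launches must not add duplicates.
ensure_module() {
  local listing
  listing="$(modutil -dbdir "$PROFILE_DIR" -list 2>/dev/null || true)"
  if module_registered "$listing"; then
    return 0
  fi
  if [ ! -r "$P11KIT_MODULE" ]; then
    echo "p11-kit module not found: $P11KIT_MODULE" >&2
    return 1
  fi
  modutil -dbdir "$PROFILE_DIR" -add "$MODULE_NAME" -libfile "$P11KIT_MODULE" -force
}

launch() {
  ensure_profile
  ensure_module
  exec "$FIREFOX_BIN" --profile "$PROFILE_DIR" "$@"
}

# Only start Firefox when invoked with --launch, so the functions can be sourced.
if [ "${1:-}" = "--launch" ]; then
  shift
  launch "$@"
fi
```

Any profile created this way only ever has the module added once, so the launcher is safe to put behind a wrapper that runs on every start.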


For posterity - this has been fixed in nss: add option to use p11-kit · NixOS/nixpkgs@b9bb98c · GitHub.