Bug 2118991

Summary: Deleting certificate from UI does not remove it completely from cert db
Product: Red Hat Enterprise Linux 9
Reporter: Marko Myllynen <myllynen>
Component: firefox
Assignee: Anton Bobrov <abobrov>
Status: CLOSED NEXTRELEASE
QA Contact: Jiri Prajzner <jprajzne>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: abobrov, jhorak, jpazdziora, jprajzne, tpelka, tpopela
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: firefox-102.12
Last Closed: 2023-06-05 08:46:22 UTC
Type: Bug

Description Marko Myllynen 2022-08-17 09:35:33 UTC
Description of problem:
Visiting a site with a self-signed certificate, accepting/adding that certificate, and later deleting it leaves something in the cert db that is visible only with certutil. This in turn causes issues if visiting the site (e.g., an often-recycled test server) after its certificate has been re-created, which results in a complaint about the certificate.

Version-Release number of selected component (if applicable):
firefox-91.12.0-2.el9_0.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Create a test service with self-signed certificate
2. Create a new Firefox profile, start Firefox, visit the test site, and accept the certificate
3. Restart Firefox, observe the accepted certificate being listed in Edit -> Settings -> Privacy & Security -> Certificates -> View Certificates -> Servers.
4. Delete the certificate, close Firefox
5. Use certutil on the command line to list the certificates in the cert db and notice how the recently accepted and deleted certificate is still listed (certutil -d sql:/tmp/ff-test-profile -L)
6. Create a new self-signed certificate using the same serial for the test service and visit it again
7. Unable to enter the site in any way:

"An error occurred during a connection to test.example.com. You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert."

While the serial should be changed, that's not always happening (e.g., with FreeIPA / Red Hat IdM for the time being), so this makes it impossible for the user to visit the site/service again without resorting to command line operations.

Actual results:
Deleting certificate from UI leaves traces of it in the cert db.

Expected results:
Deleting certificate from UI removes all traces of the certificate in the cert db.

Comment 1 Tomas Popela 2022-08-17 13:24:12 UTC
Would it be possible to try the Firefox 102 binary from Mozilla (you can get it from https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr) and see whether it's fixed there or not? We are currently working on bringing Firefox 102 to RHEL, so it would be good if 102 fixes your problem.

Comment 2 Marko Myllynen 2022-08-18 07:16:05 UTC
Thanks for looking into this.

This happens also with 102.1.0esr.

The minimal steps to observe the issue are:

1) rm -rf /tmp/test ; mkdir /tmp/test ; firefox --profile /tmp/test --new-instance ;
2) Visit a site using self-signed certificate, accept the certificate
3) Close the tab, delete the just accepted certificate under Certificates -> View Certificates -> Servers
4) Close Firefox, notice how the certificate name is still seen with "certutil -d sql:/tmp/tmp -L"

Thanks.

Comment 3 Marko Myllynen 2022-08-18 07:17:07 UTC
The certutil command should obviously read "certutil -d sql:/tmp/test -L" in the above step 4).

Comment 4 Anton Bobrov 2023-05-11 15:58:43 UTC
this is reproducible with the latest nightly (739265:51f435ff98d3). the root cause here is that the self-signed cert has

X509v3 Basic Constraints: critical
                CA:TRUE

so it gets added as a "server" certificate as well as a "CA" certificate, which makes sense bc it is self-signed. so in order to get rid of it one has to remove it from "Servers" AND "Authorities" in FF; then the new self-signed cert with the same serial can be used.

my take on it is that technically it is not a bug (bc self-signed) but usability wise i can see how it can be confusing and thus needs addressing somehow tho it is hard to imagine regular users experiencing this (self-signed certs with same serial numbers).

i will have a look at the code and if it can be addressed in a straightforward kinda way i might try to fix it there.
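
An added example (not code from the bug report, Firefox or NSS) that builds the certificate shape Comment 4 names as the root cause, checks a PEM cert for that shape, and purges a leftover entry from a profile's cert db with certutil. The work directory, config and nickname are constructed; Comment 4's criterion (self-signed plus Basic Constraints CA:TRUE) is what the check implements.

```shell
#!/bin/sh
# Added example: reproduce the self-signed CA:TRUE cert from Comment 4, test a
# cert for that shape, and remove a leftover profile db entry with certutil.
# Paths and the nickname are constructed for the example.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Generate a self-signed cert like a recycled test service would. $1 is
# CA:TRUE or CA:FALSE, $2 the serial (the report re-creates with the same
# serial). A private config avoids the system openssl.cnf, whose v3_ca
# section would also inject basicConstraints for -x509.
make_selfsigned() {
    ca=$1; serial=$2; out=$WORK/cert-$ca-$serial.pem
    cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_selfsigned
prompt = no
[dn]
CN = test.example.com
[v3_selfsigned]
basicConstraints = critical,$ca
subjectAltName = DNS:test.example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
        -out "$out" -days 30 -set_serial "$serial" \
        -config "$WORK/openssl.cnf" >/dev/null 2>&1
    echo "$out"
}

# Returns 0 when the cert would be stored as a CA cert as well as a server
# cert: subject equals issuer (self-signed) and Basic Constraints is CA:TRUE.
lands_in_authorities() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Delete every entry for a nickname from a Firefox profile's cert db so a
# re-created cert with the same issuer/serial can be accepted again.
# Usage: purge_nickname /tmp/test test.example.com
purge_nickname() {
    command -v certutil >/dev/null || { echo "certutil not installed" >&2; return 2; }
    while certutil -d sql:"$1" -L | grep -q "^$2 "; do
        certutil -d sql:"$1" -D -n "$2"
    done
}
```

Check the nickname with `certutil -d sql:/tmp/test -L` first, since Firefox may store the entry under a name that differs from the site's hostname.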

Comment 5 Anton Bobrov 2023-05-22 07:48:13 UTC
this has been fixed upstream. the way it works now, when creating an override exception, is that certificates are not added to certdb at all, see https://hg.mozilla.org/mozilla-central/rev/0795946482ee

Status: ASSIGNED → RESOLVED
Closed: 2 days ago
status-firefox115: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch