Description of problem:
As a workaround to bug 1303138, I tried to add the p11-kit-trust.so PKCS#11 module to Firefox's nssdb. The module worked until restart, when it was no longer known by FF.
Version-Release number of selected component (if applicable):
firefox-45.0-0.3.el7_2.x86_64
How reproducible:
always
Steps to Reproduce:
0. wget -P /etc/pki/ca-trust/source/anchors \
   https://password.corp.redhat.com/cacert.crt \
   https://password.corp.redhat.com/RH-IT-Root-CA.crt
   update-ca-trust
1. modutil -dbdir $HOME/.mozilla/firefox/<profile> -list
2. start firefox, add /usr/lib64/pkcs11/p11-kit-trust.so to "security devices" in Preferences - Advanced - certificates
3. go to https://errata.devel.redhat.com/
4. modutil -dbdir $HOME/.mozilla/firefox/<profile> -list
5. stop firefox
6. modutil -dbdir $HOME/.mozilla/firefox/<profile> -list
7. start firefox, go to https://errata.devel.redhat.com/ again
8. modutil -dbdir $HOME/.mozilla/firefox/<profile> -list
Actual results:
1. expected: just NSS Internal... module is present
3. page loads OK
4., 6.: you can see p11-kit-trust.so library as a 2nd module
7. page doesn't load with Error code: SEC_ERROR_UNKNOWN_ISSUER
8. p11-kit-trust.so is not among firefox's modules anymore
Expected results:
module will be available indefinitely after configuring
Additional info:
Won't be reproducible with p11-kit-trust.so once bug 1303138 is fixed, so replace that bug with e.g. the coolkey smartcard module (from the 'coolkey' package) and skip the https:// validity steps.
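
The comparison made in steps 4 and 8 above can be scripted. This is an added example, not part of the original report: the function names `module_registered` and `persistence_state` are hypothetical, and the sample listings (including the module name `p11-kit-trust`) are constructed to resemble `modutil -list` output.

```sh
#!/bin/sh
# Added example (not from the bug report): decide from `modutil -list`
# output whether a PKCS#11 module is still registered after a restart.

# module_registered LIB: read a module listing on stdin; exit 0 if some
# module's "library name:" line equals LIB exactly.
module_registered() {
    awk -v lib="$1" '
        /library name:/ {
            sub(/^.*library name:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            if ($0 == lib) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# persistence_state BEFORE AFTER LIB: compare the listing taken while the
# browser was running (step 4) with the one taken after restart (step 8).
persistence_state() {
    if ! printf '%s\n' "$1" | module_registered "$3"; then
        echo never-registered
    elif printf '%s\n' "$2" | module_registered "$3"; then
        echo persisted
    else
        echo lost-after-restart
    fi
}

# Constructed sample listings, modelled on modutil's -list layout.
INTERNAL='  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded'
BEFORE="$INTERNAL

  2. p11-kit-trust
    library name: /usr/lib64/pkcs11/p11-kit-trust.so
     slots: 1 slot attached
    status: loaded"
AFTER="$INTERNAL"
LIB=/usr/lib64/pkcs11/p11-kit-trust.so

# Live use: capture $(modutil -dbdir "$HOME/.mozilla/firefox/<profile>" -list)
# at step 4 and again at step 8, then pass both captures in place of the samples.
persistence_state "$BEFORE" "$AFTER" "$LIB"
```

On the constructed samples this prints `lost-after-restart`, the state the report describes.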
(In reply to Martin Stransky from comment #2)
> The available 45 builds use Mozilla in-tree NSS, which misses Red Hat special
> config.
This is not an RH-specific config; this is a bug in basic functionality. Smartcards won't work as a result of this (unless an RH-specific change is made to make FF read /etc/pki/nssdb as well, of course).
> We need to retest when system nss is enabled.
Sure.