Bug 2118991 - Deleting certificate from UI does not remove it completely from cert db
Summary: Deleting certificate from UI does not remove it completely from cert db
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: firefox
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Anton Bobrov
QA Contact: Jiri Prajzner
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-08-17 09:35 UTC by Marko Myllynen
Modified: 2023-07-13 10:17 UTC (History)

Fixed In Version: firefox-102.12
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-06-05 08:46:22 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Links:
- Mozilla Foundation bug 1833330 (status ASSIGNED): "Self-signed cert lingers in certdb after override exception removal", last updated 2023-05-16 09:20:22 UTC
- Red Hat Issue Tracker RHELPLAN-131305, last updated 2022-08-17 09:50:08 UTC

Description Marko Myllynen 2022-08-17 09:35:33 UTC
Description of problem:
When visiting a site with a self-signed certificate, accepting/adding that certificate and later deleting it leaves something in the cert db that is visible only with certutil. This in turn causes issues if visiting the site (e.g., an often recycled test server) after its certificate has been re-created, which complains about the certificate.

Version-Release number of selected component (if applicable):
firefox-91.12.0-2.el9_0.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Create a test service with self-signed certificate
2. Create a new Firefox profile, start Firefox, visit the test site, and accept the certificate
3. Restart Firefox, observe the accepted certificate being listed in Edit -> Settings -> Privacy & Security -> Certificates -> View Certificates -> Servers.
4. Delete the certificate, close Firefox
5. Use certutil on the command line to list certificates in the cert db, notice how the recently accepted and deleted certificate is listed (certutil -d sql:/tmp/ff-test-profile -L)
6. Create a new self-signed certificate using the same serial for the test service and visit it again
7. Unable to enter the site in any way:

"An error occurred during a connection to test.example.com. You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert."

While the serial should be changed, that's not always happening (e.g., with FreeIPA / Red Hat IdM for the time being), so this makes it impossible for the user to visit the site/service again without resorting to command line operations.

Actual results:
Deleting certificate from UI leaves traces of it in the cert db.

Expected results:
Deleting certificate from UI removes all traces of the certificate in the cert db.

Comment 1 Tomas Popela 2022-08-17 13:24:12 UTC
Would it be possible to try the Firefox 102 binary from Mozilla (you can get it from https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr) and see whether it's fixed there or not? (We are currently working on bringing Firefox 102 to RHEL, so it would be good if 102 fixes your problem.)

Comment 2 Marko Myllynen 2022-08-18 07:16:05 UTC
Thanks for looking into this.

This happens also with 102.1.0esr.

The minimal steps to observe the issue are:

1) rm -rf /tmp/test ; mkdir /tmp/test ; firefox --profile /tmp/test --new-instance ;
2) Visit a site using self-signed certificate, accept the certificate
3) Close the tab, delete the just accepted certificate Certificates -> View Certificates -> Servers
4) Close Firefox, notice how the certificate name is still seen with "certutil -d sql:/tmp/tmp -L"

Thanks.

Comment 3 Marko Myllynen 2022-08-18 07:17:07 UTC
The certutil command should obviously read "certutil -d sql:/tmp/test -L" in the above step 4).

Comment 4 Anton Bobrov 2023-05-11 15:58:43 UTC
This is reproducible with the latest nightly (739265:51f435ff98d3). The root cause here is that the self-signed cert has

    X509v3 Basic Constraints: critical
        CA:TRUE

so it gets added as a "server" certificate as well as a "CA" certificate, which makes sense bc it is self-signed. So in order to get rid of it one has to remove it from "Servers" AND "Authorities" in FF; then the new self-signed cert with the same serial can be used.

My take on it is that technically it is not a bug (bc self-signed), but usability-wise I can see how it can be confusing and thus needs addressing somehow, tho it is hard to imagine regular users experiencing this (self-signed certs with the same serial numbers).

I will have a look at the code and if it can be addressed in a straightforward kinda way I might try to fix it there.
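
An added diagnostic helper for the symptom described in the reproduction steps and in the comment above (this is not Firefox, NSS or Red Hat code): it parses a certutil -L listing of the profile's cert db to confirm the deleted cert still lingers, checks an openssl x509 text dump for the CA:TRUE Basic Constraints that makes the cert appear under both Servers and Authorities, and models the issuer/serial rule behind the quoted import error. All inputs are constructed samples; `test.example.com`, the serials and the DER byte strings are made up.

```python
"""Diagnose a cert that lingers in an NSS cert db after a Firefox UI delete.

Added example, not code from the bug report or from Firefox/NSS. Every input
below is a constructed sample in the formats the report refers to.
"""
import re

# Constructed: what `certutil -d sql:/tmp/test -L` might print after the delete.
CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

test.example.com                                             ,,
"""

# Constructed: excerpt of `openssl x509 -noout -text -in server.crt`.
X509_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
"""


def parse_certutil_listing(text):
    """Return {nickname: trust_flags} for every entry in a certutil -L listing."""
    entry = re.compile(r"^(\S.*?)\s{2,}(\S*,\S*,\S*)\s*$")
    return {m.group(1): m.group(2)
            for m in map(entry.match, text.splitlines()) if m}


def is_ca_cert(x509_text):
    """True when the dump carries a Basic Constraints extension with CA:TRUE,
    the property that makes the cert show up under Servers AND Authorities."""
    return re.search(r"Basic Constraints:.*\n\s*CA:TRUE\b", x509_text) is not None


def import_conflict(db_certs, new_cert):
    """Model of the rule behind the quoted error: a cert whose issuer and serial
    match an existing db entry, but whose DER differs, cannot be imported."""
    for cert in db_certs:
        if (cert["issuer"], cert["serial"]) == (new_cert["issuer"], new_cert["serial"]):
            return cert["der"] != new_cert["der"]
    return False


def diagnose(listing, x509_text, nickname):
    """Summarise whether the cert lingers and why a UI delete alone is not enough."""
    db = parse_certutil_listing(listing)
    return {"lingering": nickname in db,
            "also_under_authorities": nickname in db and is_ca_cert(x509_text)}
```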

Comment 5 Anton Bobrov 2023-05-22 07:48:13 UTC
This has been fixed upstream. The way it works now, when creating an override exception, is that certificates are not added to certdb at all; see https://hg.mozilla.org/mozilla-central/rev/0795946482ee

Status: ASSIGNED → RESOLVED
status-firefox115: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch

