Features/SharedSystemCertificates:TipsAndKnownIssues

From FedoraProject

< Features(Difference between revisions)
Jump to: navigation, search
(32-bit systems: Firefox crashes)
(32-bit systems: Firefox crashes)
 
Line 11: Line 11:
  
 
=32-bit systems: Firefox crashes=
 
=32-bit systems: Firefox crashes=
Firefox 32bit on Fedora seems unstable, and [https://bugzilla.redhat.com/show_bug.cgi?id=928353 crashes frequently] when visiting web pages that make use of JavaScript. The crashes are believed to be unrelated to the SSC feature. This could be caused by a compiler bug.
+
Firefox 32bit on Fedora seems unstable, and [https://bugzilla.redhat.com/show_bug.cgi?id=928353 crashes frequently] when visiting web pages that make use of JavaScript. On these systems please use a different browser (epiphany) to work with the test day wiki page.
  
A workaround is to download a firefox from Mozilla, which seems to work correctly:
+
Alternatively, you can download Firefox from Mozilla, which seems to work correctly:
 
  # erase system firefox
 
  # erase system firefox
 
  sudo yum erase firefox xulrunner
 
  sudo yum erase firefox xulrunner

Latest revision as of 11:02, 28 March 2013

This page is related to the Shared System Certificates (SSC) feature.

Known issues and workarounds are posted here.

Contents

[edit] 32-bit systems: Firefox prints warnings

On a 32 bit / i686 system, Firefox might print the following messages on the console:

p11-kit: 'timet >= 0' not true at when_and_offset_to_time_t
p11-kit: 'timet >= 0' not true at calc_date

These messages are safe to ignore. The issues is tracked in https://bugs.freedesktop.org/show_bug.cgi?id=62825 and will be fixed.

[edit] 32-bit systems: Firefox crashes

Firefox 32bit on Fedora seems unstable, and crashes frequently when visiting web pages that make use of JavaScript. On these systems please use a different browser (epiphany) to work with the test day wiki page.

Alternatively, you can download Firefox from Mozilla, which seems to work correctly:

# erase system firefox
sudo yum erase firefox xulrunner
#change to your home directory
cd
wget http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/19.0.2/linux-i686/en-US/firefox-19.0.2.tar.bz2
tar xjf firefox-19.0.2.tar.bz2
cd firefox
# hide classic module under a new name
mv -i libnssckbi.so ckbi.nss
# link to the module currently set as the system default
ln -s /etc/alternatives/libnssckbi.so
./firefox

[edit] p11-kit reporting duplicate certificate

You might see the following warning messages:

p11-kit: duplicate 'StartCom Certification Authority' certificate found in: ca-bundle.trust.crt
p11-kit: duplicate 'Class 3 Public Primary Certification Authority' certificate found in: ca-bundle.trust.crt

These are safe to ignore. The issue has been fixed in package ca-certificates-2012.87-10.0

[edit] HOWTO: Confirm that SSC is being used

This command tells you which module is in use:

ls -l /etc/alternatives/libnssckbi.so*

It will either report /usr/lib(64)/nss/libnssckbi.so (NSS), or it will report /usr/lib(64)/pkcs11/p11-kit-trust.so (p11-kit).

On a standard F19 system, it should report: p11-kit

[edit] HOWO: Test Firefox _without_ the new SSC feature

If you are triaging an issue, and you would like to test the behaviour of an NSS application (e.g. Firefox) using the classic module provided by NSS, use the following command to switch to the NSS module:

# on a 32 bit / i386 / i686 system:
/usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so
# on a 64 bit system:
/usr/sbin/update-alternatives --remove libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so

After above command, use

ls -l /etc/alternatives/libnssckbi.so*

and the link should point to the NSS module.

Once you're ready to again activate the new p11-kit module, use:

# on a 32 bit / i386 / i686 system:
/usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so 30
# on a 64 bit system:
/usr/sbin/update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so 30

then use

ls -l /etc/alternatives/libnssckbi.so

and the link should point to the p11-kit module.

[edit] HOWTO: Reset the standard F19 SSC setup

If for some reason, you want to completely reset the alternative modules to the original state, use the following series of commands:

# on a 32 bit / i386 / i686 system:
/usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so
/usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/nss/libnssckbi.so
/usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/nss/libnssckbi.so 10
/usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so 30
# on a 64 bit system:
/usr/sbin/update-alternatives --remove libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so
/usr/sbin/update-alternatives --remove libnssckbi.so.x86_64 /usr/lib64/nss/libnssckbi.so
/usr/sbin/update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/nss/libnssckbi.so 10
/usr/sbin/update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so 30
# on all systems:
ls -l /etc/alternatives/libnssckbi.so*

and the link should point to the p11-kit module.