Features/SharedSystemCertificates:TipsAndKnownIssues

From FedoraProject

Revision as of 07:18, 28 March 2013 by Kparal (Talk | contribs)


This page is related to the Shared System Certificates (SSC) feature.

Known issues and workarounds are posted here.


32-bit systems: Firefox prints warnings

On a 32 bit / i686 system, Firefox might print the following messages on the console:

p11-kit: 'timet >= 0' not true at when_and_offset_to_time_t
p11-kit: 'timet >= 0' not true at calc_date

These messages are safe to ignore. The issue is tracked in https://bugs.freedesktop.org/show_bug.cgi?id=62825 and will be fixed.

32-bit systems: Firefox crashes

32-bit Firefox on Fedora seems unstable and crashes frequently when visiting web pages that make use of JavaScript. The crashes are believed to be unrelated to the SSC feature. On these systems, please use a different browser (epiphany) to work with the test day wiki page.

p11-kit reporting duplicate certificate

You might see the following warning messages:

p11-kit: duplicate 'StartCom Certification Authority' certificate found in: ca-bundle.trust.crt
p11-kit: duplicate 'Class 3 Public Primary Certification Authority' certificate found in: ca-bundle.trust.crt

These are safe to ignore. The issue has been fixed in package ca-certificates-2012.87-10.0

HOWTO: Confirm that SSC is being used

This command tells you which module is in use:

ls -l /etc/alternatives/libnssckbi.so*

It will either report /usr/lib(64)/nss/libnssckbi.so (NSS), or it will report /usr/lib(64)/pkcs11/p11-kit-trust.so (p11-kit).

On a standard F19 system, it should report: p11-kit
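
One way to script this check, as an added example that is not part of the original wiki page: it reads every libnssckbi.so* link and classifies its target using the four module paths listed on this page. The function names `classify_target` and `ssc_status` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Fedora wiki): report which trust module each
# libnssckbi.so* alternative points at. Module paths are the ones on this page;
# the function names are hypothetical.

# classify_target PATH -> prints "p11-kit", "nss" or "unknown"
classify_target() {
    case "$1" in
        /usr/lib/pkcs11/p11-kit-trust.so|/usr/lib64/pkcs11/p11-kit-trust.so) echo "p11-kit" ;;
        /usr/lib/nss/libnssckbi.so|/usr/lib64/nss/libnssckbi.so) echo "nss" ;;
        *) echo "unknown" ;;
    esac
}

# ssc_status [DIR] -> one line per link: "<link-name> <module> <target>"
# Returns 0 only if at least one link exists and every link points at p11-kit.
ssc_status() {
    dir="${1:-/etc/alternatives}"
    found=0
    rc=0
    for link in "$dir"/libnssckbi.so*; do
        # An unmatched glob stays literal and is skipped here.
        [ -L "$link" ] || continue
        found=1
        target=$(readlink "$link")
        module=$(classify_target "$target")
        echo "$(basename "$link") $module $target"
        [ "$module" = "p11-kit" ] || rc=1
    done
    if [ "$found" -ne 1 ]; then
        echo "no libnssckbi.so* alternative found in $dir" >&2
        return 1
    fi
    return "$rc"
}

# Check the live system only when asked to: sh this-script.sh --check
if [ "${1:-}" = "--check" ]; then
    ssc_status
fi
```

A non-zero exit status means that at least one link points at the NSS module or at an unexpected path, or that no link exists.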

HOWTO: Test Firefox _without_ the new SSC feature

If you are triaging an issue, and you would like to test the behaviour of an NSS application (e.g. Firefox) using the classic module provided by NSS, use the following command to switch to the NSS module:

# on a 32 bit / i386 / i686 system:
/usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so
# on a 64 bit system:
/usr/sbin/update-alternatives --remove libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so

After running the above command, use

ls -l /etc/alternatives/libnssckbi.so*

and the link should point to the NSS module.

Once you're ready to again activate the new p11-kit module, use:

# on a 32 bit / i386 / i686 system:
/usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so 30
# on a 64 bit system:
/usr/sbin/update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so 30

then use

ls -l /etc/alternatives/libnssckbi.so*

and the link should point to the p11-kit module.

HOWTO: Reset the standard F19 SSC setup

If, for some reason, you want to completely reset the alternative modules to their original state, use the following series of commands:

# on a 32 bit / i386 / i686 system:
/usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so
/usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/nss/libnssckbi.so
/usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/nss/libnssckbi.so 10
/usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so 30
# on a 64 bit system:
/usr/sbin/update-alternatives --remove libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so
/usr/sbin/update-alternatives --remove libnssckbi.so.x86_64 /usr/lib64/nss/libnssckbi.so
/usr/sbin/update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/nss/libnssckbi.so 10
/usr/sbin/update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so 30
# on all systems:
ls -l /etc/alternatives/libnssckbi.so*

and the link should point to the p11-kit module.