Make firefox (flatpak) trust a certificate that fedora trusts

I have created a self-signed certificate for the Luci web page of my openwrt router. I then copied the pem file on fedora and made it a trusted certificate for my machine acoording to the instructions listed in the documentation.

I have also verified that the certificate is trusted by seeing it in the output of the trust list command.

The problem is that whenever I visit my router’s address I get a “scary” safety warning. I know I can just accept risk and continue but I want to see if I can do it more properly as a learning exercise and because I like to indulge in my perfectionism :wink:

My system is running Fedora Silverblue 33, with the default firefox package removed and flatpak version from flathub installed in it’s place. Everything is fully updated.

Firefox says that it doesn’t trust the certificate because it is self signed.

I also have installed Chromium flathub from flatpak and I get a red warning there as well. What’s interesting here is that chromium warning reads:

This server could not prove that it is $router_name ; its security certificate is not trusted by your computer’s operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

Is there any way to “propagate” the trust of the OS to that certificate?

I understand that there is probably an interaction between the browsers, flatpak and the OS going on here but hopefully someone can shed some light in why this is happening.

I don’t know about propagating OS’s trust to the Firefox flatpak but you can manually add it from the settings menu: Preferences -> Privacy & Security, scroll down to Certificates, click View Certificates, in the Authorities tab click Import and select your certificate file. I have done this with RPM package but not flatpak, so I am not sure if it will work with flatpak.

1 Like

I tried that but I must be doing something wrong.

I can view the certificate in firefox and it gives me the option to download the pem file. However when I try to add in the way you describe I am getting the following error:

This is not a certificate authority certificate, so it can’t be imported into the certificate authority list.

I also tried to add it as a certificate but got that error:

This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested.

I then found this security stackexchange post that told me I needed key and cert together in a PKCS#12 file. I created the file as instructed and added it as both a certificate and a certificate authority. For some reason however the warning didn’t go away :thinking:

Thank you for the suggestion though.

1 Like