Headless Chrome does not recognise Certificate Authority
Reported by
richlewi...@gmail.com,
Jan 12 2018
Issue description

Chrome Version (63.0.3239.132):
Is this the most recent version: As far as I am aware
OS + version: Debian 9 (Running in Docker Container)
CPU architecture (32-bit / 64-bit): 64 bit
Window manager: N/A
URLs (if relevant): N/A
Behavior in Linux Firefox: N/A
Behavior in Windows Chrome (if you have access to it): N/A

What steps will reproduce the problem?
Firstly, apologies if this is not a bug; I'm not sure what else to do at the moment apart from raising something here.
I am running headless Chrome on Debian 9 in a Docker container and I cannot seem to get the browser to trust my own Certificate Authority (as an internal application I cannot provide any URLs, sorry; the application runs on localhost).
When accessing a particular page, i.e. https://myapp.localhost.test.co.uk, I cannot see the page (it's just blank on the screenshot). I tested this on PhantomJS and I could see the page, so it can be accessed.
I have added the CA to /usr/local/share/ca-certificates and used certutil to add it to the nssdb.
Does Chrome have the ability to be able to recognise the CS cert?
Any help here appreciated.
Thank you

What is the expected result?
I would expect the CA to be recognised and the page viewable using headless Chrome.

What happens instead?
Blank page and error:
[0110/161130.895276:ERROR:cert_verify_proc_nss.cc(922)] CERT_PKIXVerifyCert for myapp.localhost.test.co.uk failed err=-8181

Please provide any additional information below. Attach a screenshot and backtrace if possible.
For graphics-related bugs, please copy/paste the contents of the about:gpu page at the end of this report.
,
Jan 12 2018
I'm not sure the initialization path that the headless mode code takes, and how/if it loads databases. I also don't know which database you modified with certutil. Can you please provide more details about the set of certutil commands you ran, the location of your certutil database, and the contents of it? You can obtain the contents (and the trust flags), via certutil -L -d certdir where certdir should be "sql:$HOME/.pki/nssdb" (as that is the only path Chrome/Chromium supports).
,
Jan 12 2018
Hi,
Apologies, should have included that in the original description and thank you for your prompt response.
My certificate was added to $HOME/.pki/nssdb via the following command
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n HendricksJS -i /usr/local/share/ca-certificates/ca.crt
I then checked it was there with "certutil -d sql:$HOME/.pki/nssdb -L"
the output was
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

HendricksJS                                                  C,,
So as far as I can tell the certificate is in the correct place?
Thanks
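
Added example (not part of the thread and not Chromium code): a small triage helper that reads the two outputs quoted in this report, the `certutil -L` listing and the `cert_verify_proc_nss.cc` error line, and reports whether the CA carries the `C` (trusted CA) flag in the SSL field and which NSS error name the numeric code maps to. The function names and the selection of error codes are choices made for this example; the code-to-name mapping follows NSS's `secerr.h` (`SEC_ERROR_BASE` is -0x2000).

```python
import re

# NSS error codes are SEC_ERROR_BASE (-0x2000) plus an offset (NSS secerr.h).
SEC_ERROR_BASE = -0x2000
NSS_ERRORS = {SEC_ERROR_BASE + off: name for off, name in [
    (10, "SEC_ERROR_BAD_SIGNATURE"),
    (11, "SEC_ERROR_EXPIRED_CERTIFICATE"),
    (12, "SEC_ERROR_REVOKED_CERTIFICATE"),
    (13, "SEC_ERROR_UNKNOWN_ISSUER"),
    (20, "SEC_ERROR_UNTRUSTED_ISSUER"),
    (21, "SEC_ERROR_UNTRUSTED_CERT"),
    (30, "SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE"),
]}
LOG_RE = re.compile(r"CERT_PKIXVerifyCert for (\S+) failed err=(-?\d+)")
TRUST_RE = re.compile(r"^(\S.*?)\s+([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)\s*$")

# Sample input: the two outputs quoted in the report above.
SAMPLE_LOG = ("[0110/161130.895276:ERROR:cert_verify_proc_nss.cc(922)] "
              "CERT_PKIXVerifyCert for myapp.localhost.test.co.uk failed err=-8181")
SAMPLE_LISTING = """Certificate Nickname            Trust Attributes
                                SSL,S/MIME,JAR/XPI

HendricksJS                     C,,
"""

def parse_verify_failures(log_text):
    """Return (hostname, code, NSS name) for each verification failure line."""
    return [(host, int(code), NSS_ERRORS.get(int(code), "unmapped"))
            for host, code in LOG_RE.findall(log_text)]

def parse_trust_listing(listing):
    """Map nickname -> (ssl, smime, objsign) flags from `certutil -L` output."""
    rows = (TRUST_RE.match(line) for line in listing.splitlines())
    return {m.group(1): m.groups()[1:] for m in rows if m}

def triage(log_text, listing, ca_nickname):
    """Combine both views: is the CA trusted for SSL, and what did NSS reject?"""
    flags = parse_trust_listing(listing).get(ca_nickname)
    if flags is None:
        findings = [f"{ca_nickname}: not in the NSS database"]
    elif "C" not in flags[0]:  # lowercase 'c' is a valid CA, not a trusted one
        findings = [f"{ca_nickname}: not a trusted CA for SSL (flags {flags[0]!r})"]
    else:
        findings = [f"{ca_nickname}: trusted CA for SSL"]
    for host, code, name in parse_verify_failures(log_text):
        findings.append(f"{host}: err={code} {name}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG, SAMPLE_LISTING, "HendricksJS")))
```

For the values quoted in the report this yields a trusted-CA entry together with `SEC_ERROR_EXPIRED_CERTIFICATE`, an error about validity dates in the chain rather than about the trust flags.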
,
Jan 12 2018
Thank you for providing more feedback. Adding requester "rsleevi@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 12 2018
Did this CA issue certificates, or are you using it as the server certificate? Attaching a chrome://net-export (or --log-net-log, if it's wired up in Headless, or a NetLog if you can) is probably a good next step. Alternatively/additionally, attaching the full certificate chain would be useful, and would be included in the NetLog.
,
Jan 12 2018
This CA is self-signed and issues certificates in our case. Does that make a difference?
I have attached the output from using --log-net-log.
Just to advise, I am treading in unfamiliar territory here with certificates, so I appreciate any patience :-)
Thanks
,
Jan 12 2018
Thank you for providing more feedback. Adding requester "rsleevi@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 12 2018
My understanding is that headless is a completely separate content embedder than Chrome, so it has its own network stack setup code.
,
Jan 12 2018
Would you happen to know how I can get headless to trust the CA cert at all?
,
Jan 13 2018
Can you clarify how you're invoking headless? I have seen some headless scripts that 'redirect' $HOME/.pki/nssdb so that they can be hermetic from the logged-in user. The NetLog is truncated, so it looks like headless isn't flushing the file. I think without a functioning netlog and the certificate chain, we may not be able to debug further. I'm hoping someone from the Headless side can triage and help us get more info :)
,
Jan 15 2018
Hi,
I am running
google-chrome --headless --no-sandbox --dump-dom --screenshot https://my-endpoint.localhost.co.uk
Is anyone from the Headless side able to look at this as well, or do I need to raise this elsewhere? I have tried again over the weekend but am still having no luck with this....
If it cannot be done then it would be good to know also; it just means I can focus on another way to get my tests running.... Again, any help appreciated.
Thanks
,
Jan 15 2018
Thank you for providing more feedback. Adding requester "rsleevi@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 15 2018
Setting Needs-Feedback for the full certificate chain in Comment #5
,
Jan 16 2018
Strange, the netlog is flushed here[1] as with other embedders. Could you make sure you are shutting down the browser with something like Browser.close[2] to make sure the file is flushed?
[1] https://cs.chromium.org/chromium/src/headless/lib/browser/headless_net_log.cc?rcl=1dc1755b340ccf96a532a6f50e4414f59ddb9424&l=53
[2] https://chromedevtools.github.io/devtools-protocol/tot/Browser#method-close
,
Feb 3 2018
richlewis14@, are you able to provide the full certificate chain as requested in comment #5?
,
Feb 21 2018
Closing because of inactivity. Please reopen if you can provide the requested information.
Comment 1 by dtapu...@chromium.org
, Jan 12 2018