Also adding SSSD here, would be easy enough to make its default PAM CA
ring to point to /etc/ssl/certs/ca-certificates.crt by default (and
change-able in settings) but not sure if we want to go this route as it
may make SSSD documentation confusing (as it everywhere mentions
/etc/sssd/pki/sssd_auth_ca_db.pem or /etc/sssd/pki/sssd_auth_ca_db.pem).
Maybe a nice way would be to provide a default sssd.conf file that
explicitly set that instead of hard-coding it, so we won't break current
installations.
** Also affects: sssd (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to thunderbird in Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Title:
SSL trust not system-wide
Status in ca-certificates package in Ubuntu:
Confirmed
Status in firefox package in Ubuntu:
Confirmed
Status in nss package in Ubuntu:
Confirmed
Status in p11-kit package in Ubuntu:
Fix Released
Status in sssd package in Ubuntu:
New
Status in thunderbird package in Ubuntu:
Confirmed
Bug description:
When I install a corporate CA trust root with update-ca-certificates,
it doesn't seem to work everywhere. Various things like Firefox,
Evolution, Chrome, etc. all fail to trust the newly-installed trusted
CA.
This ought to work, and does on other distributions. In p11-kit there
is a module p11-kit-trust.so which can be used as a drop-in
replacement for NSS's own libnssckbi.so trust root module, but which
reads from the system's configured trust setup instead of the hard-
coded version.
This allows us to install the corporate CAs just once, and then file a
bug against any package that *doesn't* then trust them.
See https://fedoraproject.org/wiki/Features/SharedSystemCertificates
for some of the historical details from when this feature was first
implemented, but this is all now supported upstream and not at all
distribution-specific. There shouldn't be any significant work
required; it's mostly just a case of configuring and building it to
make use of this functionality. (With 'alternatives' to let you
substitute p11-kit-trust.so for the original NSS libnssckbi.so, etc.)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
