linux_cac
not bringing certs into Firefox Ubuntu 22.04
script runs fine on a new install of Ubuntu 22.04-server. I added the desktop-minimal. Chrome sees my CAC certs and the script says it loads all the cer files from the zip archive. However, the script seems to do nothing with Firefox. It does not have any DoD authorities nor does it see my CAC certificates.
Since this was a new install, had you started Firefox before running the script? Unlike Chrome, Firefox needs to be started at least once to create its certificate database. At least, this was the case the last time I checked. Chrome hooks into the preexisting NSSDB. Additionally, if the script didn't successfully move you from the Snap version of Firefox to the apt-installed version, the script would not be able to add the certificates to the database. Snap's database for Firefox has some interesting quirks that I've not had time to work through.
Let me know if I'm way off here. I'm happy to help you troubleshoot.
I def launched Firefox first. I've found the script does not remove the snap install so looking at the script I did most of the steps manually.
I'm using the latest ubuntu-22.04.3-desktop-amd64.iso image on a Dell Precision 5560 and an Identiv SCR3310 card reader. The website I'm using to test is https://webmail.apps.mil and also the Platform1 CNAP via AppGate profile link, which is login.dso.mil.
Currently I have Chrome doing everything right. Firefox can't seem to properly load the pkcs driver and see my smart card. I'm going to wipe and reload in hopes to track this down. I'll probably post more requests here.
One thing I noticed in the beginning, and not sure how it got resolved, is that each time I was trying to auth into dso.mil every browser except Firefox gave an error page "ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS". Chrome, Brave, Opera. Firefox had no issues but it did/does not see my smart card.
- default install
- uname -r = 6.2.0-34-generic
- cat /etc/os-release Ubuntu 22.04.03 LTS
- plug in CAC reader
- launch Firefox
- goto militarycac.com to get GitHub link
- download ZIP for linux_cac
- download Chrome, right click software installer to install
- launch chrome. no password for keyring. uncheck default and send usage
- extract linux_cac
- open terminal
- cd Downloads/linux_cac-main
- sudo bash cac_setup.sh (see attached output1.txt)
- launch Firefox and notice no security module loaded
- browse to OWA get error for no cert presented
- launch chrome and browse to OWA
- asked for password (PIN) and certificate and load into OWA successfully
- download AppGate SDP client full for Linux v6.2.3
- launch AppGate and input profile link
- launches Firefox bc default browser. P1 asks for user/pass
- copy URL to Chrome and get asked for CAC PIN and certificate choice then error page This site can't be reached ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS
- run snap list, see firefox 116.0.2-1 installed (see attached output2.txt)
- run snap remove firefox
- sudo -i to root
- cd to the script and ./cac_setup.sh
- did not install Firefox
- open script and run lines 169, 172, 175, 179, 182 (see attached output3.txt)
- on step apt install firefox -y got error E: Packages were downgraded and -y was used without --allow-downgrades
- took off -y and rerun without errors
- launch newly installed Firefox
- rerun cac_setup.sh again as root
- launch Firefox and see new security module CAC Module with driver of /usr/lib64/libcackey.so as the path
- browse to OWA and still no prompt for PIN+cert
- exit root and rerun script with sudo
- no change
- reboot
- no change
- sudo apt update
- sudo apt list --upgradeable
- can see new cackey 0.7.11
- sudo apt upgrade
- following packages held back cackey gjs libjs0g libsgutils2-2
- Chrome works OWA but not Firefox. Firefox works for CNAP but not Chrome

output1.txt output2.txt output3.txt pssc_scan.txt
My apologies for the huge delay. One issue I see here is that you ran snap remove firefox. If the script doesn't find a current snap installation of Firefox, it won't attempt to remove it and install the apt version. That logic is intentional. I don't want to install some arbitrary browser like Firefox for a user if they don't already have it.
Additionally, this script has moved away from using CACKey due to its performance and instability. To resolve this issue without rerunning the script, execute the following commands to transition to using OpenSC:
sudo apt purge cackey
sudo apt install opensc
pkcs11-register
Finally, instead of downloading a zip of the entire project, you can run the script without downloading it locally using one of the following methods:
- wget
  sudo bash -c "$(wget https://raw.githubusercontent.com/jdjaxon/linux_cac/main/cac_setup.sh -O -)"
- curl
  sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/jdjaxon/linux_cac/main/cac_setup.sh)"
- fetch
  sudo bash -c "$(fetch -o - https://raw.githubusercontent.com/jdjaxon/linux_cac/main/cac_setup.sh)"
If this doesn't work, follow up here. If you don't get a response within a week, post a reminder.
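
A check that can be run after the CACKey-to-OpenSC switch described above (an added example, not part of this thread or of the linux_cac script): it reads the `pkcs11.txt` module list of each NSS database and shows which PKCS#11 library every browser profile references and whether that file still exists on disk. The function names are hypothetical, and the profile locations (`~/.pki/nssdb` for Chrome, `~/.mozilla/firefox/*` for apt Firefox, `~/snap/firefox/common/.mozilla/firefox/*` for snap Firefox) are assumed defaults.

```shell
#!/bin/sh
# Added example: report the PKCS#11 modules registered in each NSS database.
# A "missing" status means the browser still points at a library that is no
# longer installed (for example libcackey.so after `apt purge cackey`).

# Print "name|library|status" for one module stanza.
emit_module() {
    # NSS's built-in module has an empty library= value; skip it.
    [ -n "$2" ] || return 0
    if [ -e "$2" ]; then status=present; else status=missing; fi
    printf '%s|%s|%s\n' "$1" "$2" "$status"
}

# Parse one pkcs11.txt: stanzas of key=value lines separated by blank lines.
list_modules() {
    lib=""; name=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            library=*) lib=${line#library=} ;;
            name=*)    name=${line#name=} ;;
            "")        emit_module "$name" "$lib"; lib=""; name="" ;;
        esac
    done < "$1"
    # Last stanza when the file does not end with a blank line.
    emit_module "$name" "$lib"
}

# Walk the assumed default database locations under one home directory.
scan_home() {
    for db in "$1/.pki/nssdb" \
              "$1"/.mozilla/firefox/*/ \
              "$1"/snap/firefox/common/.mozilla/firefox/*/; do
        [ -f "$db/pkcs11.txt" ] || continue
        printf '== %s\n' "${db%/}"
        list_modules "$db/pkcs11.txt"
    done
    return 0
}

# Scan the given home directory, or the current user's by default.
scan_home "${1:-$HOME}"
```

Run it as the desktop user rather than with sudo, so that `$HOME` points at the profile the browser actually uses.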