Add-on update: Certificate Issuer is not built-in

(Roman Laube) #1

I have created simple add-on for our company. I would like to distribute it from internal server via HTTPS but with certificate signed by our internal CA. This CA is imported to Firefox. But update fails with error: “Certificate Issuer is not built-in”. Is there any option in “about:config” to disable built-in issuer check?
Thank you

(Andrei Petcu) #2

Isn’t disabling the addon certificate verification makes the singing with your own CA useless?

You can disable addon signing but by setting xpinstall.signatures.required to true in about:config but I don’t think this is wise. This only works in DevEdition and Nightly but you should probably use stable or ESR for which this setting does not work.

You can sign it with Mozilla’s CA that is built into Firefox. Just upload the zip file here and then you download it signed.

If you distribute it on your internal network then set an update_url in your manifest.json assuming it is a WebExtension. Also set the http Content-Type: header to application/x-xpinstall like in this example so that one click install would work.

You can add your CA’s signature before it gets signed by Mozilla. Put it in CORPORATE-WEB-INF so that Mozilla’s signature will be in WEB-INF folder.

(Roman Laube) #3

I think there is misunderstanding (maybe i didn’t explain it well)… My add-on is already signed by Mozilla and I have set “update_url” in “manifest.json” pointing to internal server. But internal server doesn’t have certificate signed by Mozilla Firefox build-in certificate issuers (certificate authorities). Certificate on internal server is signed by internal company certificate authority and server isn’t visible from internet. This certificate authority is imported to Firefox and I can connect to this server via HTTPS with no problems (no security warnings). But add-on update fails with message “Certificate Issuer is not built-in” (message in browser console)…

(Andrei Petcu) #4

I see. Have you tried to import the cert like this? You should import it, not just accept certificate exception. Make Firefox trust it.

(Roman Laube) #5

Yes, I have imported internal certificate authority (into “Authorities” section). And I didn’t add certificate exception for server. I didn’t have to. After adding internal CA I can access internal server via HTTPS without any security warnings…

(Andrei Petcu) #6

Yes… because now Firefox trusts anything signed by that CA.

(Roman Laube) #7

Yes :slight_smile: And I expect that it will be valid for add-on update too… Apparently I am wrong.

(Andrei Petcu) #8

Sooo installing from the update.json link works but updating does not. Do I understand correctly?

(Roman Laube) #9

Upss. I have never tried install it from update.json link via HTTPS. I have always tried it via HTTP. And after test I see that installation via HTTPS ends with same error message (“Certificate Issuer is not built-in”).
So answer is: No, it cannot install nor update via HTTPS.

(Andrei Petcu) #10

Damn :frowning: I was able to reproduce the issue. I thought there was something configured on your setup but I’m starting to doubt that. I reported a bug.

@jorgev If you import a root CA and the browser trusts it, then you cannot install a unlisted extension over that TLS connection despite the fact that the browser trusts the CA and all certs signed by that CA. The extension is signed by Mozilla. Any idea why there is this limitation?

(Roman Laube) #11

That is “good” news. Thank you for your time…

(Andrei Petcu) #12

It were good news if it were something misconfigured on your end :smiley:

(Andrei Petcu) #13

I think I found the problem: my proxy changes the file size in transit. Yours might do the same.

How to check: go to your extension link with and without proxy. Before clicking download, open devtools and see the difference. I open this page and click google_translate_this_page-1.2.7-an.fx.xpi

Here is how it looks with proxy:

And here is how it looks without proxy

Both transferred and size are different. Basically the browser does not get an unsigned extension, it gets gibberish bytes.

(Roman Laube) #14

I don’t use proxy. My extension is directly on internal HTTP server (Apache HTTP Server).

(Andrei Petcu) #15

if you download the xpi file from apache with wget or curl will you get the exact same extension? you should get a file that is bit by bit equal.

I’m suspecting your apache is messing up the xpi file. I don’t think it’s a cert issue. You said the CA was imported and tthe https lock icon is green.

I guess you installed the extension from disk, right?

(Roman Laube) #16

I tried download xpi file with wget (via https protocol) and I got same file - same sha1 sum and also ‘cmp’ utility reports same files…

First installation of extension (at the beginnig) was via http link (without problems).

(Andrei Petcu) #17

please report a bug on I don’t know what else can it be. Maybe the devs will help.

I am not a dev.

(Roman Laube) #18

OK. Thank you again for your time…

(Andrei Petcu) #19

Not sure if you noticed but there are some extra discussions on the ticket I reported

(Roman Laube) #20

Thanks for your notification. I am glad this is not over yet…
I have temporary solved this problem by preference “extensions.install.requireBuiltInCerts” (they also mention it in comments).