Add CAcert root certificate to Firefox OS

While I have been quite happy with my new Firefox OS phone so far, the biggest blocker for me was that, like all Mozilla products, it does not ship the CAcert root certificate, so I could not access sites using certificates assured by CAcert.

Recent versions of Gaia let you accept an untrusted site certificate in the browser, but if you want to use an IMAP or CalDAV server that presents a CAcert-assured certificate, you are still stuck.

Based on a post by Carmen Jiménez Cabezas, I wrote a script that reads the certificate database from the phone (via adb), adds some certificates and then writes the database back to the phone. After this procedure, the CAcert root certificate (or any other certificate you add) is known to the phone and can be used. This enabled me to access my own IMAP server via SSL from the Email app and to use a self-hosted groupware as CalDAV server for the Calendar app via HTTPS.

Save the following script somewhere on your system (Download the script):

#!/bin/bash
# Pull the NSS certificate database (cert9.db, key4.db, pkcs11.txt) from the
# phone, add every certificate found in ${CERT_DIR}, and push the database back.

CERT_DIR=certs            # directory next to this script holding the certificates to add (PEM)
ROOT_DIR_DB=/data/b2g/mozilla
CERT=cert9.db
KEY=key4.db
PKCS11=pkcs11.txt
# Locate the b2g profile directory on the phone; the sed call cuts everything
# after ".default", including the carriage return that "adb shell" appends.
DB_DIR=$(adb shell "ls -d ${ROOT_DIR_DB}/*.default 2>/dev/null" | sed "s/default.*$/default/g")

if [ -z "${DB_DIR}" ]; then
  echo "Profile directory does not exist. Please start the b2g process at least once before running this script."
  exit 1
fi

if [ ! -d "${CERT_DIR}" ]; then
  echo "Directory '${CERT_DIR}' not found. Create it next to this script and put the certificates to add into it."
  exit 1
fi

function log
{
    GREEN="\E[32m"
    RESET="\033[00;00m"
    echo -e "${GREEN}$1${RESET}"
}

# cleanup: remove database files left over from a previous run
rm -f "./${CERT}" "./${KEY}" "./${PKCS11}"

# pull files from phone; stop if a file did not arrive (no device, adb not working)
for f in "${CERT}" "${KEY}" "${PKCS11}"; do
  log "getting ${f}"
  adb pull "${DB_DIR}/${f}" .
  if [ ! -f "./${f}" ]; then
    echo "Could not pull ${f} from the phone. Check that adb sees the device (remote debugging enabled, USB connected)."
    exit 1
  fi
done

# clear password and add certificates
log "set password (hit enter twice to set an empty password)"
certutil -d 'sql:.' -N

log "adding certificates"
for i in "${CERT_DIR}"/*
do
  [ -e "$i" ] || continue   # empty directory: skip the unexpanded pattern
  log "Adding certificate $i"
  certutil -d 'sql:.' -A -n "$(basename "$i")" -t "C,C,TC" -i "$i"
done

# push files to phone (b2g must not be running while its database is replaced)
log "stopping b2g"
adb shell stop b2g

for f in "${CERT}" "${KEY}" "${PKCS11}"; do
  log "copying ${f}"
  adb push "./${f}" "${DB_DIR}/${f}"
done

log "starting b2g"
adb shell start b2g

log "Finished."

Once done, create a directory named certs (the value of CERT_DIR in the script) in the directory where you stored the script and place the certificates you want to add to the phone's database in it. For CAcert, this would be the class 3 root certificate in PEM format as found on the CAcert website.

Then simply run the script.

Note: before running the script you need to enable 'Remote debugging' in the Developer settings menu and connect your phone to your PC with a USB cable (or, more generally: get adb working).
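
Before running the script, it pays to check the three things that account for most of the failures reported in the comments below: a tool missing from the PATH (adb or certutil), a certs directory that is empty or holds the wrong kind of file (with an empty directory the loop hands the literal string certs/* to certutil, and a file that is not a certificate at all, such as one holding a private key, is the first thing to rule out when certutil reports SEC_ERROR_BAD_DER), and non-breaking spaces pasted into the script, which bash reports as "$'\302\240': command not found". The preflight script below is an added example and not part of the original post; it assumes the layout described above (a certs directory next to firefox_os_add_certificates.sh), uses the Debian/Ubuntu package names given in the comments, and calls adb get-state only to tell whether a device is visible.

```shell
#!/bin/sh
# preflight.sh (added example, not part of the original post): sanity checks to
# run before firefox_os_add_certificates.sh. Assumes the layout described above
# (a certs/ directory next to the script) and the tools the script calls.

# Return 0 if every command named on the command line is on PATH, 1 otherwise.
# The package names are the Debian/Ubuntu ones mentioned in the comments.
check_tools() {
    missing=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing tool: $tool (Ubuntu: android-tools-adb for adb, libnss3-tools for certutil)" >&2
            missing=1
        fi
    done
    return $missing
}

# Return 0 if the file is something the script should hand to certutil -A:
# a regular file with a PEM certificate block and no private-key block.
# A key file or a DER file here is the first thing to rule out when certutil
# answers with SEC_ERROR_BAD_DER.
check_cert_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "$f: contains a private key; only CA certificates belong in certs/" >&2
        return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "$f: no PEM certificate block (DER file or not a certificate?)" >&2
        return 1
    fi
    return 0
}

# Return 0 if the directory exists, is non-empty and holds only importable files.
# With an empty directory the script's "for i in certs/*" loop passes the
# literal string certs/* to certutil, which is what some comments show.
check_cert_dir() {
    d=$1
    [ -d "$d" ] || { echo "$d: directory missing" >&2; return 1; }
    count=0
    bad=0
    for f in "$d"/*; do
        [ -e "$f" ] || continue      # unexpanded pattern: directory is empty
        count=$((count + 1))
        check_cert_file "$f" || bad=1
    done
    [ "$count" -gt 0 ] || { echo "$d: no certificate files found" >&2; return 1; }
    return $bad
}

# Return 0 if the script contains no non-breaking spaces (U+00A0, bytes C2 A0).
# Copying the script from a web page can insert them, and bash then reports
# "$'\302\240': command not found" for the affected lines.
check_no_nbsp() {
    f=$1
    if LC_ALL=C grep -n "$(printf '\302\240')" "$f"; then
        echo "$f: non-breaking spaces on the lines listed above; replace them with plain spaces" >&2
        return 1
    fi
    return 0
}

# Run all checks; arguments are the script path and the certificate directory.
preflight() {
    script=${1:-./firefox_os_add_certificates.sh}
    certdir=${2:-certs}
    status=0
    check_tools adb certutil || status=1
    # adb get-state prints the state of the attached device and fails when none is connected.
    if command -v adb >/dev/null 2>&1 && ! adb get-state >/dev/null 2>&1; then
        echo "no device visible to adb (enable Remote debugging and check the USB cable)" >&2
        status=1
    fi
    check_no_nbsp "$script" || status=1
    check_cert_dir "$certdir" || status=1
    [ "$status" -eq 0 ] && echo "preflight OK, you can run $script"
    return $status
}

# When invoked with arguments, run the checks:
#   sh preflight.sh ./firefox_os_add_certificates.sh certs
if [ "$#" -gt 0 ]; then
    preflight "$@"
    exit $?
fi
```

The checks only look at file headers and bytes, so they run anywhere; the one that needs the phone (adb get-state) is skipped when adb itself is missing, because the missing tool is already reported.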

Comments

  • drEagle 1 year, 4 months ago

    Thanks for this quick tutorial and script.
    I had already built a proof of concept for this, but your method is really easy to apply and use!
    Great...

  • Juan 1 year, 3 months ago

    I'm using a self-signed cert for my mail server and not being able to read my mail with the ZTE Open is disappointing.

    I've tried to follow your steps but I can't access anything in /data; my user in adb shell is shell (uid 2000) and the directory is under system permissions. Oh well... it was worth a try!

    • jahman 1 year, 1 month ago

      Hi,

      I used the following tutorial to root my ZTE Open:
      http://pof.eslack.org/2013/07/05/zte-open-firefoxos-phone-root-and-first-impressions/

      Afterwards you can use the su command to get root permissions.

      Unfortunately, the script above does not work out of the box for me. I had to:
      - log in to the ZTE with adb shell, then su to get the right permissions
      - manually copy cert9.db, key4.db and pkcs11.txt to the tmp directory /data/local/tmp/ and retrieve them with adb pull
      - use the certutil command as described in the script
      - push the files into the /data/local/tmp/ directory
      - log in to the ZTE with adb shell, then su to get the right permissions
      - go to /data/b2g/mozilla/*.default
      - busybox cp /data/local/tmp/* .
      - busybox chmod a-w cert9.db key4.db pkcs11.txt

      Sadly the CAcert is still not recognized by Firefox Mobile :(

      Here are the md5sums of the files:

      before:
      78128084af3c8ba5b9f88b791cc22dee cert9.db
      27befd0e7a14fc492d17d2136aff8ad4 key4.db
      2718e6605c517e9c618596513bdd5e62 pkcs11.txt

      after:
      5928502c0b9ff59af8998d5991d3c82b cert9.db
      005a6e2bea2ece7bb6b8cce159bd8b4c pkcs11.txt
      e21734113ac8c9ba048ac64913e88f9c key4.db

  • antiv 1 year, 2 months ago

    Hi, simply open your site in the browser and select "make permanent exception".

  • Sidnei 11 months, 3 weeks ago

    I'm not a developer.

    How do I run this script on Firefox OS?

    I have the same problem: the certificate of my mail server is self-signed.

    Thanks

    • enrico 11 months, 2 weeks ago

      Hi Sidnei,

      you don't run this script on the device itself; it is meant to be run on your computer (ideally under Linux), and the script then transfers the necessary files from and to the phone via the USB connection.

      • Sidnei 11 months, 2 weeks ago

        Thanks Enrico,

        I'm a Windows user.

        I tried to do it on some virtual servers with Linux CentOS and I received several error messages stating that the command is not found in line 8, 11, 13 ... etc.

        I'm wondering if I should download an Ubuntu that can be virtualized.

        My biggest frustration is that I bought the phone yesterday, and I cannot configure a simple mail account in FFOS.

        I'll be back to comment soon, because I've been trying to do this procedure for several hours.

        Sidnei

  • Sidnei 11 months, 2 weeks ago

    Hi Friends,

    See errors:

    ./firefox_os_add_certificates.sh: line 8: adb: command not found
    ./firefox_os_add_certificates.sh: line 11: $'\302\240': command not found
    ./firefox_os_add_certificates.sh: line 13: $'\302\240': command not found
    getting cert9.db
    ./firefox_os_add_certificates.sh: line 30: adb: command not found
    getting key4.db
    ./firefox_os_add_certificates.sh: line 32: adb: command not found
    getting pkcs11.txt
    ./firefox_os_add_certificates.sh: line 34: adb: command not found
    set password (hit enter twice to set an empty password)
    ./firefox_os_add_certificates.sh: line 38: certutil: command not found
    adding certificats
    Adding certificate certs/*
    ./firefox_os_add_certificates.sh: line 44: certutil: command not found
    stopping b2g
    ./firefox_os_add_certificates.sh: line 49: adb: command not found
    copying cert9.db
    ./firefox_os_add_certificates.sh: line 52: adb: command not found
    copying key4.db
    ./firefox_os_add_certificates.sh: line 54: adb: command not found
    copying pkcs11.txt
    ./firefox_os_add_certificates.sh: line 56: adb: command not found
    starting b2g
    ./firefox_os_add_certificates.sh: line 59: adb: command not found
    Finished.

    • Sidnei 11 months, 2 weeks ago

      in Ubuntu

      • Mr.Gosh 11 months, 2 weeks ago

        What if I don't have permissions in these directories?

        On my Alcatel One Touch Fire I can't even read in that directory:
        cd /data/b2g/mozilla - Permission denied

    • Mr.Gosh 11 months, 2 weeks ago

      Well yes - as written there - you have to install the programs from that script.
      Try:

      sudo apt-get install adb

      for the first one...

      • enrico 11 months, 2 weeks ago

        Yes, however the package name is android-tools-adb, so you want to do:

        sudo apt-get install android-tools-adb libnss3-tools
        (the latter one for certutil).

  • Mr.Gosh 11 months, 2 weeks ago

    Oh sorry, this should have been a new comment, not a reply.
    Once more:

    What if I don't have permissions in these directories? On my Alcatel One Touch Fire I can't even read in that directory: cd /data/b2g/mozilla - Permission denied

  • Mr.Gosh 11 months, 1 week ago

    Too sad, it seems that "certutil" is not part of the stock ROM on the Alcatel "One Touch Fire", as you can see here ("Kommando nicht gefunden" means command not found in German):

    firefox_os_add_certificates.sh
    certs/ One_Touch_Fire/
    root@goshyoga:/home/bolte/Downloads/FirefoxOS# ./firefox_os_add_certificates.sh
    getting cert9.db
    444 KB/s (22528 bytes in 0.049s)
    getting key4.db
    170 KB/s (14336 bytes in 0.082s)
    getting pkcs11.txt
    10 KB/s (859 bytes in 0.077s)
    set password (hit enter twice to set an empty password)
    ./firefox_os_add_certificates.sh: Zeile 38: certutil: Kommando nicht gefunden.
    adding certificats
    Adding certificate certs/ca.cer
    ./firefox_os_add_certificates.sh: Zeile 44: certutil: Kommando nicht gefunden.
    Adding certificate certs/class3.crt
    ./firefox_os_add_certificates.sh: Zeile 44: certutil: Kommando nicht gefunden.
    stopping b2g
    copying cert9.db
    486 KB/s (22528 bytes in 0.045s)
    copying key4.db
    253 KB/s (14336 bytes in 0.055s)
    copying pkcs11.txt
    17 KB/s (859 bytes in 0.048s)
    starting b2g
    Finished.

    • Mr.Gosh 11 months, 1 week ago

      LOOOL

      OK, I just installed this util on my machine - I realized that it has to be installed on my own machine, not on the phone... ;)

      On Ubuntu you have to type:

      apt-get install libnss3-tools

  • Dirk Hoeschen 9 months, 2 weeks ago

    First of all, thank you for your script, it works like a charm. I updated FFOS with the Root1 and Root3 certificates.
    Unfortunately the mail client won't connect because of bad_securety.

    With Thunderbird everything is OK. If I test the chain on my server it seems to be OK as well.

    But I get an error 19 self signed certificate in certificate chain!
    What am I doing wrong?

    openssl s_client -connect dirk-hoeschen.de:pop3s
    CONNECTED(00000003)
    depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
    0 s:/CN=dirk-hoeschen.de
    i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
    1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
    i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    .... p4oGZnN7bzX
    KRc=
    -----END CERTIFICATE-----
    subject=/CN=dirk-hoeschen.de
    issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
    ---
    Acceptable client certificate CA names
    /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
    /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
    ---
    SSL handshake has read 4082 bytes and written 331 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: 8CD9A3DDFB6E53947F090B0BE749693896E07F1D78F55AEC60D58160FE326BB0
    Session-ID-ctx:
    Master-Key: A1BC58420CA82CF456E9EDC0651A71BA869ECC6917C4903755268A0A92E839F912C2C25A383DBF4793CC51265C3C0024
    Key-Arg : None
    Start Time: 1391777056
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    ---
    +OK Dovecot ready.

    • Dirk Hoeschen 9 months, 2 weeks ago

      Worked it out. The problem was the SMTP-Server not the IMAP server. They both must have valid certificates.

      19 (self signed certificate in certificate chain) is not relevant. It seems to be a warning only.

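The transcript above was produced without telling openssl where to find the CAcert root, so verify error 19 (self signed certificate in certificate chain) only says that the chain ends in a root that is not in the local trust store; it says nothing about whether the phone will accept the server. Passing the root with -CAfile turns the same command into a real check, and, as the reply notes, the Email app needs both the incoming and the outgoing server to verify. The script below is an added example, not from the post or its commenters; the host names, the ports 993 and 587 and the CA file path are assumptions, and the embedded transcript is a constructed, shortened copy of the output above used to exercise the parser offline.

```shell
#!/bin/sh
# chaincheck.sh (added example, not from the post or its commenters): verify a
# mail server's certificate chain with openssl s_client while supplying the
# CAcert root explicitly, and check the incoming and outgoing server together.
# Host names, ports 993/587 and the CA file path are assumptions.

# Read s_client output on stdin and print the numeric "Verify return code"
# (0 means the chain verified against the CA file; nothing printed means the
# output had no such line, e.g. the connection failed).
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 if the s_client output on stdin reports verify return code 0.
chain_ok() {
    [ "$(verify_code)" = "0" ]
}

# Connect to HOST:PORT with the given CA file; the optional fourth argument
# selects a STARTTLS protocol (smtp, imap, pop3) for ports that start in
# plaintext. Prints the result and returns 0 only when the chain verified.
check_server() {
    host=$1; port=$2; cafile=$3; starttls=${4:-}
    if [ -n "$starttls" ]; then
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -CAfile "$cafile" -starttls "$starttls" </dev/null 2>&1)
    else
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -CAfile "$cafile" </dev/null 2>&1)
    fi
    code=$(printf '%s\n' "$out" | verify_code)
    printf '%s:%s verify return code: %s\n' "$host" "$port" "${code:-none (connection failed?)}"
    [ "$code" = "0" ]
}

# The Email app needs both servers to verify, so check both: IMAP over
# implicit TLS on 993 and SMTP submission with STARTTLS on 587 (assumed ports).
check_mail_setup() {
    cafile=$1; imaphost=$2; smtphost=$3
    status=0
    check_server "$imaphost" 993 "$cafile" || status=1
    check_server "$smtphost" 587 "$cafile" smtp || status=1
    return $status
}

# Constructed sample: a shortened copy of the transcript quoted above, as
# produced without -CAfile, so the root is unknown and the code is 19.
sample_transcript() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
    Verify return code: 19 (self signed certificate in certificate chain)
---
+OK Dovecot ready.
EOF
}

# Usage: sh chaincheck.sh /path/to/cacert-root.crt imap.example.org smtp.example.org
if [ "$#" -eq 3 ]; then
    check_mail_setup "$@"
    exit $?
fi
```

The CA file should contain the same root(s) you put into the phone's database; if the server's chain is issued under the Class 3 intermediate, concatenating the Root CA and Class 3 PEM files into one CA file avoids a second round of error 19.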

  • Killerkaninchen 7 months ago

    Hi all,

    I'm trying to import a Dovecot key (dovecot.pem) and certutil gives me the following message:

    certutil: could not decode certificate: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.

    I think I need a certificate in binary format (*.der (?)), but I do not know how to create one.

    OpenSSL tutorials show the way to create PEM keys, and the certutil page is full of parameters I don't understand.

    Can anyone tell me the way to create the certificate?

    Thanks
    Killerkaninchen

    (original German thread about importing certificates: http://forum.foshub.net/board6-firefox-os/board9-firefox-os-allgemein/61-eigenes-zertifikat-importieren/?s=dc4c3c5889b5105a34a75d639b75124ef6199300)

  • bensz 3 months, 3 weeks ago

    Hello,
    I have the same problem.
    I installed adb, but when I started the script I got:

    zelec@ma:~$ sudo '/home/zelec/Bureau/os/firefox_os_add_certificates.sh'
    error: device not found
    /home/zelec/Bureau/os/firefox_os_add_certificates.sh: ligne 11:   : commande introuvable
    /home/zelec/Bureau/os/firefox_os_add_certificates.sh: ligne 13:   : commande introuvable
    getting cert9.db
    error: device not found
    getting key4.db
    error: device not found
    getting pkcs11.txt
    error: device not found
    set password (hit enter twice to set an empty password)
    /home/zelec/Bureau/os/firefox_os_add_certificates.sh: ligne 38: certutil : commande introuvable
    adding certificats
    Adding certificate certs/*
    /home/zelec/Bureau/os/firefox_os_add_certificates.sh: ligne 44: certutil : commande introuvable
    stopping b2g
    error: device not found
    copying cert9.db
    error: device not found
    copying key4.db
    error: device not found
    copying pkcs11.txt
    error: device not found
    starting b2g
    error: device not found
    Finished.

    Thanks for ideas
    Benoit

    • enrico 3 months ago

      Did you enable "Remote debugging" on the device (in the Developer menu)?

  • Aleksandar 3 months, 2 weeks ago

    Hello, is there any way to add a client certificate, possibly to use with ActiveSync and web sites requiring a client certificate?

  • André Jaenisch 1 month, 3 weeks ago

    Hello,

    I've stumbled upon this post through Twitter and will include it in my Monday Sparks weekly digest :)

    However, some suggestions for improving the script:
    1) No, you don't want to parse the output of `ls'. Here's why: http://mywiki.wooledge.org/ParsingLs
    2) These days, $() is used instead of `` (backticks). (cf. http://mywiki.wooledge.org/BashFAQ/082)
    3) Testing is done with [[ ]] in bash, except if you're aiming for portability (cf. http://mywiki.wooledge.org/BashGuide/TestsAndConditionals#Conditional_Blocks_.28if.2C_test_and_.5B.5B.29)
    4) Consider using [[ -z "${DB_DIR}" ]] instead of a comparison with an empty string (cf. http://mywiki.wooledge.org/BashGuide/TestsAndConditionals#Conditional_Blocks_.28if.2C_test_and_.5B.5B.29)
    5) Don't forget to quote properly (cf. mywiki.wooledge.org/Quotes#When_Should_You_Quote.3F).

    Good reading: http://mywiki.wooledge.org/BashGuide/Practices#Don.27t_Ever_Do_These & http://mywiki.wooledge.org/BashPitfalls (I idled around in #bash on IRC to learn something :))

    Thanks for your post!

    • mcnesium 5 days, 14 hours ago

      @André It does not seem like this post is still maintained by OP. How about porting it to github and adding your suggestions to it?

      • enrico 5 days, 13 hours ago

        It is. Sorry for being so late.

        @André: you are right with all of your comments. I wrote the script just to get my certs working, and this is why it is that dirty :).
        I'd like to improve it but cannot say when I will get to it.

        @mcnesium: if you want to move the script to GitHub, I'd be fine with that, and it would be easier to find and maintain.

        Out of curiosity: do you guys know if the script/hack is still necessary on recent versions of Firefox OS?
        In the last months I only updated my Peak without erasing my user data (from 1.3 to currently 2.1), so I don't know if it is still necessary.
        Though I guess I will reflash my Peak soon and also delete all user data, so I will find out :).

        • mcnesium 2 days, 9 hours ago

          Sorry enrico for being impatient.

          On my Flame running the 2.0.0 FOTA version I haven't found any option to deal with certificates yet. So I assume this has not been of any higher priority and thus we still need your script.

          So I opened a GitHub repo at https://github.com/mcnesium/b2g-certificates

          Anyone is welcome to send pull requests.

          --

          I just got the Flame new and have not really stepped into heavy developing or anything, so my experience in doing stuff with it stops at having it up and running. The first things would have been adding Mail and Calendar foo to it, but then I got stuck at the certificate, which got me here. Let's see how this goes on…
