No edit summary |
|||
| (2 intermediate revisions by 2 users not shown) | |||
| Line 11: | Line 11: | ||
=32-bit systems: Firefox crashes= | =32-bit systems: Firefox crashes= | ||
Firefox 32bit on Fedora seems unstable, and crashes frequently when visiting web pages that make use of JavaScript. | Firefox 32bit on Fedora seems unstable, and [https://bugzilla.redhat.com/show_bug.cgi?id=928353 crashes frequently] when visiting web pages that make use of JavaScript. On these systems please use a different browser (epiphany) to work with the test day wiki page. | ||
Alternatively, you can download Firefox from Mozilla, which seems to work correctly: | |||
# erase system firefox | |||
sudo yum erase firefox xulrunner | |||
#change to your home directory | |||
cd | |||
wget http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/19.0.2/linux-i686/en-US/firefox-19.0.2.tar.bz2 | |||
tar xjf firefox-19.0.2.tar.bz2 | |||
cd firefox | |||
# hide classic module under a new name | |||
mv -i libnssckbi.so ckbi.nss | |||
# link to the module currently set as the system default | |||
ln -s /etc/alternatives/libnssckbi.so | |||
./firefox | |||
=p11-kit reporting duplicate certificate= | =p11-kit reporting duplicate certificate= | ||
Latest revision as of 11:02, 28 March 2013
This page is related to the Shared System Certificates (SSC) feature.
Known issues and workarounds are posted here.
32-bit systems: Firefox prints warnings
On a 32 bit / i686 system, Firefox might print the following messages on the console:
p11-kit: 'timet >= 0' not true at when_and_offset_to_time_t p11-kit: 'timet >= 0' not true at calc_date
These messages are safe to ignore. The issues is tracked in https://bugs.freedesktop.org/show_bug.cgi?id=62825 and will be fixed.
32-bit systems: Firefox crashes
Firefox 32bit on Fedora seems unstable, and crashes frequently when visiting web pages that make use of JavaScript. On these systems please use a different browser (epiphany) to work with the test day wiki page.
Alternatively, you can download Firefox from Mozilla, which seems to work correctly:
# erase system firefox sudo yum erase firefox xulrunner #change to your home directory cd wget http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/19.0.2/linux-i686/en-US/firefox-19.0.2.tar.bz2 tar xjf firefox-19.0.2.tar.bz2 cd firefox # hide classic module under a new name mv -i libnssckbi.so ckbi.nss # link to the module currently set as the system default ln -s /etc/alternatives/libnssckbi.so ./firefox
p11-kit reporting duplicate certificate
You might see the following warning messages:
p11-kit: duplicate 'StartCom Certification Authority' certificate found in: ca-bundle.trust.crt p11-kit: duplicate 'Class 3 Public Primary Certification Authority' certificate found in: ca-bundle.trust.crt
These are safe to ignore. The issue has been fixed in package ca-certificates-2012.87-10.0
HOWTO: Confirm that SSC is being used
This command tells you which module is in use:
ls -l /etc/alternatives/libnssckbi.so*
It will either report /usr/lib(64)/nss/libnssckbi.so (NSS), or it will report /usr/lib(64)/pkcs11/p11-kit-trust.so (p11-kit).
On a standard F19 system, it should report: p11-kit
HOWO: Test Firefox _without_ the new SSC feature
If you are triaging an issue, and you would like to test the behaviour of an NSS application (e.g. Firefox) using the classic module provided by NSS, use the following command to switch to the NSS module:
# on a 32 bit / i386 / i686 system: /usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so
# on a 64 bit system: /usr/sbin/update-alternatives --remove libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so
After above command, use
ls -l /etc/alternatives/libnssckbi.so*
and the link should point to the NSS module.
Once you're ready to again activate the new p11-kit module, use:
# on a 32 bit / i386 / i686 system: /usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so 30
# on a 64 bit system: /usr/sbin/update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so 30
then use
ls -l /etc/alternatives/libnssckbi.so
and the link should point to the p11-kit module.
HOWTO: Reset the standard F19 SSC setup
If for some reason, you want to completely reset the alternative modules to the original state, use the following series of commands:
# on a 32 bit / i386 / i686 system: /usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so /usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/nss/libnssckbi.so /usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/nss/libnssckbi.so 10 /usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so 30
# on a 64 bit system: /usr/sbin/update-alternatives --remove libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so /usr/sbin/update-alternatives --remove libnssckbi.so.x86_64 /usr/lib64/nss/libnssckbi.so /usr/sbin/update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/nss/libnssckbi.so 10 /usr/sbin/update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so 30
# on all systems: ls -l /etc/alternatives/libnssckbi.so*
and the link should point to the p11-kit module.