Import a self-signed certificate in Linux for Chrome / Chromium headless testing
Chrome / Chromium offers a headless mode, which is quite useful for running Selenium WebDriver tests on CI servers. Under some circumstances, however, your tests will hit a server with a self-signed, invalid or expired certificate.
This happens, for example, to developers writing tests against a server started on localhost with a self-signed certificate, or to testers writing tests against non-production servers with expired (invalid) certificates.
Chrome / Chromium can ignore SSL errors when running in non-headless mode. On CI servers, however, it has to run in headless mode, and there we currently cannot ignore SSL errors for tests accessing non-localhost websites.
This blog explains the steps to import a certificate into Linux's trust store, which makes Chrome / Chromium trust the self-signed certificate. Please do not apply these steps on production servers, as it will make the server vulnerable to man-in-the-middle attacks.
Steps to import a certificate directly from a running server
Install dependencies
apt-get install -y openssl libnss3-tools
Command to export PEM file from server
echo QUIT | openssl s_client -connect evil.example.com:443 -servername evil.example.com | sed -ne '/BEGIN CERT/,/END CERT/p' > /tmp/evil.example.com.pem
Check whether NSS database is initialized
certutil -d sql:$HOME/.pki/nssdb -L
If the output is
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
Then initialize the NSS database
mkdir -p $HOME/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb -N --empty-password
Import the self signed certificate into Linux
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n evil.example.com -i /tmp/evil.example.com.pem
Verify certificate is imported
certutil -d sql:$HOME/.pki/nssdb -L
After running the test suite, delete the imported certificate (clean up)
certutil -d sql:$HOME/.pki/nssdb -D -n evil.example.com
Steps to import a certificate from a local PKCS12 file
Install dependencies
apt-get install -y openssl libnss3-tools
Command to generate a new self signed certificate in PKCS12 format
keytool -genkey -noprompt -alias localhost -dname "CN=localhost, OU=Team Name, O=Organisation Name, L=London, S=Greater London, C=UK" -ext "san=dns:localhost,ip:127.0.0.1,dns:local.example.com,dns:local.example.org" -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore /tmp/keystore.p12 -validity 36500 -storepass my_keystore_password -keypass my_keystore_password
Print the generated self signed certificate
keytool -list -keystore /tmp/keystore.p12 -storepass my_keystore_password -storetype PKCS12 -v
Command to export PEM file from PKCS12 file
openssl pkcs12 -in /tmp/keystore.p12 -passin pass:my_keystore_password -out /tmp/localhost.pem -passout pass:my_pem_password
echo "my_pem_password" > /tmp/pwdfile.txt
Check whether NSS database is initialized
certutil -d sql:$HOME/.pki/nssdb -L
If the output is
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
Then initialize the NSS database
mkdir -p $HOME/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb -N --empty-password
Import the self signed certificate into Linux
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n localhost -i /tmp/localhost.pem -f /tmp/pwdfile.txt
Verify certificate is imported
certutil -d sql:$HOME/.pki/nssdb -L
After running the test suite, delete the imported certificate (clean up)
certutil -d sql:$HOME/.pki/nssdb -D -n localhost
Example script to initialise NSS db and import certificate
#!/usr/bin/env bash
# Stop on the first failing command or unset variable
set -eu
NSSDB="$HOME/.pki/nssdb"
HOST=evil.example.com
PEM="/tmp/$HOST.pem"
echo "Downloading certificate from server"
# -servername sends SNI so a virtual-hosted server returns the certificate for this host
echo QUIT | openssl s_client -connect "$HOST:443" -servername "$HOST" 2>/dev/null | sed -ne '/BEGIN CERT/,/END CERT/p' > "$PEM"
# An empty file means no certificate came back; do not import an empty file
[ -s "$PEM" ] || { echo "No certificate received from $HOST" >&2; exit 1; }
if [ ! -d "$NSSDB" ]; then
  echo "Initializing NSS database"
  mkdir -p "$NSSDB"
  certutil -d "sql:$NSSDB" -N --empty-password
else
  echo "NSS database already initialized"
fi
echo "Importing SSL Certificate into NSS database"
# "C,," marks the certificate as trusted for SSL server authentication
certutil -d "sql:$NSSDB" -A -t "C,," -n TEST_CERT -i "$PEM"
echo "Printing certificates in NSS database"
certutil -d "sql:$NSSDB" -L
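Both procedures above trust whatever certificate is presented (or exported) at import time, and they rely on the person running the suite to remember the clean-up step. The following script is an added example, not code from the original post: it only imports the certificate into the NSS database when its SHA-256 fingerprint matches a value pinned in the CI configuration, keeps the trust entry only for the duration of the test command, and removes it on exit even if the tests fail. It serves both the "running server" and the "PKCS12 file" routes: pem_from_pkcs12 exports just the certificate (no private key) from a keystore such as the keytool one generated above. The environment variables EXPECTED_SHA256, TRUST_FLAGS and NSSDB, the function names and the nickname prefix ci-test- are assumptions of this example; the pinned fingerprint is obtained out of band from whoever operates the test server.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): trust a pinned test certificate only for
# the duration of a test run. Assumptions: the expected fingerprint is supplied in
# $EXPECTED_SHA256, the test suite is passed as the remaining arguments, and the NSS
# database location can be overridden with $NSSDB.
set -eu

NSSDB="${NSSDB:-$HOME/.pki/nssdb}"
# "C,," (as in the post) trusts the certificate as a CA for SSL; "P,," would trust only
# this exact certificate as a peer, which is the narrower choice in NSS trust-flag terms.
TRUST_FLAGS="${TRUST_FLAGS:-C,,}"

# Keep only the PEM certificate block(s) from openssl s_client output (stdin -> stdout).
extract_pem_cert() {
  sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Compare two fingerprints ignoring case and colons. An empty expected value never
# matches, so a missing pin cannot silently approve whatever the server presented.
fingerprint_matches() {  # expected actual
  want=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
  got=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# Download the leaf certificate; -servername sends SNI so a virtual-hosted server
# answers with the certificate for this host name.
fetch_cert() {  # host port outfile
  echo QUIT | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | extract_pem_cert > "$3"
  [ -s "$3" ] || { echo "no certificate received from $1:$2" >&2; return 1; }
}

# Export only the certificate (no private key) from a PKCS12 keystore.
pem_from_pkcs12() {  # p12file password outfile
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3"
}

# Print the SHA-256 fingerprint of a PEM certificate as "AA:BB:...".
cert_sha256() {  # pemfile
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*Fingerprint=//'
}

# Create the per-user NSS database if certutil cannot list it yet.
ensure_nssdb() {
  if ! certutil -d "sql:$NSSDB" -L >/dev/null 2>&1; then
    mkdir -p "$NSSDB"
    certutil -d "sql:$NSSDB" -N --empty-password
  fi
}

import_cert() {  # nickname pemfile
  certutil -d "sql:$NSSDB" -A -t "$TRUST_FLAGS" -n "$1" -i "$2"
}

remove_cert() {  # nickname
  certutil -d "sql:$NSSDB" -D -n "$1" 2>/dev/null || true
}

# run_with_trusted_cert HOST PORT TESTCMD...: import the pinned certificate, run the
# tests, and let the EXIT trap remove the trust entry even when the tests fail.
run_with_trusted_cert() {
  host=$1; port=$2; shift 2
  pem="/tmp/$host.pem"
  nick="ci-test-$host"
  fetch_cert "$host" "$port" "$pem"
  actual=$(cert_sha256 "$pem")
  if ! fingerprint_matches "${EXPECTED_SHA256:-}" "$actual"; then
    echo "refusing to trust $host: fingerprint $actual does not match EXPECTED_SHA256" >&2
    rm -f "$pem"
    return 1
  fi
  ensure_nssdb
  import_cert "$nick" "$pem"
  trap "remove_cert '$nick'; rm -f '$pem'" EXIT
  "$@"
}

# Usage: EXPECTED_SHA256=<pinned fingerprint> ./trust-for-tests.sh local.example.com 443 ./run-tests.sh
[ "$#" -eq 0 ] || run_with_trusted_cert "$@"
```

The pinned value is whatever cert_sha256 prints for the certificate on the server itself (or for the PEM exported with pem_from_pkcs12), copied into the CI secrets by hand; if the test server is ever replaced or its certificate swapped, the import is refused instead of trusting the new certificate unnoticed.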