Differences

This shows you the differences between two versions of the page.

kb:cert_override [2019/01/22 14:30] dstillman
kb:cert_override [2024/04/09 02:18] (current) – [Zotero 7 (beta)] dstillman
Line 1: Line 1:
-====== Security certificate errors in Zotero ====== +====== Overriding Security Certificate Errors in Zotero ====== 
  
-**Note:** These instructions are only for use with security software that intercepts/scans HTTPS connections, a WebDAV server with a self-signed certificate, or an institutional network that monitors encrypted traffic using a custom root certificate authority (CA). You should never override certificate errors unless you [[kb:ssl_certificate_error|understand the consequences]]. When in doubt please contact your network administrator or ISP.+**Note:** These instructions are only for use with security software that intercepts/scans HTTPS connections, a WebDAV server with a self-signed certificate, or an institutional network that monitors encrypted traffic using a custom root certificate authority (CA). You should never override certificate errors unless you [[kb:ssl_certificate_error|understand the consequences]]. When in doubtplease contact your network administrator or ISP. 
 +===== Self-Signed Certificate =====
  
-Zotero does not currently provide a graphical way to whitelist self-signed certificates or custom root certificates, so you will need to copy files from a working Firefox installation:+Zotero does not currently provide a graphical way to whitelist self-signed certificates, so you will need to copy files from a working Firefox installation
 + 
 +If you are using a WebDAV server with a self-signed certificate, you can open the WebDAV URL in Firefox, accept the certificate, and then copy the cert_override.txt file from the [[http://support.mozilla.com/kb/Profiles|Firefox profile directory]] to the [[profile directory|Zotero profile directory]]. 
 + 
 +==== Zotero 6 ==== 
 + 
 +Zotero 6 expects a cert_override.txt file created by Firefox 60 ESR, with a line in this form: 
 + 
 +<code>192.168.xxx.xxx:1234    OID.2.16…    1D:E4:07:…    U    AAAA…</code> 
 + 
 +If you create an override file with a newer version of Firefox, your cert_override.txt file may contain a line with a trailing colon after the port number ("1234" in this example) and may be missing one or more letters before "AAAA" ("U" in the above example): 
 + 
 +<code>192.168.xxx.xxx:1234:    OID.2.16…    1D:E4:07:…    AAAA…</code> 
 + 
 +To use such a file in Zotero 6, strip the colon from after the port number and add a "U" (untrusted cert) before "AAAA". To allow for a hostname mismatch, add "M"
 +==== Zotero 7 (beta) ==== 
 + 
 +Zotero 7 can currently read a cert_override.txt file from Firefox 115 ESR. A file from a later version of Firefox may or may not work. 
 +===== Custom Certificate Authority ===== 
 +If you or your organization is using a custom certificate authority, which can be the case when using security software or connecting via a proxy server, Zotero may need to be configured to accept the custom CA: 
 + 
 +  * **Windows:** Zotero for Windows will automatically use the system root certificate store, which in most cases should allow it to work automatically like other browsers on the system. 
 +  * **Mac/Linux**: 
 +    * **Zotero 6**: Zotero is based on Firefox and uses the same certificate mechanism, so you or your IT department will need to configure Firefox for the custom CA in a new Firefox profile and then copy the cert9.db, key4.db, and pkcs11.txt files from the [[http://support.mozilla.com/kb/Profiles|Firefox profile directory]] to the [[profile directory|Zotero profile directory]]. 
 +      * Firefox 63 and later will automatically use the system root certificate store on macOS. If Firefox is using the system root store, your IT department may not have added its custom certificate to the certificate database in the Firefox profile directory, and copying the above-mentioned files to the Zotero profile directory may not work. Your IT department will need to [[https://support.mozilla.org/kb/setting-certificate-authorities-firefox|disable security.enterprise_roots.enabled]] in about:config and add the custom root certificate to Firefox so that it can properly connect via the institution's intercepted connection. You can then copy the above files to the Zotero profile directory and reset the ''security.enterprise_roots.enabled'' setting in Firefox.  
 +      * To add the CA certificate to the certificate database yourself, you can try to use the [[https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil|nss certutil]]: <code bash>certutil -A -d $ZOTERO_PROFILE_PATH -n $CA_NICKNAME -t C -i $CA_CERT_FILE</code> 
 +    * **Zotero 7**: Zotero 7 will support automatically using system root certificates. Zotero 7  is currently in [[https://forums.zotero.org/discussion/105094/announcing-the-zotero-7-beta|beta]], so you may wish to use that instead of trying to add the certificate to Zotero 6.
  
-  * If you are using a WebDAV server with a self-signed certificate, you can open the WebDAV URL in Firefox, accept the certificate, and then copy the cert_override.txt file from the [[http://support.mozilla.com/kb/Profiles|Firefox profile directory]] to the [[profile directory|Zotero profile directory]]. 
-  * If you or your organization is using a custom certificate authority, which can be the case when using security software or connecting via a proxy server, you or your IT department will need to configure [[https://ftp.mozilla.org/pub/firefox/releases/52.9.0esr/|Firefox 52 ESR]] for the custom CA and then copy the cert8.db file from the [[http://support.mozilla.com/kb/Profiles|Firefox profile directory]] to the [[profile directory|Zotero profile directory]]. (Later versions of Firefox will produce a cert9.db file that won't work in the current version of Zotero. An upcoming Zotero release will support the newer format.) 
  
 {{tag>kb }} {{tag>kb }}
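Review bot: The added Zotero 6 sentence 'To allow for a hostname mismatch, add "M"' does not say where "M" goes relative to the "U" that is inserted before "AAAA", and it lacks a final period; state the position explicitly and show one fully edited line, so that users hand-editing cert_override.txt are not left guessing at the flags field. In the added certutil command, $ZOTERO_PROFILE_PATH, $CA_NICKNAME and $CA_CERT_FILE are unquoted, so a profile path or nickname containing spaces is split into separate arguments; quote all three. The Windows bullet under "Custom Certificate Authority" names no Zotero version while the Mac/Linux bullets distinguish Zotero 6 from Zotero 7, so say whether the system root store behaviour on Windows applies to both. The revised note at the top also reads "When in doubtplease"; restore the separator between the two words.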
kb/cert_override.1548185442.txt.gz · Last modified: 2019/01/22 14:30 by dstillman