My thoughts on Slackware, life and everything

Adding CACert root certificates to your Slackware

Long before the “letsencrypt” initiative, we already had another free and open Certificate Authority, called CACert.org. CACert is community driven, and uses ‘assurers’ who personally verify users’ identities, thereby building a “web of trust”. Unfortunately, the big players on the Internet (Google, Mozilla, Microsoft) have always refused to accept and incorporate the CACert root certificate into their browsers. Instead, after many years of imploring these companies to add CACert as a trusted Certificate Authority without any success, they spat in the face of the community and launched their own alternative for free SSL certificates: letsencrypt.

And therefore, even today, a site that uses a CACert-issued SSL certificate is flagged by browsers as untrustworthy. In my opinion, this refusal to accept a community-driven security initiative is nothing short of bullying.

My own server, bear.alienbase.nl, uses a CACert-issued certificate. Folks, it is secure to use https on it! Even when Chrome or Firefox says it is not. So, how to fix that bogus warning message?
For Firefox, Chrome and for the OS in general: import the CACert certificates as follows:

First add the CACert root and class3 certificates to your Linux system.
As the root user you download the two .crt files, copy them to /etc/ssl/certs and generate openssl hashes (I used backslashes to indicate that some lines are wrapping because the text would otherwise not be visible on this page):

# cd /tmp
# mkdir CACert
# cd CACert/
# wget -O cacert-root.crt http://www.cacert.org/certs/root.crt
# wget -O cacert-class3.crt http://www.cacert.org/certs/class3.crt
# cp -ia cacert-*.crt /etc/ssl/certs/
# cd /etc/ssl/certs/
# ln -s cacert-root.crt \
   `openssl x509 -noout -hash -in cacert-root.crt`.0
# ln -s cacert-class3.crt \
   `openssl x509 -noout -hash -in cacert-class3.crt`.0

To make your browsers support CACert, they need to import the CACert root and class3 certificates first. I will focus on Firefox and Chromium (the instructions will work for Pale Moon and Chrome as well).

First the Firefox or Pale Moon browser. Open the page http://www.cacert.org/index.php?id=3

  1. Click on the link for “Class 1 PKI Key” called “Root Certificate (DER Format)“. You will see the text “You have been asked to trust a new Certificate Authority (CA). Do you want to trust ‘CA Cert Signing Authority’ for the following purposes?“. At a minimum you must check the box to the left of “Trust this CA to identify web sites” before importing the certificate.
  2. Then do the same for the “Class 3 PKI Key” called “Intermediate Certificate (DER Format)” a bit lower on the page.

Next, Chrome/Chromium. To add the CACert root and class3 certificates to your Chromium browser, do the following as your regular user account (see also http://wiki.cacert.org/FAQ/BrowserClients#Linux):

$ cd /tmp/CACert/
$ certutil -d sql:$HOME/.pki/nssdb \
   -A -t TC -n "CAcert.org" -i cacert-root.crt
$ certutil -d sql:$HOME/.pki/nssdb \
   -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt
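The two steps above (the system-wide install into the OpenSSL certificate directory with its hash symlink, and the certutil import into the NSS database) written out as a small shell script. This is an added example and not part of the original article: the function names (install_ca_cert, verify_against_dir, import_nss_cert) are mine, the certificate directory is a parameter instead of the hard-coded /etc/ssl/certs, and the script adds the check I would want after installing a CA: that openssl verify actually finds it through that directory. It also picks the next free .1, .2, ... suffix when another CA already has the same subject hash. The NSS part assumes the sql: database lives in ~/.pki/nssdb and creates it with certutil -N --empty-password when cert9.db is missing, which is a common cause of the SEC_ERROR_BAD_DATABASE message certutil prints on an account that has never started Chromium.

```shell
#!/bin/sh
# Added example, not the article's own commands. The functions generalize the
# manual steps; the directory and nickname arguments are assumptions.

# Copy a PEM certificate into an OpenSSL certificate directory and create the
# <subject-hash>.N symlink that OpenSSL uses to find CAs in a CApath.
# Prints the path of the link it created.
install_ca_cert() {
    cert="$1"      # e.g. /tmp/CACert/cacert-root.crt
    certdir="$2"   # e.g. /etc/ssl/certs (needs root there)
    [ -f "$cert" ] || { echo "no such file: $cert" >&2; return 1; }
    # Refuse files that are not a parseable X.509 certificate
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 ||
        { echo "not an X.509 certificate: $cert" >&2; return 1; }
    mkdir -p "$certdir"
    name=$(basename "$cert")
    # Never silently replace a certificate that is already installed
    if [ -e "$certdir/$name" ]; then
        echo "$certdir/$name exists, not overwriting" >&2
        return 1
    fi
    cp "$cert" "$certdir/$name"
    # Same as `openssl x509 -noout -hash -in file`.0 in the article, except
    # that .0 is skipped for .1, .2, ... when another CA shares the hash
    hash=$(openssl x509 -noout -hash -in "$cert")
    n=0
    while [ -e "$certdir/$hash.$n" ] || [ -L "$certdir/$hash.$n" ]; do
        n=$((n + 1))
    done
    ln -s "$name" "$certdir/$hash.$n"
    echo "$certdir/$hash.$n"
}

# Succeeds only when OpenSSL can build a trusted chain for $1 with $2 as
# CApath: the check that the hash link really works.
verify_against_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Import a CA into a user's NSS database (Chromium/Chrome), creating the
# database first when it does not exist. Trust flags "TC" are the article's.
import_nss_cert() {
    cert="$1"; nick="$2"; nssdir="${3:-$HOME/.pki/nssdb}"
    if [ ! -f "$nssdir/cert9.db" ]; then
        mkdir -p "$nssdir"
        certutil -d "sql:$nssdir" -N --empty-password || return 1
    fi
    certutil -d "sql:$nssdir" -A -t TC -n "$nick" -i "$cert" || return 1
    # Confirm the certificate is now listed under that nickname
    certutil -d "sql:$nssdir" -L -n "$nick" >/dev/null
}

# Usage: sh cacert-install.sh <cert.crt> <certdir> [nss-nickname]
if [ $# -ge 2 ]; then
    link=$(install_ca_cert "$1" "$2") || exit 1
    echo "installed $link"
    verify_against_dir "$1" "$2" && echo "openssl verify: OK via $2"
    if [ $# -ge 3 ]; then
        import_nss_cert "$1" "$3" && echo "imported into NSS as '$3'"
    fi
fi
```

Run it as root with /etc/ssl/certs as the second argument to reproduce the article's system install, and as your normal user with a third argument to also load the certificate into your own ~/.pki/nssdb. The verify_against_dir check is what tells you the symlink name and the directory really match what OpenSSL expects, which is the part that goes wrong when a link is created by hand with the wrong hash.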

And you’ll end up with a trusted site next time you visit my ‘bear’ server:

26 Comments

  1. Niki Kovacs

    I remember you didn’t want to build LetsEncrypt’s Certbot client because there are so many dependencies. Last week I stumbled over an alternative client (nothing to do with “alternative facts”, eh). I didn’t try it, since I already have Certbot on my servers, but here you go. https://github.com/Neilpang/acme.sh

  2. Alexander

    And this letsencrypt client:
    https://slackbuilds.org/repository/14.2/system/dehydrated/
    is a bash script, I use it and have nothing to complain about.

  3. Geremia

    I get:

    certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

    when trying to run your certutil commands.

  4. Roy Lanek

    Done. Nice. THX.

  5. Mike Langdon

    I had nearly the same result as Geremia, except it ended with invalid arguments.

  6. Willy Sudiarto Raharjo

    All the above commands work fine here

    make sure to copy-paste from the website instead of trying to write it manually

  7. LoneStar

    yep, the thing with CA certs and Mozilla/Google is extremely annoying.

    Just this past week I’ve switched to using letsencrypt (with dehydrated script) because of the recent events with StartCom. I had paid a 2-year wildcard cert with StartCom, valid until 2018, and now it’s considered untrustworthy by the browsers because of the well known accusations.

  8. Ricardo J. Barberis

    Working fine also with Opera (the new one, based on Chrome), I just had to restart the browser.

    Thanks for the instructions!

  9. Robert Allen

    Thanks for the overview of CACert – I had seen them in previous searches but had no clear idea of their place in the cosmos.

    I too, have balked at putting certbot on my own machines – not going to happen! I have found letsencrypt-nosudo to meet my own needs perfectly: https://github.com/diafygi/letsencrypt-nosudo

    It allows me to manage and renew all my certs from my local machine. Nothing runs on the production platforms – ever, I authenticate with temporary well-known/… files via HTTP and upload the renewed certs over ssh/sftp.

    On the local machine it never runs with elevated privs and writes only to STDOUT, making no assumptions about how I want to organize everything.

    Perhaps a Slackdocs article in the works…

  10. bam

    If I add an exception for the SSL certificate for Firefox, it still shows me that “Connection is not secure”. Any chance to solve it?

  11. alienbob

    bam, did you also execute the two “certutil” commands as your normal user account?

  12. bam

    Eric, yes, I did all the commands and Chromium works now, but not Firefox

  13. alienbob

    OK, I think you also need to do the following. If so, then I will update the main article.

    Using your Firefox browser, open the page http://www.cacert.org/index.php?id=3

    Click on the link for “Class 1 PKI Key” called “Root Certificate (DER Format)“. You will see the text “You have been asked to trust a new Certificate Authority (CA). Do you want to trust ‘CA Cert Signing Authority’ for the following purposes?“.
    At a minimum you must check the box to the left of “Trust this CA to identify web sites” before importing the certificate.

    Then do the same for the “Class 3 PKI Key” called “Intermediate Certificate (DER Format)” a bit lower on the page.

  14. bam

    Thanks Eric, it works

  15. alienbob

    OK bam, I have updated the main article with the Firefox steps.

  16. Geremia

    bear.alienbase.nl’s CACert expired on March 23, 2018

  17. alienbob

    Hi Geremia.

    I had renewed the cert last month but it seemed that Akamai (content caching) was masking its update, not accepting that I replaced it (https://bear would stop working).
    Now that it finally is expired and Akamai rejects it, I have switched to the new cert and it works fine now.

    Thanks for the reminder!

  18. jhsdcsjdcvbdj

    Instructions perfect, no problems copying & pasting all commands into slackware 14.2 x64

    Thank you again Eric. 😀

  19. Antoine

    I don’t know if it’s related, the instructions above work fine for bear.alienbase.nl but in firefox, this page ( https://alien.slackbook.org/blog/adding-cacert-root-certificates-to-your-slackware/ ) first shows green as “Verified by let’s encrypt” while it is loading but then turns to orange “Connection not secure”, “Parts of this page are not secure (such as images).” once it has finished loading.

  20. Antoine

    Weird, it stopped complaining right after I submitted my comment above.

  21. Henry Pfeil

    “wget --no-check-certificate” works for me.

  22. hacknorris

    show me then, how can i add an existing cert FILE with name file.crt to a place so it will work? i know how to reload probably…

    • alienbob

      I don’t understand your question, did you not read this article?
      I thought that this was exactly the topic of my blog post, showing you, with commands and all, how to add a .crt file to your system so that it gets picked up by applications.

      • hacknorris

        yep i did although i was doing it for a dumb webapp (sort of homeserver still broken..), went out that official instructions FOR DEBIAN were correct. lol

        • alienbob

          This is a Slackware oriented blog, you can be certain that the commands I show are working there. But other distros? I can’t guarantee that you can use these instructions verbatim, but you will hopefully extract the relevant knowledge out of the rest of the text.
          Why don’t you try Slackware? Perhaps it fits your purposes. In any case, it’s a lot of fun to run.

          • hacknorris

            but i AM on slackware, i just said that debian commands worked on slacky at me…

© 2024 Alien Pastures