Mozilla Relay is experiencing issues with call and text delivery. We’re working on a fix. Check Mozilla Status for updates.

Tìm kiếm hỗ trợ

Tránh các lừa đảo về hỗ trợ. Chúng tôi sẽ không bao giờ yêu cầu bạn gọi hoặc nhắn tin đến số điện thoại hoặc chia sẻ thông tin cá nhân. Vui lòng báo cáo hoạt động đáng ngờ bằng cách sử dụng tùy chọn "Báo cáo lạm dụng".

Tìm hiểu thêm

Cannot update self-hosted add-on due to "Certificate issuer is not built-in" error

  • 7 trả lời
  • 1 gặp vấn đề này
  • 26 lượt xem
  • Trả lời mới nhất được viết bởi bplaxco

more options

I have a custom add-on that I'm working on for my team. It's hosted internally on a server signed by our company's internal CA. The add-on is signed by Mozilla, but not hosted on AMO.

I am on the latest version of Fedora running Firefox 81.0. In the browser console I get this error relating to the URL for the addon when I tell Firefox to check for updates: "Certificate issuer is not built-in".

I have the company CA installed and when I navigate to the site in the browser, Firefox recognizes the cert. I've done some reading on the subject and seen several threads about it. I've tried a few things already, but most of the threads where a couple of years old.

I'm asking the question here hoping to figure out what the current state of the problem is and which settings I should tweak to have it trust the company CA or what my options are.

Thank you in advance for any support on the issue.

I have a custom add-on that I'm working on for my team. It's hosted internally on a server signed by our company's internal CA. The add-on is signed by Mozilla, but not hosted on AMO. I am on the latest version of Fedora running Firefox 81.0. In the browser console I get this error relating to the URL for the addon when I tell Firefox to check for updates: "Certificate issuer is not built-in". I have the company CA installed and when I navigate to the site in the browser, Firefox recognizes the cert. I've done some reading on the subject and seen several threads about it. I've tried a few things already, but most of the threads where a couple of years old. I'm asking the question here hoping to figure out what the current state of the problem is and which settings I should tweak to have it trust the company CA or what my options are. Thank you in advance for any support on the issue.

Giải pháp được chọn

Here is what I found based off of a few tests:

I get the cert error for the manifest file when `extensions.update.requireBuiltInCerts` is not defined or set to true.

Once I set `extensions.update.requireBuiltInCerts` to false, Firefox is able to call out and see that there is an update, but when it tries to download and install the update (regardless if it's naturally or by clicking "check for updates") it now has the same cert error for the actual xpi file but not the manifest.

When I set `extensions.install.requireBuiltInCerts` to false as well then it is able to install the xpi file (that is also being served under a cert signed by the same CA as the manifest file).

So from the test

`extensions.update.requireBuiltInCerts = false` - needed to download the manifest `extensions.install.requireBuiltInCerts = false` - needed to install the actual update file.

Thanks again @cor-el for the link to the source code searcher. I wouldn't have figured it out without that.

Đọc câu trả lời này trong ngữ cảnh 👍 0

Tất cả các câu trả lời (7)

more options

> It's hosted internally on a server signed by our company's internal CA

To be clear the server is serving up a cert signed by our company's CA, the add-on is signed by Mozilla.

more options

There is a hidden Boolean pref that you can try to create on the about:config page.

more options

Hmm didn't seem to work. I set the value in about config, quit Firefox, and restarted it and the issue's still there.

```

  • removed* addons.xpi WARN Download of *removed* failed: [Exception... "Certificate issuer is not built-in." nsresult: "*removed* (NS_ERROR_ABORT)" location: "JS frame :: resource://gre/modules/CertUtils.jsm :: checkCert :: line 183" data: no] Stack trace: checkCert()@resource://gre/modules/CertUtils.jsm:183

onStopRequest()@resource://gre/modules/addons/XPIInstall.jsm:2418 ```

more options

Can you install this extension locally if you have saved it ?

Maybe best is to ask advice at the Discourse add-ons forum

more options

Thanks for that search link! Started digging through the code and it looks like the install rather than the update setting does it: extensions.install.requireBuiltInCerts = false.

I'm going to dig through the code a bit more to understand the difference before closing this out and then I should be good to go.

more options

Side note: this was while clicking the "Check for updates" option in about:addons

more options

Giải pháp được chọn

Here is what I found based off of a few tests:

I get the cert error for the manifest file when `extensions.update.requireBuiltInCerts` is not defined or set to true.

Once I set `extensions.update.requireBuiltInCerts` to false, Firefox is able to call out and see that there is an update, but when it tries to download and install the update (regardless if it's naturally or by clicking "check for updates") it now has the same cert error for the actual xpi file but not the manifest.

When I set `extensions.install.requireBuiltInCerts` to false as well then it is able to install the xpi file (that is also being served under a cert signed by the same CA as the manifest file).

So from the test

`extensions.update.requireBuiltInCerts = false` - needed to download the manifest `extensions.install.requireBuiltInCerts = false` - needed to install the actual update file.

Thanks again @cor-el for the link to the source code searcher. I wouldn't have figured it out without that.