how to add a certificate to firefox or chrome #344
Comments
The only way for now is actually to update the image. I did that; that's my Dockerfile: For Chrome it's working. For Firefox I'm copying a profile already created with the certificate inside, because there's no way to initialize the Firefox profile from the command line. Hope it helps.
|
@gknepper I need to do exactly this for Firefox, and you seem to have found the only way. When starting the first time, Firefox will create a file 'profiles.ini' (http://kb.mozillazine.org/Profiles.ini_file) that points to a default profile directory. That profile needs to have added a 'cert9.db' file containing the certificate in question and also have the preference for 'security.default_personal_cert' changed to "Select Automatically". I can see that you seem to be updating the Dockerfile at https://github.com/elgalu/docker-selenium/blob/1468f6d9aa980afabbe98a000d8ef5598b58224a/Dockerfile but can you explain what the file firefoxprofile.tar.gz in "ADD firefoxprofile.tar.gz /home/seluser/" contains? I can see how that might contain the necessary cert9.db file and prefs.js file, but I don't see how that changes the profile that Firefox created in the necessary ways. Does it also replace profiles.ini somehow? Thanks, I really hope to hear from you. |
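A check for the layout described in the comment above, as an added example that is not part of the thread or of docker-selenium: it reads profiles.ini, resolves the default profile, and reports whether cert9.db and the security.default_personal_cert preference are in place. The `[Install...]` section handling, the function names and the sample tree are assumptions made for illustration.

```python
import configparser
import re
from pathlib import Path

PREF_RE = re.compile(r'user_pref\("security\.default_personal_cert",\s*"([^"]*)"\);')

def check_firefox_dir(firefox_dir):
    """Return a list of problems found under <home>/.mozilla/firefox."""
    firefox_dir = Path(firefox_dir)
    ini = configparser.ConfigParser(interpolation=None)
    ini.optionxform = str  # keep key case as written in profiles.ini
    if not ini.read(firefox_dir / "profiles.ini"):
        return ["profiles.ini missing"]
    rel = None
    for name in ini.sections():
        sec = ini[name]
        # Newer Firefox: an [Install...] section's Default=<path> wins.
        if name.startswith("Install") and "Default" in sec:
            rel = sec["Default"]
            break
        # Older layout: the [ProfileN] section flagged Default=1.
        if name.startswith("Profile") and sec.get("Default") == "1":
            rel = sec.get("Path")
    if rel is None:
        return ["profiles.ini names no default profile"]
    profile = firefox_dir / rel  # an absolute path replaces the base
    if not profile.is_dir():
        return [f"default profile directory {rel} does not exist"]
    problems = []
    if not (profile / "cert9.db").is_file():
        problems.append("cert9.db missing from default profile")
    prefs = profile / "prefs.js"
    m = PREF_RE.search(prefs.read_text(errors="replace")) if prefs.is_file() else None
    if m is None or m.group(1) != "Select Automatically":
        problems.append("security.default_personal_cert is not Select Automatically")
    return problems

def build_sample(root, with_cert_db):
    """Write a constructed sample tree (not a real Firefox profile)."""
    prof = Path(root) / "0pe1dj08.default-release"
    prof.mkdir(parents=True)
    (Path(root) / "profiles.ini").write_text(
        "[InstallEXAMPLE]\nDefault=0pe1dj08.default-release\nLocked=1\n\n"
        "[Profile0]\nName=default-release\nIsRelative=1\nPath=0pe1dj08.default-release\n")
    (prof / "prefs.js").write_text(
        'user_pref("security.default_personal_cert", "Select Automatically");\n')
    if with_cert_db:
        (prof / "cert9.db").write_bytes(b"")  # empty placeholder, not an NSS database
    return Path(root)
```

Run `check_firefox_dir("/home/seluser/.mozilla/firefox")` inside the built image. An empty list only shows the files are present; as later comments in this thread report, a browser started through geckodriver may still not use that profile.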
That's exactly the main problem with Firefox. When creating the profile on the command line, Firefox doesn't create the wallet (cert9.db), so as a workaround I was trying to start Firefox headless and kill it after some seconds just to create the entire structure (profile) locally. What I did instead was create a profile on my local machine where I added every setting that I need (certificates and proxy settings), then I saved this content (the entire /home/user/.mozilla) in this firefoxprofile.tar.gz file. It's "hardcoded" but works. |
Hahaha, I understand! Do you think it would be possible to do for example ADD /home/seluser/.mozilla/profiles.ini (POINTS TO CUSTOM PROFILE 'myprofile.default-release') and would it require adding the other approximately 50 files to myprofile.default-release also? Or do you think Firefox would create those in place upon not finding them in the place that profiles.ini would tell it to look? Again, thank you very much for the answers and for helping, I've been reading about this problem for some time now. |
Well, I think this is doable but I don't compress the profile all this 50 files and all this structure in a tar.gz or a zip file? The other thing that I can do is just add a profile without any configuration/certificate inside your container (ADD) and use the same command that I used on the Chrome app to update the Firefox cert9.db. It's 100% compatible, I've tested already. |
I am still learning about docker-selenium, but it seems to me that doing ADD profile.ini /home/seluser/.mozilla/profiles.ini might work. I'll try that soon. |
@gknepper I have done exactly what you have done and created a .tar.gz file for an entire .mozilla directory in Ubuntu. Is it true that the way you use this is to
When you edit the Dockerfile do you put "ADD firefoxprofile.tar.gz /home/seluser/" as the last line of the file? |
Hello @chrismcmahon, No, I'm not cloning the project. I don't need to. I'm reusing the previous working image, as you may check in the first line: (FROM elgalu/selenium). So I'm just adding more layers on top of the previous image. It's faster than rebuilding everything from scratch. So I created a Dockerfile and ran a docker build only. |
@gknepper thanks again, you are saving me a lot of time! So I think that if I had a Dockerfile that looks like
then do |
@chrismcmahon Yes! |
Something is going wrong with this process, I think I have a misunderstanding... On a Ubuntu system I installed Firefox, installed a certificate and changed Preferences. I did 'tar -czvf' to create 'ffprofile.tar.gz' that contains the whole '.mozilla' directory. I transferred this file back to my system running docker. Just to be sure, I unzipped the file with 'tar -xvf ffprofile.tar.gz' and I can see I do I do I have no Profile directory in the docker image dockerfilesystem]# ls -al home/seluser/.mozilla/firefox/ My selenium test that uses the certificate fails in the way I would expect if there is no certificate in the profile. Am I leaving out a step somewhere? Would that source .tar.gz file have to be untarred/unzipped first somehow or something? |
I would say, first start expanding your 'ffprofile.tar.gz', it should have way more than just the cert9.db... Second, on your Ubuntu machine, delete the .mozilla in your home directory and expand the ffprofile.tar.gz there and test your Firefox. If your Firefox doesn't work as expected, it's definitely your 'ffprofile.tar.gz' with the wrong content inside. |
Yes, my .ffprofile.tar.gz has all the regular .mozilla files and directories plus the changes that I made. The fs in firefox_grid_1 has nothing from there after running 'docker build'. I wonder, I have a grid node and a firefox node, could 'docker build' be updating the wrong docker container? |
Did you define a name for your image when you ran the build "docker build -t new_image ."? Check with the command "docker image" all images that you may have in your system. I think you're creating an image but starting the container using the old one. |
I looked for the string "docker image" and I don't seem to be using it anywhere. grep -r 'docker image' * I'm using a docker-compose.yml file. The firefox image is
and ends up being called 'grid_firefox_1' |
Check the steps 3 and 4 on this tutorial. https://www.howtoforge.com/tutorial/how-to-create-docker-images-with-dockerfile/ |
Thank you! I think I must have missed that Step 3. docker images |
docker ps |
I definitely never run any "docker build -t" steps, hmm. |
I think I am almost there. I do 'docker-compose -p grid down'
Now I see (Why does it say '2 hours ago'? I guess because it cached earlier actions...) I do 'docker-compose -p grid down' again In my docker-compose file I change firefox: 'image: elgalu/selenium' to 'image: has_ff_profile' I run my test that should use the certificate. I feel like I am really close here. |
I am so close: I created a Dockerfile like this
and I see
I wonder if something is wrong with permissions because if I leave out that step "USER root" I get an error "ls: cannot open directory '.mozilla': Permission denied" docker ps |
Create your image again with this Docker file... and yes definitely it's a problem on your ffprofile.tar.gz, mostly permission. FROM elgalu/selenium |
almost: I have to switch USER back at the end FROM elgalu/selenium I'm still not quite there but I am SO CLOSE. :-) Thanks again! |
This seems like it should work, and yet I still have a problem: Using my Firefox profile directory I created on a Ubuntu iso system: I have a Dockerfile like so:
(Note: I tried 'chown -R seluser' first, then 'chmod -R 777' to be certain that permissions were not the problem) I do 'docker build -f Dockerfile -t has_ff_profile .' The output from that 'ls -al' command in the Dockerfile shows correctly:
(Note the existence of the 'cert9.db' file in /home/seluser/.mozilla/firefox/0pe1dj08.default-release) I edit my docker-compose file to point to this image and do 'docker-compose -p grid up --force-recreate -d' I check that my firefox grid instance is using the correct image
I start my browser in the docker container
(Note: I have also tried starting the browser with no profile argument and I get the same result) I run my test that navigates to the page expecting the certificate: And the test fails. I took a snapshot of the browser at the point of failure and the browser in the docker container sees the Firefox error page saying "Secure Connection Failed An error occurred during a connection to myhost:myport. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT" As if the browser in the docker container does not have a certificate. Any suggestions as to what might be wrong would be welcome. I think I've tried everything I can think of. |
Update: I took a snapshot of 'about:profiles' page for the Firefox instance in the docker container and it is indeed using 'default-release' and the directory for that is indeed '/home/seluser/.mozilla/firefox/0pe1dj08.default-release'. Why would Firefox not recognize the certificate in that Profile? |
My best guess is: the profile that you created was incompatible somehow with the Firefox inside the container. My suggestion is to enable the VNC in this container and create the file using the internal Firefox. I did mine using this technique. |
I think I have one last mystery. This time I created my Profile with a certificate and preferences on the latest docker-selenium Firefox Standalone Debug image https://github.com/SeleniumHQ/docker-selenium/tree/master/StandaloneFirefoxDebug. I made a .tar.gz of the .mozilla directory and injected it into my own image with the Dockerfile using the latest image from /elgalu/docker-selenium (both Firefox v.70) and checked that everything looks correct. My test still fails. Here is the mystery: in the container I took a screen shot of the page at "about:profiles" and I have attached it here. When I look at my regular normal browser 'about:profiles' page in the Standalone Debug image I see a notice saying "Profile: default-release/This is the profile in use and it cannot be deleted." I also see the page say "Default Profile: yes". The 'about:profiles' page in the docker container has "Default Profile:no" and I don't see the "This profile is in use..." message. I've tried building my image with both "RUN chmod -R 777 /home/seluser/.mozilla" and "RUN chmod -R 777 /home/seluser/.mozilla" and I get the same result with either one. Finally, I tried injecting the '.cache' directory along with the .mozilla directory in the Dockerfile but I get the same result
I did not think it was actually possible for Firefox to run with no Profile at all, but that seems to be what is happening in the docker container. |
Another take: I ran the Firefox standalone image (with VNC on port 5901):
I created the Profile I need with the certificate and the preference. I navigated to where I need to go to make sure it works correctly on the standalone image. I made the .tar.gz files in the simplest possible Dockerfile FROM elgalu/selenium
I have a shell on the standalone docker-selenium image and I have a shell on the grid_firefox_1 image. Doing And I still get the problem shown in the image above. The Firefox on the grid_firefox_1 image can see the default-release profile but it is not in use and "Default Profile" is set to "no". |
Thanks for all the help! I just now filed an issue against geckodriver with my findings about a copy of a Profile not working mozilla/geckodriver#1662 |
Thanks for your great work @gknepper, config with libnss3-tools works fine for me, thanks. |
@chrismcmahon Did you ever figure this out? I've got a similar issue. I have my chrome instance up and running perfectly, but firefox is a nightmare with a custom CA. I have a custom docker image that I build, ADD the firefoxprofile.tar.gz that I created in the docker image using VNC, and all of my tests fail with InsecureCertificateException. I'm using the NoVNC option on the selenium firefox node to watch the test and it's obviously not using my profile. If I manually open the ff browser in the VNC session, it defaults to my working profile and I have my custom CA. In python, I can use add_argument with "-profile /home/seluser/.mozilla/profiles/whatever-release" and I see the browser fire up with the correct profile, but the webdriver errors out with a keyerror looking for ['status']. This is maddening! |
@XanaDublaKublaConch I never did. I pursued it a long way with the selenium maintainers, and I eventually ended up filing a bug against geckodriver iirc. That was right around the time Moz laid off the whole QA staff, so I doubt that they're interested in fixing it. |
That's disheartening, but thanks for the info! |
Hello @chrismcmahon and @XanaDublaKublaConch the solution that I proposed here worked for me => Please let me know if I can help you somehow. |
Thanks, @gknepper. That is essentially what I used and I should have thanked you profusely for that. The chrome custom image works beautifully, but Firefox does not, despite the fact that the profile is there and working manually. I can't use the elgalu/selenium image as a base because I need to use Selenium Grid 4. I'm working in a secure environment and I have to have TLS support on the external hub port (4444), which requires node registration. I'm also trying to figure out how to inject custom headers into the embedded netty server. I can enable the NoVNC port on the firefox docker image and watch selenium start firefox. It immediately pops up the insecure cert warning. Since the script errors out, the browser stays open and I can look in the cert store of that browser session. My CA is not in the trusted certs. In the same X desktop session, which is running as seluser, I can close the selenium browser session, start firefox from the terminal prompt and it uses the profile from the custom build. From that browser session, I can see my certs in the cert store and I can open sites using that CA as the issuer with no problems. It seems like the geckodriver is either creating a new, temporary blank profile or a temporary copy of the custom profile without the cert store. The weird part is, when the selenium session errors out and I can't see my CA cert, if I go to about:profiles, I still only see the one default profile that should be working. |
Hello @XanaDublaKublaConch, first check whether the issue that you're facing is actually not a known bug. Check this out: https://bugzilla.mozilla.org/show_bug.cgi?id=1103196 Besides, I think this thread can help you out with the certificate on Firefox. As you're not using the elgalu/selenium image, it's hard to predict what is involved and how to help you more. My 2 cents. Have fun! |
Hello @gknepper, @XanaDublaKublaConch and @chrismcmahon, just wanted to let you know that I finally achieved it altogether, thanks to your last hint @gknepper. 🙂 Here's an example
|
Now there is a website which must be visited with a certificate. What should I do? Add the certificate into your image or set the certificate in selenium webdriver.Remote? I have no idea, thanks for any advice.