
I am trying to write a script (postinst for a .deb package) that will install a secure websockets (wss:) application and a certificate that allows access from the Chrome browser. The developer has this working by adding a certificate to the user's nssdb using `certutil -A -d sql:$HOME/.pki/nssdb`.

How do I do this from an installer script? I've tried `sudo -u $SUDO_USER`, which works if the user uses the command-line `sudo dpkg` but doesn't work from something like Ubuntu Software Centre, which runs as root. Is there a better way of doing it, such as a system-wide database? I tried `/etc/pki/nssdb`, which I'd seen somewhere, but that wasn't being picked up by Chrome.

Jeff Schaller
Paul
  • You can't change users' configuration from a package management script. You can *try*, but that will only mess things up, it will overwrite user preferences, it won't affect users created in the future, etc. Just don't do that. A system-wide database, if there is one, is the only real solution. Doesn't `/etc/ssl/certs` serve your purpose? – Gilles 'SO- stop being evil' Jun 12 '15 at 22:17
  • I use `update-ca-certificates` to install our certificate from `/usr/local/share/ca-certificates/` but that doesn't seem to be enough; Chrome gives an error NET::ERR_CERT_AUTHORITY_INVALID when it tries to connect to the libwebsockets based server. – Paul Jun 15 '15 at 10:27
  • Best web info I've seen regarding this topic: http://blog.xelnor.net/firefox-systemcerts/ The above entry also references: https://wiki.mozilla.org/NSS_Shared_DB_Howto – Troy Folger Nov 03 '15 at 22:40

0 Answers