[🐛 Bug]: Custom CA Certificate installation incorrectly/poorly documented and difficult #1835

Closed
andrewnicols opened this issue Apr 22, 2023 · 8 comments · Fixed by #2136


@andrewnicols

What happened?

The instructions on installing custom certs for Chrome are poor and confusing.

They:

  • are missing the full instructions to run apt-get update && apt-get install -qyy libnss3-tools as root
  • have missing steps to create the directory with the relevant permissions

I'd really suggest that libnss3-tools should be installed as standard for Chromium images.

There are also no notes for other browsers so it's unclear if any steps need to be taken.

Command used to start Selenium Grid with Docker

docker run selenium/standalone-chrome:latest

Relevant log output

N/A

Operating System

MacOS

Docker Selenium version (tag)

4.17.0 (99724)

@github-actions

@andrewnicols, thank you for creating this issue. We will troubleshoot it as soon as we can.



@diemol
Member

diemol commented Apr 24, 2023

They have been added as contributions because some users want to know how to install certificates. Could you please help us to improve them?

@github-actions

This issue is looking for contributors.

Please comment below or reach out to us through our IRC/Slack/Matrix channels if you are interested.

@diemol
Member

diemol commented May 11, 2023

@andrewnicols do you have time to help us?

@roderickgreen

It would also be helpful to me if libnss3-tools was included in Chromium images by default. Our use case is probably the same. We have an enterprise CA, but are a relatively small org, so it's somewhat of a burden to maintain our own images just to add a root cert. With certutil baked in, we can script at startup the addition of the required cert. I'd be happy to send up a patch to the Dockerfiles if you are open to it.

@krishtoautomate

krishtoautomate commented Jan 6, 2024

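cert-script.sh

# Import the root CA into the current user's NSS database (the store Chrome reads)
echo "$USER running cert script"
certfile="/usr/local/share/ca-certificates/RootCA1.crt"
certname="RootCA1"
echo "running certutil -A -n \"${certname}\" -t \"TCu,Cu,Tu\" -i ${certfile} -d sql:$HOME/.pki/nssdb"
certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d "sql:$HOME/.pki/nssdb"

Dockerfile

FROM selenium/node-chrome:120.0

# Copy the CA certificates into the system trust directory
COPY ./BellCerts/. /usr/local/share/ca-certificates/
# Owner may write, everyone may read; nobody else can modify the trust directory
RUN sudo chmod -R u=rwX,go=rX /usr/local/share/ca-certificates/
RUN sudo apt-get update
RUN sudo update-ca-certificates
# -y is required because docker build cannot answer the install prompt
RUN sudo apt-get install -y libnss3-tools
COPY ./cert-script.sh /usr/local/share/cert-script.sh

# Create the NSS database directory as seluser, then import the certificate
RUN sudo -u seluser mkdir -p $HOME/.pki/nssdb && \
    sudo -u seluser sh /usr/local/share/cert-script.sh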

@VietND96
Member

Thank you @krishtoautomate for your suggested script. For now, by default, the base image has libnss3-tools installed and initializes /home/seluser/.pki/nssdb, so you can add your certs rootless.
I added it to the README as part of #2136; the script is locally testable.
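
An added example (not the project's README script or any commenter's code) of the rootless startup import discussed in this thread, assuming the CA certificates are mounted into the container as *.crt files. The names CERT_DIR, NSSDB, CERTUTIL, loosely_writable and import_cas are assumptions made for the example; it skips certificates already in the database, refuses certificate sources that group or others can write to, and uses the narrower trust string "C,," (TLS server trust only) rather than the "TCu,Cu,Tu" posted above.

```shell
#!/bin/sh
# Added example: import mounted CA certificates into seluser's NSS database at startup.
CERT_DIR="${CERT_DIR:-/usr/local/share/ca-certificates}"
NSSDB="${NSSDB:-sql:${HOME:-/home/seluser}/.pki/nssdb}"
CERTUTIL="${CERTUTIL:-certutil}"   # overridable so the logic can be exercised without NSS tools

# Succeeds (0) when group or others have write permission on the path.
loosely_writable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Import every *.crt in CERT_DIR as a trusted CA for TLS server certificates only.
# Sets IMPORTED (newly added) and SKIPPED (rejected for loose permissions).
import_cas() {
    IMPORTED=0; SKIPPED=0
    if loosely_writable "$CERT_DIR"; then
        echo "refusing: $CERT_DIR is writable by group/others" >&2
        return 2
    fi
    for crt in "$CERT_DIR"/*.crt; do
        [ -f "$crt" ] || continue
        if loosely_writable "$crt"; then
            echo "skipping $crt: writable by group/others" >&2
            SKIPPED=$((SKIPPED + 1)); continue
        fi
        nick=$(basename "$crt" .crt)
        # certutil -L -n exits 0 when the nickname already exists, so reruns add nothing
        if "$CERTUTIL" -L -d "$NSSDB" -n "$nick" >/dev/null 2>&1; then
            continue
        fi
        # "C,," = trusted CA for TLS servers; no S/MIME or code-signing trust
        "$CERTUTIL" -A -d "$NSSDB" -n "$nick" -t "C,," -i "$crt" || return 1
        IMPORTED=$((IMPORTED + 1))
    done
    return 0
}

# Runs the import only when the script is invoked with the argument "run"
if [ "${1:-}" = "run" ]; then
    import_cas && echo "imported $IMPORTED, skipped $SKIPPED"
fi
```

Invoke it as the container user with the single argument `run`; afterwards `certutil -L -d sql:$HOME/.pki/nssdb` lists the nicknames that were added.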


This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Mar 17, 2024