That works a treat. Thanks, Sam.
On Tue, Mar 3, 2020 at 3:32 AM Sam Morris via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
You can get browsers (and other programs that use libnss3) to use
the
system-wide trust store (i.e., /etc/ssl/certs/ca-certificates.crt) if you
install p11-kit and run:
# dpkg-divert --add --local --rename
/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
# ln -srf /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
You can undo it by removing the symlink and then running 'dpkg-divert
--remove --rename /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so'.
There was a discussion on the Debian BTS about doing this by default at <
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180> but it never
actually happened.
I think this is already done by default in the Red Hat world.
--
Sam Morris <sam(a)robots.org.uk>
https://robots.org.uk/
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...