[Freeipa-users] Re: Debian client browsers don't trust root cert after ipa-client-install

You can get browsers (and other programs that use libnss3) to use the system-wide trust store (i.e., /etc/ssl/certs/ca-certificates.crt) if you install p11-kit and run: # dpkg-divert --add --local --rename /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so # ln -srf /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so You can undo it by removing the symlink and then running 'dpkg-divert --remove --rename /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so'. There was a discussion on the Debian BTS about doing this by default at < https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180> but it never actually happened. I think this is already done by default in the Red Hat world. -- Sam Morris <sam(a)robots.org.uk&gt; https://robots.org.uk/ _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...