
[BUG] Playwright browsers don't use the system store with additional certificate authorities #28967

Open
aeris opened this issue Jan 12, 2024 · 5 comments

@aeris

aeris commented Jan 12, 2024

Currently it seems Playwright doesn't consider additional system certificate authorities when starting a new browser, and there is no way to add one manually.

Normal browsers, for example Firefox, notice any system store change even without a restart.
Installing a CA certificate with the system package manager just shows the certificate right away in a running browser.
[screenshot]

Playwright browsers don't notice the additional authority even at start, and seem to use a static predefined list.

This leaves no way to test a website using an authority outside the static list without skipping TLS verification entirely for any and all websites, and so removing every piece of security, as was asked for such a case here.

System info

  • Playwright Version: v1.38.0
  • Operating System: Arch Linux
  • Browser: at least Chromium and Firefox

Source code

$ cat test_ca.py
from playwright.sync_api import Page

def test_https_error_but_ca_is_system(page: Page):
    page.goto("https://cacert.org")

Steps

$ trust list | rg "CA Cert Signing Authority"
$ wget -4 https://cacert.org
--2024-01-12 15:39:30--  https://cacert.org/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
ERROR: The certificate of 'cacert.org' is not trusted.

$ yay -S ca-certificates-cacert # Installing CACert certificate to system store

$ trust list | rg -C2 "CA Cert Signing Authority"
pkcs11:id=%16%B5%32%1B%D4%C7%F3%E0%E6%8E%F3%BD%D2%B0%3A%EE%B2%39%18%D1;type=cert
    type: certificate
    label: CA Cert Signing Authority
    trust: anchor
    category: authority
$ wget -4 https://cacert.org
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
HTTP request sent, awaiting response... 200 OK

$ pytest test_ca.py

Expected behavior

Test OK, using system certificate to access the site

Actual behavior

Test KO

E       playwright._impl._api_types.Error: SEC_ERROR_UNKNOWN_ISSUER
E       =========================== logs ===========================
E       navigating to "https://cacert.org/", waiting until "load"
E       ============================================================
@mxschmitt mxschmitt transferred this issue from microsoft/playwright-python Jan 12, 2024
@mxschmitt (Member)

We are unfortunately not familiar with Arch Linux; it's also not a Linux distribution we support. Have you tried it on a supported Linux distribution?

I found this which looks related, have you tried that? https://superuser.com/questions/1717914/make-chrome-trust-the-linux-system-certificate-store-or-select-certificates-via

(Playwright's Chromium is the same as a normal Chromium, we don't do any certificate related changes. Actually no changes at all on the Chromium side as of today.)

@aeris (Author)

aeris commented Jan 17, 2024

Hello
I got the same trouble on Node LTS + Debian 12
Minimal reproducible docker image available here
https://github.com/aeris/playwrigth-system-ca

@aeris (Author)

aeris commented Jan 17, 2024

For the "solution" on the superuser forum, it's not possible for Playwright: the certificate store only exists in the browser profile, and so is just cleaned each time you restart Playwright (no persistence).

$ find ~/.mozilla -name cert9.db
/home/aeris/.mozilla/firefox/qw3pv9fs/cert9.db
/home/aeris/.mozilla/firefox/aeris/cert9.db

And I can't find a reliable and portable way to get the running profile directory from inside playwright execution to be able to inject a new ca certificate.

I also don't know the difference between Playwright browsers and standard user browsers, but there is a different behavior.
Everyday browsers seem to use system certificates, even noticing changes without a restart, but the ones Playwright starts seem to be totally isolated and don't notice system store changes.

@mxschmitt (Member)

For Chromium it seems doable via:

# For Chromium
# https://chromium.googlesource.com/chromium/src/+/master/docs/linux/cert_management.md
# Chromium on Linux reads the user NSS database at $HOME/.pki/nssdb
RUN apt-get install -y libnss3-tools
RUN mkdir -p $HOME/.pki/nssdb
# -A adds a certificate; -t "C,," marks it a trusted CA for server (TLS) certificates
RUN certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n badssl-com -i badssl-com.pem

For Firefox it wasn't working for me, since, as you said, we are using in-memory browser profiles which end up creating temp browser profiles. My attempt at following this didn't work.
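
The following is an added example, not code from the issue or from Playwright itself, showing the approach the two comments above circle around without disabling TLS verification: pre-populate an NSS database that the browser will actually read. For Chromium that database is `$HOME/.pki/nssdb`, so the script points the browser's `HOME` at a scratch directory (the `env` launch option is a real Playwright parameter). For Firefox the database is `cert9.db` inside the profile, so instead of a temporary profile it uses `launch_persistent_context` with a `user_data_dir` it creates itself; that this lets Playwright's Firefox pick up the pre-built `cert9.db` is an assumption the thread does not confirm. It also includes a small parser for the `trust list` output quoted in the issue, to check that the CA is really a system anchor before blaming the browser. `certutil` from libnss3-tools must be on PATH; the CA PEM path, nickname, URL and the sample `trust list` text are constructed for the example.

```python
"""Added example: give Playwright browsers a private CA without ignore_https_errors."""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sample of `trust list` (p11-kit) output: the first record is the one
# quoted in the issue, the second is a made-up non-anchor record.
TRUST_LIST_SAMPLE = """\
pkcs11:id=%16%B5%32%1B%D4%C7%F3%E0%E6%8E%F3%BD%D2%B0%3A%EE%B2%39%18%D1;type=cert
    type: certificate
    label: CA Cert Signing Authority
    trust: anchor
    category: authority
pkcs11:id=%01;type=cert
    type: certificate
    label: Some Distrusted CA
    trust: blacklisted
    category: authority
"""


def trust_list_has_anchor(trust_list_output: str, label: str) -> bool:
    """Return True if `trust list` shows a certificate with this label as a trust anchor.

    A record starts with an unindented `pkcs11:` URI; the indented `key: value`
    lines that follow belong to it. Only `trust: anchor` records count."""
    records = []
    current = None
    for line in trust_list_output.splitlines():
        if line.startswith("pkcs11:"):
            current = {}
            records.append(current)
        elif current is not None and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return any(r.get("label") == label and r.get("trust") == "anchor" for r in records)


def certutil_add_ca_cmd(db_dir, ca_pem, nickname: str) -> list:
    """argv that imports a CA into an SQLite NSS DB as a trusted TLS server issuer ("C,,")."""
    return ["certutil", "-d", f"sql:{db_dir}", "-A", "-t", "C,,", "-n", nickname, "-i", str(ca_pem)]


def make_nssdb(db_dir: Path, ca_pem: Path, nickname: str) -> Path:
    """Create an empty, password-less NSS DB in db_dir and import the CA into it."""
    db_dir.mkdir(parents=True, exist_ok=True)
    subprocess.run(["certutil", "-d", f"sql:{db_dir}", "-N", "--empty-password"], check=True)
    subprocess.run(certutil_add_ca_cmd(db_dir, ca_pem, nickname), check=True)
    return db_dir


def check_site(url: str, ca_pem: Path, nickname: str = "private-ca") -> dict:
    """Open `url` in Chromium and Firefox that trust `ca_pem`, with TLS checks left on.

    Returns {"chromium": <title>, "firefox": <title>}; a CA the browser does not
    trust surfaces as a navigation error (e.g. SEC_ERROR_UNKNOWN_ISSUER) instead."""
    from playwright.sync_api import sync_playwright  # imported lazily so the rest runs without it

    scratch = Path(tempfile.mkdtemp(prefix="pw-ca-"))
    try:
        # Chromium: the DB lives at $HOME/.pki/nssdb, so give the browser a HOME we control.
        fake_home = scratch / "home"
        make_nssdb(fake_home / ".pki" / "nssdb", ca_pem, nickname)
        # Firefox: the DB is part of the profile, so control the profile directory instead
        # of letting Playwright create a throwaway one (assumption: it reads the pre-built DB).
        ff_profile = make_nssdb(scratch / "ff-profile", ca_pem, nickname)

        results = {}
        with sync_playwright() as p:
            browser = p.chromium.launch(env={**os.environ, "HOME": str(fake_home)})
            page = browser.new_page()
            page.goto(url)
            results["chromium"] = page.title()
            browser.close()

            ctx = p.firefox.launch_persistent_context(user_data_dir=str(ff_profile))
            page = ctx.new_page()
            page.goto(url)
            results["firefox"] = page.title()
            ctx.close()
        return results
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    # Hypothetical paths/URL; run against your own private-CA site.
    if not trust_list_has_anchor(subprocess.run(["trust", "list"], capture_output=True, text=True).stdout,
                                 "My Private Root CA"):
        print("CA is not a system trust anchor; fix that before blaming the browser")
    print(check_site("https://intranet.example.test/", Path("/etc/ssl/private-root.pem")))
```

Keeping `ignore_https_errors` off is the whole point: a failure here means the browser really does not trust the issuer, which is the condition the test is meant to catch for every other site.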

@Dzeneralen

Would be nice to have a way to either supply policies.json to be able to add certificates to Firefox or some other workaround. For now disabling SSL errors seems like the only solution. Similar discussion in #18115
