New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Playwright browser don't use system store with additional certificate authorities #28967
Comments
We are unfortunately not familiar with Arch Linux, its also not a Linux distribution we support - have you tried it on a supported Linux distribution? I found this which looks related, have you tried that? https://superuser.com/questions/1717914/make-chrome-trust-the-linux-system-certificate-store-or-select-certificates-via (Playwright's Chromium is the same as a normal Chromium, we don't do any certificate related changes. Actually no changes at all on the Chromium side as of today.) |
Hello |
For the "solution" on the superuser forum, it's not possible for playwright, certificate store only exists in browser profile, and so is just clean each time you restart playwright (no persistence)
And I can't find a reliable and portable way to get the running profile directory from inside playwright execution to be able to inject a new ca certificate. I don't also know the difference between playwright browsers and standard user browsers, but there is a different behavior. |
For Chromium it seems doable via: # For Chromium
# https://chromium.googlesource.com/chromium/src/+/master/docs/linux/cert_management.md
RUN apt install libnss3-tools
RUN mkdir -p $HOME/.pki/nssdb
RUN certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n badssl-com -i badssl-com.pem For Firefox it wasn't working for me, since as you said we are using in-memory browser profiles which end up creating temp browser profiles. My attempt on following this didn't work. |
Would be nice to have a way to either supply |
Currently it seems Playwright don't consider additional system certificate authorities when starting a new browser and have no way to add manually one.
Normal browser, for example Firefox, notice any system store change even without a restart
Installing ca-cert authority with system package manager just show the certificate at the end on a running browser
Playwright browser don't notice the additional authority even at start, and seem to use a static predefined list.
It leads to no way to test for website using authority outside the static list without skipping totally the TLS verification for all and any website and so remove every piece of security, as asked for such case here.
System info
Source code
Steps
[Describe expected behavior]
Test OK, using system certificate to access the site
[Describe actual behavior]
Test KO
The text was updated successfully, but these errors were encountered: