Install browser certificate databases #837

Open
mendral-app[bot] wants to merge 4 commits into main from mendral/install-browser-cert-databases

@mendral-app mendral-app bot commented Mar 13, 2026

Summary

  • Install libnss3-tools and create Chrome/Chromium NSS certificate database (~/.pki/nssdb) before running mkcert -install, properly eliminating the "ERROR: no Firefox and/or Chrome/Chromium security databases found" warning from E2E test logs
  • Replace the grep -v workaround with a proper fix that ensures mkcert can install certificates into the browser trust store

Changes

In .github/workflows/make.yaml (test-e2e job):

  1. Added libnss3-tools to the apt-get install alongside mkcert
  2. Added a step to create the Chrome/Chromium NSS database directory and initialize it with certutil
  3. Replaced sudo mkcert -install 2>&1 | grep -v '...' || true with a clean sudo mkcert -install

Context

The mkcert certificate installation step was showing a warning in all E2E test runs:

ERROR: no Firefox and/or Chrome/Chromium security databases found

While the warning was suppressed with grep -v, this approach:

  • Hid the warning rather than fixing the root cause
  • Left the browser trust store without the mkcert CA certificate
  • Could mask other errors from mkcert output

The fix creates the NSS database that mkcert expects, so certificates are properly installed in both the system trust store and the browser trust store.


Summary by cubic

Install libnss3-tools and initialize Chrome/Chromium and Firefox NSS DBs in CI so mkcert -install can add the CA to browser trust stores. Run mkcert as the runner user to avoid CA mismatch and remove the warning from E2E logs.

  • Bug Fixes

    • Initialize NSS DBs in $HOME for Chrome/Chromium (~/.pki/nssdb) and Firefox (~/.mozilla/firefox/default) with certutil, then run mkcert -install as the runner user to keep a single CA.
    • Copy the runner CA to the system trust store (/usr/local/share/ca-certificates) and replace the grep -v workaround with a clean install.
  • Dependencies

    • Add libnss3-tools to apt-get install.

Written for commit f602214. Summary will update on new commits.

mendral-app bot added 3 commits March 13, 2026 09:15
Install libnss3-tools and create Chrome/Chromium NSS database before
running mkcert -install, eliminating the 'no Firefox and/or
Chrome/Chromium security databases found' warning from E2E test logs.

This replaces the grep -v workaround with a proper fix that ensures
mkcert can install certificates into the browser trust store.

mkcert checks both Chrome (~/.pki/nssdb) and Firefox
(~/.mozilla/firefox/*) certificate databases. Add Firefox
profile database creation to eliminate the warning completely.

Since mkcert -install runs with sudo, it looks for browser
certificate databases under /root (root's HOME), not the
runner user's home directory. Create the NSS databases in
/root/.pki/nssdb and /root/.mozilla/firefox/default.
@mendral-app mendral-app bot marked this pull request as ready for review March 13, 2026 16:39
@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/make.yaml">

<violation number="1" location=".github/workflows/make.yaml:224">
P1: Installing mkcert as root creates a different CA than the one later used to generate the test certificates. The warning disappears, but the Pebble certs from `make stack-up` are still signed by the runner user's CA, not the root CA you installed here.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

sudo mkcert -install created a CA under /root, but make stack-up
generates certificates as the runner user using a different CA.
This caused a CA mismatch where the installed root CA didn't match
the one signing the Pebble certificates.

Fix by creating NSS databases for the runner user and running
mkcert -install without sudo. The runner user's CA is then
explicitly copied into the system trust store with sudo.
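
A CI guard for the mismatch described in the commit message above, as an added example that is not part of this pull request or the project's workflow: it checks that the CA copied into the system trust store is the one the signing user's mkcert uses, and that both NSS databases exist. The function names, the trust-store file name mkcert-ca.crt and the fixture contents are assumptions made for illustration; the CA path is mkcert's Linux default when neither CAROOT nor XDG_DATA_HOME is set.

```shell
#!/bin/sh
# Added example, not the project's workflow. Function names are hypothetical.

# mkcert's default CA directory on Linux for a given home directory
# (applies when neither CAROOT nor XDG_DATA_HOME is set).
caroot_for_home() {
  printf '%s\n' "$1/.local/share/mkcert"
}

# 0 if the CA in the trust store is byte-identical to the CA the signing
# user's mkcert uses, 1 on mismatch, 2 if either file is missing.
check_ca_match() {
  _signer_ca="$(caroot_for_home "$1")/rootCA.pem"
  if [ ! -f "$_signer_ca" ] || [ ! -f "$2" ]; then
    echo "missing CA file: $_signer_ca or $2" >&2
    return 2
  fi
  cmp -s "$_signer_ca" "$2" && return 0
  echo "CA mismatch: $2 differs from $_signer_ca" >&2
  return 1
}

# 0 if both browser NSS databases named in the PR exist under the given home.
# Assumes SQL-format databases, which certutil stores as cert9.db.
nss_dbs_present() {
  for _db in "$1/.pki/nssdb" "$1/.mozilla/firefox/default"; do
    [ -f "$_db/cert9.db" ] || { echo "no NSS database in $_db" >&2; return 1; }
  done
}

# Constructed fixtures: a "root" and a "runner" home, each holding a different
# placeholder CA file; mkcert-ca.crt is a hypothetical trust-store file name.
demo() {
  _t="$(mktemp -d)"; _ca=".local/share/mkcert/rootCA.pem"
  mkdir -p "$_t/root/${_ca%/*}" "$_t/runner/${_ca%/*}" "$_t/store"
  echo "constructed CA A" > "$_t/root/$_ca"
  echo "constructed CA B" > "$_t/runner/$_ca"
  # sudo mkcert -install: root's CA is trusted, but the runner's CA signs.
  cp "$_t/root/$_ca" "$_t/store/mkcert-ca.crt"
  _before=0; check_ca_match "$_t/runner" "$_t/store/mkcert-ca.crt" 2>/dev/null || _before=$?
  # After the fix: the runner's own CA is copied into the trust store.
  cp "$_t/runner/$_ca" "$_t/store/mkcert-ca.crt"
  _after=0; check_ca_match "$_t/runner" "$_t/store/mkcert-ca.crt" || _after=$?
  rm -rf "$_t"
  echo "before=$_before after=$_after"
}

demo
```

In a workflow, check_ca_match would be called with the runner's home and the path of the copied CA after the install step, failing the job on a non-zero status.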