
How to fix the certificate problem in Windows

Anonymous
2018-09-15
2023-02-13
  • Anonymous

    Anonymous - 2018-09-15

    Copying nssckbi.dll as instructed by the dev doesn't work.

    You have to export certificates from Firefox and import them into Light. It's the only fix I have found so far.

    MANUAL PROCESS
    Options > Advanced > Certificates > View Certificates
    You'll see options for Exporting and Importing.
    It will take quite a while to do it manually because there are a lot of certificates.
    You can speed up the process a bit when exporting by highlighting everything listed in the certificate window (click the top item, then hold shift & click the bottom item) then deselecting each of the higher level items (the items with a [-] sign to the left of them) (hold control then click each of them to deselect them). Once the higher level items are deselected, the Export button will become active (no longer greyed out).
    After you click Export a prompt will appear for each certificate and you'll have to click each prompt. If you're asked if you want to replace an existing file just answer yes.
    That will speed up the exporting process but you'll still have to do the importing into Light one certificate at a time (unless you find a trick I didn't).

    COMMAND LINE PROCESS
    Download certutil here:
    https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/msvc9/WINNT5.1_OPT.OBJ/nss-3.12.4.zip
    Then follow these command examples:

    Create a list of certificates installed in Firefox
    certutil -L -d "C:\Documents and Settings\YOUR_USERNAME\Application Data\Mozilla\Firefox\Profiles\YOUR_FIREFOX_PROFILE_FOLDER" > "c:\certlist.txt"

    Export a certificate from Firefox using a name from the list
    certutil -L -r -n "Google Internet Authority G3" -d "C:\Documents and Settings\YOUR_USERNAME\Application Data\Mozilla\Firefox\Profiles\YOUR_FIREFOX_PROFILE_FOLDER" > "c:\certs\Google Internet Authority G3.crt"

    Import the exported certificate into Light
    certutil -A -n "Google Internet Authority G3" -t "C,C,C" -i "c:\certs\Google Internet Authority G3.crt" -d sql:"C:\Program Files\Light\browser\Light\Light\Profiles\YOUR_LIGHT_PROFILE_FOLDER"
    Note:
    The version of Light that I have installed uses the cert9.db file. If the version you have installed uses cert8.db (unlikely but possible), follow this example instead:
    certutil -A -n "Google Internet Authority G3" -t "C,C,C" -i "c:\certs\Google Internet Authority G3.crt" -d "C:\Program Files\Light\browser\Light\Light\Profiles\YOUR_LIGHT_PROFILE_FOLDER"
    If you're not sure, just try both. It won't hurt anything.

    Additional Notes:
    I recommend starting with the Google certificates because you'll be able to easily check if it worked by going to google.com and seeing if the page loads without an error message.
    If you know how to make simple scripts, you can make a script (using the above command examples) that will automatically export all certificates from Firefox and import them into Light.
    You do not need to copy nssckbi.dll over from Firefox (it does nothing).
    You'll notice that in the examples above, the Light profile is located in the Light folder. That's because I use portable mode. To use portable mode, you just rename custom_t.ini to custom.ini
    If you have multiple profiles, you'll have to perform the export/import process for each profile and if you ever accidentally delete or damage your profile, you'll have to do it all over again. I recommend creating a backup copy of your Light folder after you perform the export/import process, and store it some place safe.
    I performed the import/export process in Windows XP. Maybe it works in Windows 7 as well but I didn't try it.

     
  • Anonymous

    Anonymous - 2020-08-28

    Here is the solution for GNU/Linux,

    same problem, "standard Certificates" which may come w/ Mozilla are not included with Light (see bottom for version details).

    Here is the best way to Export/Import them using the certutil CLI command with nice (I hope) guidelines :

    1 - Install certutil binary with

    sudo apt install libnss3-tools
    

    2 - Set env variables for your Mozilla and Light Profiles with something like

    MOZILLA_PROFILE="/home/stephane/.mozilla/firefox/8rqsv5xu.default"
    LIGHT_PROFILE="/home/stephane/.light/light/4x004xxh.default"
    CA_LIST="./ca.list.temporary"
    

    Last variable is for the temporary file we will need.

    3 - Do a sanity backup of your cert9.db files and go in a safe place (empty dir)

    for Profile in "$MOZILLA_PROFILE" "$LIGHT_PROFILE"; do cp "${Profile}"/cert9.db "${Profile}"/cert9.db.ori; done
    mkdir ~/Temporary
    cd !$
    

    You can check Certificates already available in each Profile
    certutil -L -d sql:"$MOZILLA_PROFILE" |less
    certutil -L -d sql:"$LIGHT_PROFILE" |wc
    - -L stands for list
    - -d stands for the directory where cert9.db reside (normally in the Profile's root)
    - sql: in front of the Path is important ! (read man certutil)
    - |less does more :)
    - |wc will show you number of lines (ie of certificates in the db)

    4 - Get the list of all Certificate names (nicknames) in a single file with the exact command below :

    certutil -L -d sql:"$MOZILLA_PROFILE" |grep -v "Certificate Nickname\|^$\|SSL,S/MIME,JAR/XPI" |sed 's/^\(.*\).*,,/\1/' |sed 's/  \+//' |tee "$CA_LIST"
    

    5 - Export all Certificates from Mozilla's profile to several flat ascii CRT files :

    IFS='
    '
    for nick in $(cat "$CA_LIST"); do certutil -L -d sql:"$MOZILLA_PROFILE" -n "$nick" -a |tee "${nick}".crt; done
    

    Watch out at the beginning !, IFS is entered with a newline character between two single quotes.
    Everything is in a single line/command which creates a .crt file for each Certificate it finds, named after the nickname of the Certificate (generally the CN= part I think).
    Watch out it will blow your screen :)

    6 - Last command imports all these Certificates into Light's Profile

    IFS='
    '
    for nick in $(cat "$CA_LIST"); do echo -ne "-- Importing $nick...\t"; certutil -A -d sql:"$LIGHT_PROFILE" -n "$nick" -a -t ',,' -i "${nick}".crt; if test $? = 0; then echo "done !"; else echo "ERROR ?"; fi; done
    

    Everything was right ?
    The command certutil -A is silent when successful, hence I added some echo to show the progress. Shell variable $? gives back the successfulness of the last command : it tells you if Import for the last Certificate succeeded.

    You can check the new database with
    certutil -L -d sql:"$LIGHT_PROFILE"
    Use either |less or |wc to see certificates or how many there are.

    You can reset IFS in case you keep this shell :

    unset IFS    # an unset IFS splits on space, tab and newline again
    

    Notes 1
    I'm using the following soft/version at this time
    - Mozilla Firefox 80.0b8
    - Light Light 49.0
    - libnss3-tools 2:3.35-2ubuntu2.12
    - Bodhi Linux Ubuntu 18.04.5 LTS (Bionic Beaver)

    Note 2
    cert9.db uses sql format, not dbm, the default format, that's why one has to use sql: with the option -d (man certutil for more)

    Note 3
    You can find more about IFS in man bash (type /IFS to find quickly) which defaults to <space><tab><newline>, very useful when parsing names with space, user entry, ascii databases, "read" commands, et caetera

    Troubleshoot
    - If you get Database needs user init using certutil : be sure to use sql: and not dbm: (or the contrary ?)
    - If you get certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format., be sure to specify the correct Profile Path, it must be a directory, not a file

    Let's be humble, call me God
    No I am not stephane, I am MegaloMan

    Tags
    [SOLVED] Your connection is not secure
    [SOLVED] SEC_ERROR_UNKNOWN_ISSUER
    [SOLVED] SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
    certificates missing absent expired
    Bodhi Ubuntu Light
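
Added example, not part of either post above: a script form of the export/import loop that the 2018 and 2020 posts describe, reading both nickname and trust flags from the `certutil -L` listing so each certificate keeps the trust it had in the source profile. `parse_cert_listing`, `safe_name`, `copy_certs` and the sample listing are constructed for illustration; the certutil options are the ones already used in the posts.

```sh
#!/bin/sh
# Constructed sample of `certutil -L` output (not taken from a real profile).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Google Internet Authority G3                                 ,,
Example Local Root CA                                        CT,C,C
'

# Read a `certutil -L` listing on stdin, print "nickname<TAB>trust" per cert.
# Header and blank lines never end in a three-part flag field, so they drop out.
parse_cert_listing() {
    awk '{
        line = $0
        sub(/[ \t]+$/, "", line)                  # strip trailing padding
        if (match(line, /[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/)) {
            nick  = substr(line, 1, RSTART - 1)   # may contain spaces
            trust = substr(line, RSTART)
            sub(/^[ \t]+/, "", trust)
            printf "%s\t%s\n", nick, trust
        }
    }'
}

# Nicknames may contain spaces or slashes; map them to a safe file name.
safe_name() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_'
}

# Hypothetical helper: copy_certs SRC_PROFILE DST_PROFILE WORKDIR
# Exports each cert as ASCII and imports it with its original trust flags.
copy_certs() {
    tab=$(printf '\t')
    certutil -L -d sql:"$1" | parse_cert_listing |
    while IFS="$tab" read -r nick trust; do
        file="$3/$(safe_name "$nick").crt"
        certutil -L -d sql:"$1" -n "$nick" -a > "$file" </dev/null ||
            { echo "export failed: $nick" >&2; continue; }
        certutil -A -d sql:"$2" -n "$nick" -t "$trust" -a -i "$file" </dev/null ||
            echo "import failed: $nick" >&2
    done
}

# Demo on the constructed sample; copy_certs needs certutil and real profiles.
printf '%s\n' "$SAMPLE_LISTING" | parse_cert_listing
```

Reading the list with `while read` leaves the shell's global IFS untouched, so nothing has to be reset afterwards.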

     
  • Anonymous

    Anonymous - 2020-10-27

    Okaaaay, I am alone in the world, every Light user has died from Covid huh ?

    I have a better solution :
    Reading the extraordinary Light's Author comment about certs (another God) :

    Authors: cstking
    By default, Light only trusts a few Root CAs. It may cause problems.
    If you run into cert problems when visiting https sites and it works with firefox, you can download or find nssckbi.dll shipped in firefox and put it into light's folder.

    from https://sourceforge.net/p/lightfirefox/wiki/certs/
    well, I felt stupid at this time..
    But, Light is so great that I hold on : and it WORKS.
    Here's how
    - looking for libnssckbi.so : you can download it from Debian with :
    - apt install libnss3 which provides /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
    which comes directly from http://www.mozilla.org/projects/security/pki/nss/
    The perfect library :)
    Then copy it in the correct destination :
    sudo cp -iv /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so /usr/local/lib/light
    (If you mind, make a backup of the original)
    And...
    And wait : it doesn't work straight, in fact, after my copy, I started again Light and ! the file had changed ! it passed from a 32-bit to a 64-bit version !

    libnssckbi.so:     ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=4d94167b30f9624608ba5540a7d1f8e9f0f0df08, stripped
    libnssckbi.so:     ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=dbac614e1006626e1cb0ab0c004d8f257ba48da0, stripped
    

    This is a BUG
    A BB-UU-GG ~ "I spell Beee, Youu, Geee, Bug"

    According to a race condition, whatever part of Light's code is recreating the libnssckbi.dll file, which cancels every effort to solve the problem...
    So, to anyone : keep on trying to copy in order to cope with it :)

    I gave life to God

    • Stéphane

    PS : waiting for Light v.50
    PPS : light package already exist on Debian, can it be called light-browser.deb ?

     
