This repository has been archived by the owner on Jun 30, 2021. It is now read-only.

how to add a certificate to firefox or chrome #344

Open
iblfw opened this issue Sep 12, 2019 · 38 comments

Comments

@iblfw

iblfw commented Sep 12, 2019

Now there is a website which must be visited with a certificate. What should I do? Add the certificate into
your image, or set the certificate in selenium webdriver.Remote? I have no idea; thanks for any advice.

@iblfw changed the title from "I can't add a credentials to firefox or chrome" to "how to add a certificate to firefox or chrome" on Sep 16, 2019
@gknepper

gknepper commented Nov 7, 2019

The only way for now is actually to update the image. I did that; this is my Dockerfile:

For Chrome it's working. For Firefox I'm copying a profile already created with the certificate inside, because there's no way to initialize the Firefox profile from the command line.

Hope it helps

FROM elgalu/selenium

USER root
# Disable the Chrome update repo before running apt
RUN sudo rm -rf /etc/apt/sources.list.d/google-chrome.list

# Note: --ignore-certificate-errors makes Chrome accept server certificates it cannot validate,
# so server-side trust errors are hidden regardless of the NSS import below.
ENV CHROME_ARGS='--no-sandbox --disable-setuid-sandbox --disable-cpu --disable-infobars --ignore-certificate-errors'

# Install the certificate into the system CA store
ADD certificate.crt /usr/local/share/ca-certificates/certificate.crt
RUN sudo update-ca-certificates

# certutil (from libnss3-tools) manages the NSS database that Chrome reads its trust from
RUN apt -qqy update \
    && apt -qqy --no-install-recommends install \
    libnss3-tools \
    libnss3-1d

USER seluser

# CHROME: create the per-user NSS database and import the certificate as a trusted CA
# (-t "CT,C,C" = trusted CA for TLS server, email and object signing); -L lists the contents
RUN mkdir -p /home/seluser/.pki/nssdb \
    && certutil -d /home/seluser/.pki/nssdb -N \
    && certutil -d sql:/home/seluser/.pki/nssdb -L \
    && certutil -d sql:/home/seluser/.pki/nssdb -A -t "CT,C,C" -n CertCA -i /usr/local/share/ca-certificates/certificate.crt \
    && certutil -d sql:/home/seluser/.pki/nssdb -L

# FIREFOX: drop in a profile built elsewhere that already contains the certificate
ADD firefoxprofile.tar.gz /home/seluser/

@chrismcmahon
Contributor

chrismcmahon commented Nov 18, 2019

@gknepper I need to do exactly this for Firefox, and you seem to have found the only way.

When starting the first time, Firefox will create a file 'profiles.ini' http://kb.mozillazine.org/Profiles.ini_file that points to a default profile directory.

That profile needs to have a 'cert9.db' file added containing the certificate in question, and also have the preference 'security.default_personal_cert' changed to "Select Automatically".

I can see that you seem to be updating the dockerfile at https://github.com/elgalu/docker-selenium/blob/1468f6d9aa980afabbe98a000d8ef5598b58224a/Dockerfile but can you explain what the file firefoxprofile.tar.gz in "ADD firefoxprofile.tar.gz /home/seluser/" contains?

I can see how that might contain the necessary cert9.db file and prefs.js file, but I don't see how that changes the profile that Firefox created in the necessary ways. Does it also replace profiles.ini somehow?

Thanks, I really hope to hear from you.

@gknepper

That's exactly the main problem on Firefox. When creating the profile on the command line, Firefox doesn't create the wallet (cert9.db), so as a workaround I was trying to start Firefox headless and kill it after some seconds just to create the entire structure (profile) locally. What I did instead was create a profile on my local machine where I added every setting that I need (certificates and proxy settings), then I saved this content (the entire /home/user/.mozilla) in this firefoxprofile.tar.gz file. It's "hardcoded" but works.

@chrismcmahon
Contributor

Hahaha, I understand!

Do you think it would be possible to do for example

ADD /home/seluser/.mozilla/profiles.ini (POINTS TO CUSTOM PROFILE 'myprofile.default-release')
ADD /home/seluser/.mozilla/profiles/myprofile.default-release/cert9.db
ADD /home/seluser/.mozilla/profiles/myprofile.default-release/prefs.js

and would it require adding the other approximately 50 files to myprofile.default-release also? Or do you think Firefox would create those in place upon not finding them in the place that profiles.ini would tell it to look?

Again, thank you very much for the answers and for helping, I've been reading about this problem for some time now.

@gknepper

Well, I think this is doable, but why not compress the profile, all these 50 files and all this structure, in a tar.gz or a zip file?

The other thing that I can do is just add a profile without any configuration/certificate inside your container (ADD) and use the same command that I used on the Chrome app to update the Firefox cert9.db. It's 100% compatible, I've tested it already.

@chrismcmahon
Contributor

I am still learning about docker-selenium, but it seems to me that doing

ADD profile.ini /home/seluser/.mozilla/profiles.ini
ADD cert9.db /home/seluser/.mozilla/profiles/myprofile.default-release/cert9.db
ADD prefs.js /home/seluser/.mozilla/profiles/myprofile.default-release/prefs.js

might work. I'll try that soon.

@chrismcmahon
Contributor

@gknepper I have done exactly what you have done and created a .tar.gz file for an entire .mozilla directory in Ubuntu. Is it true that the way you use this is to

  • git clone the project and cd to the Dockerfile directory
  • edit the Dockerfile with your additions
  • "docker build -t selenium ."

When you edit the Dockerfile do you put "ADD firefoxprofile.tar.gz /home/seluser/" as the last line of the file?
Thanks!

@gknepper

Hello @chrismcmahon, no, I'm not cloning the project. I don't need to. I'm reusing the previous working image, as you may check in the first line (FROM elgalu/selenium). So I'm just adding more layers on top of the previous image. It's faster than rebuilding everything from scratch.

So I created Dockerfile and ran a docker build only.

@chrismcmahon
Contributor

@gknepper thanks again, you are saving me a lot of time! So I think that if I had a Dockerfile that looks like

FROM elgalu/selenium

USER seluser

ADD ffprofile.tar.gz /home/seluser/

then do docker build -f /path/to/a/Dockerfile . I should get the expected result?

@gknepper

@chrismcmahon Yes!

@chrismcmahon
Contributor

chrismcmahon commented Nov 20, 2019

Something is going wrong with this process, I think I have a misunderstanding...

On a Ubuntu system I installed Firefox, installed a certificate and changed Preferences. I did 'tar -czvf' to create 'ffprofile.tar.gz' that contains the whole '.mozilla' directory. I transferred this file back to my system running docker.

Just to be sure, I unzipped the file with 'tar -xvf ffprofile.tar.gz' and I can see
ls .mozilla/firefox/0pe1dj08.default-release/cert9.db
.mozilla/firefox/0pe1dj08.default-release/cert9.db
(and the preferences are correct also)

I do
docker build -f Dockerfile .
Sending build context to Docker daemon 24.03 MB
Step 1/3 : FROM elgalu/selenium
---> cf706845a6b0
Step 2/3 : USER seluser
---> Using cache
---> ee3c3afef1c9
Step 3/3 : ADD ffprofile.tar.gz /home/seluser/
---> Using cache
---> 39a865d6854c
Successfully built 39a865d6854c

I do
docker container export grid_firefox_1 > foo.tar
and untar the file with 'tar xopf foo.tar'

I have no Profile directory in the docker image

dockerfilesystem]# ls -al home/seluser/.mozilla/firefox/
total 0
drwxrwxrwx. 4 root root 46 Oct 11 10:08 .
drwxrwxrwx. 3 root root 20 Oct 11 10:08 ..
drwxrwxrwx. 3 root root 51 Oct 11 10:08 Crash Reports
drwxrwxrwx. 2 root root 6 Oct 11 10:08 Pending Pings

My selenium test that uses the certificate fails in the way I would expect if there is no certificate in the profile.

Am I leaving out a step somewhere? Would that source .tar.gz file have to be untarred/unzipped first somehow or something?

@gknepper

I would say, first start by expanding your 'ffprofile.tar.gz'; it should have way more than just the cert9.db...

Second.. in your ubuntu machine, delete the .mozilla in your home directory and expand the ffprofile.tar.gz there and test your firefox. If your firefox doesn't work as expected, it's definitely your 'ffprofile.tar.gz' with the wrong content inside.

@chrismcmahon
Contributor

Yes, my .ffprofile.tar.gz has all the regular .mozilla files and directories plus the changes that I made. The fs in firefox_grid_1 has nothing from there after running 'docker build'. I wonder, I have a grid node and a firefox node, could 'docker build' be updating the wrong docker container?

@gknepper

Did you define a name for your image when you ran the build ("docker build -t new_image .")?

Check with the command "docker image" all images that you may have in your system. I think you're creating an image but starting the container using the old one.

@chrismcmahon
Contributor

I looked for the string "docker image" and I don't seem to be using it anywhere.

grep -r 'docker image' *
Binary file dockerfilesystem/foo.tar matches
dockerfilesystem/test/bef:docker images selenium
dockerfilesystem/test/before_install_build:docker images selenium
dockerfilesystem/test/before_install_pull:docker images selenium
dockerfilesystem/test/before_install_pull:docker images elgalu/selenium

I'm using a docker-compose.yml file. The firefox image is

firefox:
  image: elgalu/selenium
  depends_on:
    - hub
  volumes:
    - /dev/shm:/dev/shm
  shm_size: 12g
  privileged: true
  environment:
    - DEBUG=false
    - PICK_ALL_RANDOM_PORTS=true
    - SELENIUM_HUB_HOST=hub
    - SELENIUM_HUB_PORT=4444
    - SELENIUM_NODE_HOST={{CONTAINER_IP}}
    - VNC_FROM_PORT=${VNC_FROM_PORT-40650}
    - VNC_TO_PORT=${VNC_TO_PORT-40700}
    - SCREEN_WIDTH=1300
    - SCREEN_HEIGHT=999
    - VIDEO=${VIDEO-false}
    - GRID=false
    - CHROME=false
    - FIREFOX=true

and ends up being called 'grid_firefox_1'

@gknepper

Check the steps 3 and 4 on this tutorial.

https://www.howtoforge.com/tutorial/how-to-create-docker-images-with-dockerfile/

@chrismcmahon
Contributor

Thank you! I think I must have missed that Step 3.

docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
39a865d6854c About an hour ago 1.47 GB
docker.io/elgalu/selenium latest cf706845a6b0 5 weeks ago 1.46 GB
docker.io/elgalu/selenium 651da26fe56c 8 months ago 1.47 GB
docker.io/elgalu/selenium 7caa36136e19 10 months ago 1.42 GB
docker.io/elgalu/selenium 53b755899a26 11 months ago 1.41 GB
docker.io/elgalu/selenium da3e011f73cd 12 months ago 1.41 GB
docker.io/elgalu/selenium 3.14.0-p11 38fadc47c25c 13 months ago 1.4 GB

@chrismcmahon
Contributor

docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d6c034f6560c elgalu/selenium "entry.sh" About an hour ago Up About an hour grid_firefox_1
bf00c79969b5 elgalu/selenium "entry.sh" About an hour ago Up About an hour 0.0.0.0:4444->4444/tcp, 0.0.0.0:40650-40700->40650-40700/tcp grid_hub_1

@chrismcmahon
Contributor

I definitely never run any "docker build -t" steps, hmm.

@chrismcmahon
Contributor

chrismcmahon commented Nov 20, 2019

I think I am almost there.

I do 'docker-compose -p grid down'
I do 'docker images'
I don't see anything useful
I do 'docker-compose -p grid up --force-recreate -d'
With my 3-line Dockerfile above I do 'docker build -f Dockerfile -t has_ff_profile .'
I see

Sending build context to Docker daemon 24.03 MB
Step 1/3 : FROM elgalu/selenium
---> cf706845a6b0
Step 2/3 : USER seluser
---> Using cache
---> ee3c3afef1c9
Step 3/3 : ADD ffprofile.tar.gz /home/seluser/
---> Using cache
---> 39a865d6854c
Successfully built 39a865d6854c

Now I see
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
has_ff_profile latest 39a865d6854c 2 hours ago 1.47 GB

(Why does it say '2 hours ago'? I guess because it cached earlier actions...)

I do 'docker-compose -p grid down' again
I do 'docker-compose -p grid up --force-recreate -d' again

In my docker-compose file I change firefox: 'image: elgalu/selenium' to 'image: has_ff_profile'
I do 'docker-compose -p grid down' again
I do 'docker-compose -p grid up --force-recreate -d' again

I run my test that should use the certificate.
I get "Net::ReadTimeout (Net::ReadTimeout)" It seems like Firefox never starts.

I feel like I am really close here.

@chrismcmahon
Contributor

chrismcmahon commented Nov 20, 2019

I am so close:

I created a Dockerfile like this

FROM elgalu/selenium

USER seluser

ADD ffprofile.tar.gz /home/seluser/

RUN cd /home/seluser

USER root

RUN ls .mozilla/firefox

and I see

RUN ls .mozilla/firefox
---> Running in 4875e3a115ca

0pe1dj08.default-release
Crash Reports
installs.ini
Pending Pings
profiles.ini

I wonder if something is wrong with permissions because if I leave out that step "USER root" I get an error "ls: cannot open directory '.mozilla': Permission denied"

docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
68307c0e9ace has_ff_profile_3 "entry.sh" 21 seconds ago Up 20 seconds grid_firefox_1

@gknepper

Create your image again with this Dockerfile... and yes, it's definitely a problem in your ffprofile.tar.gz, most likely permissions.

FROM elgalu/selenium
USER root
ADD ffprofile.tar.gz /home/seluser/
RUN chown -R seluser: /home/seluser/.mozilla
RUN ls .mozilla/firefox

@chrismcmahon
Contributor

almost: I have to switch USER back at the end

FROM elgalu/selenium
USER seluser
ADD ffprofile.tar.gz /home/seluser/
USER root
RUN chown -R seluser: /home/seluser/.mozilla
USER seluser

I'm still not quite there but I am SO CLOSE. :-) Thanks again!

@chrismcmahon
Contributor

This seems like it should work, and yet I still have a problem:

Using my Firefox profile directory I created on a Ubuntu iso system:

I have a Dockerfile like so:

FROM elgalu/selenium
USER seluser
ADD ffprofile.tar.gz /home/seluser/
USER root
RUN chmod -R 777 /home/seluser/.mozilla
USER seluser
RUN ls -al /home/seluser/.mozilla/firefox/0pe1dj08.default-release

(Note: I tried 'chown -R seluser' first, then 'chmod -R 777' to be certain that permissions were not the problem)

I do 'docker build -f Dockerfile -t has_ff_profile .'

The output from that 'ls -al' command in the Dockerfile shows correctly:

RUN ls -al /home/seluser/.mozilla/firefox/0pe1dj08.default-release
 ---> Running in d96a662b447b

total 12156
drwxrwxrwx. 1 999 999    4096 Nov 19 20:51 .
drwxrwxrwx. 1 999 999    4096 Nov 19 20:49 ..
-rwxrwxrwx. 1 999 999   14298 Nov 19 20:49 addons.json
-rwxrwxrwx. 1 999 999    6760 Nov 19 20:51 addonStartup.json.lz4
-rwxrwxrwx. 1 999 999       0 Nov 19 20:51 AlternateServices.txt
drwxrwxrwx. 1 999 999       6 Nov 19 20:40 bookmarkbackups
-rwxrwxrwx. 1 999 999     216 Nov 19 20:45 broadcast-listeners.json
-rwxrwxrwx. 1 999 999  229376 Nov 19 20:50 cert9.db
-rwxrwxrwx. 1 999 999     162 Nov 19 20:40 compatibility.
etc.

(Note the existence of the 'cert9.db' file in /home/seluser/.mozilla/firefox/0pe1dj08.default-release)

I edit my docker-compose file to point to this image and do 'docker-compose -p grid up --force-recreate -d'

I check that my firefox grid instance is using the correct image

# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                                                          NAMES
c62eb84c1e91        has_ff_profile      "entry.sh"          38 seconds ago      Up 37 seconds                                                                      grid_firefox_1
eafdfaeec8b2        elgalu/selenium     "entry.sh"          42 seconds ago      Up 38 seconds       0.0.0.0:4444->4444/tcp, 0.0.0.0:40650-40700->40650-40700/tcp   grid_hub_1

I start my browser in the docker container

@browser = Watir::Browser.new :firefox, marionette: true, acceptInsecureCerts: true, url: "http://0.0.0.0:4444/wd/hub", profile: "default-release"

(Note: I have also tried starting the browser with no profile argument and I get the same result)

I run my test that navigates to the page expecting the certificate:

And the test fails. I took a snapshot of the browser at the point of failure and the browser in the docker container sees the Firefox error page saying "Secure Connection Failed An error occurred during a connection to myhost:myport. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT"

As if the browser in the docker container does not have a certificate.

Any suggestions as to what might be wrong would be welcome. I think I've tried everything I can think of.

@chrismcmahon
Contributor

Update: I took a snapshot of 'about:profiles' page for the Firefox instance in the docker container and it is indeed using 'default-release' and the directory for that is indeed '/home/seluser/.mozilla/firefox/0pe1dj08.default-release'. Why would Firefox not recognize the certificate in that Profile?

@gknepper

My best guess is: the profile that you created was somehow incompatible with the Firefox inside the container. My suggestion is to enable VNC in this container and create the file using the internal Firefox. I did mine using this technique.

@chrismcmahon
Contributor

chrismcmahon commented Nov 29, 2019

I think I have one last mystery. This time I created my Profile with a certificate and preferences on the latest docker-selenium Firefox Standalone Debug image https://github.com/SeleniumHQ/docker-selenium/tree/master/StandaloneFirefoxDebug. I made a .tar.gz of the .mozilla directory and injected it into my own image with the Dockerfile using the latest image from /elgalu/docker-selenium (both Firefox v.70) and checked that everything looks correct. My test still fails.

Here is the mystery: in the container I took a screen shot of the page at "about:profiles" and I have attached it here.
[attached screenshot: one_profile]

When I look at my regular normal browser 'about:profiles' page in the Standalone Debug image I see a notice saying "Profile: default-release/This is the profile in use and it cannot be deleted." I also see the page say "Default Profile: yes".

The 'about:profiles' page in the docker container has "Default Profile:no" and I don't see the "This profile is in use..." message.

I've tried building my image with both "RUN chmod -R 777 /home/seluser/.mozilla" and "RUN chmod -R 777 /home/seluser/.mozilla" and I get the same result with either one.

Finally, I tried injecting the '.cache' directory along with the .mozilla directory in the Dockerfile but I get the same result

ADD one_ff_profile.tar.gz /home/seluser/
ADD one_cache.tar.gz /home/seluser/
USER root
RUN chown -R seluser: /home/seluser/.mozilla
RUN chown -R seluser: /home/seluser/.cache
USER seluser 

I did not think it was actually possible for Firefox to run with no Profile at all, but that seems to be what is happening in the docker container.

@chrismcmahon
Contributor

Another take:

I ran the Firefox standalone image (with VNC on port 5901):

$ docker ps
CONTAINER ID        IMAGE                                              COMMAND                  CREATED             STATUS              PORTS                                            NAMES
44f221535a4e        selenium/standalone-firefox-debug:3.141.59-xenon   "/opt/bin/entry_poin…"   47 hours ago        Up 47 hours         0.0.0.0:4444->4444/tcp, 0.0.0.0:5901->5900/tcp   frosty_franklin 

I created the Profile I need with the certificate and the preference. I navigated to where I need to go to make sure it works correctly on the standalone image.

I made the .tar.gz files in the simplest possible Dockerfile

FROM elgalu/selenium

USER seluser

ADD one_ff_profile.tar.gz /home/seluser/
ADD one_cache.tar.gz /home/seluser/

I have a shell on the standalone docker-selenium image and I have a shell on the grid_firefox_1 image. Doing ls -al on the .mozilla directory shows that all permissions are the same for user 'seluser' for all files and directories. The profiles.ini files are identical.

And I still get the problem shown in the image above. The Firefox on the grid_firefox_1 image can see the default-release profile but it is not in use and "Default Profile" is set to "no".
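The thread above keeps coming back to which profile directory profiles.ini actually marks as default and whether cert9.db is in it. As an added example (not code from this thread or from the docker-selenium project), this Python diagnostic reads profiles.ini, resolves the default profile directory from either the `[Install...] Default=` entry Firefox 67+ writes or a `[ProfileN] Default=1` flag, and checks that the NSS cert store and its companions are present there. The profile name 0pe1dj08.default-release, the Install section hash and the fixture directory are constructed sample values.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed sample profiles.ini files (not from the page). SAMPLE has the
# Version=2 shape Firefox 67+ writes, with a per-installation [Install...]
# section; LEGACY only marks a [ProfileN] with Default=1; UNMARKED marks none.
SAMPLE_PROFILES_INI = """\
[Install4F96D1932A9F858E]
Default=0pe1dj08.default-release
Locked=1
[Profile0]
Name=default-release
IsRelative=1
Path=0pe1dj08.default-release
Default=1
[General]
StartWithLastProfile=1
Version=2
"""
LEGACY_PROFILES_INI = "[Profile0]\nName=default\nIsRelative=1\nPath=abcd1234.default\nDefault=1\n"
UNMARKED_PROFILES_INI = "[Profile0]\nName=default\nIsRelative=1\nPath=abcd1234.default\n"


def parse_profiles_ini(text):
    """profiles.ini keys are case-sensitive, so disable configparser's lowercasing."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def default_profile_dir(text, mozilla_dir):
    """Directory Firefox treats as the default profile, or None if none is marked.
    An [Install...] Default= entry wins; otherwise the first [ProfileN] with Default=1."""
    cp = parse_profiles_ini(text)
    base = Path(mozilla_dir) / "firefox"  # relative Path= values resolve against this
    for section in cp.sections():
        if section.startswith("Install") and cp.has_option(section, "Default"):
            return base / cp.get(section, "Default")
    for section in cp.sections():
        if section.startswith("Profile") and cp.get(section, "Default", fallback="0") == "1":
            path = cp.get(section, "Path")
            return base / path if cp.get(section, "IsRelative", fallback="1") == "1" else Path(path)
    return None


def check_profile(profile_dir):
    """What a certificate-bearing profile must contain: NSS cert store, key store, prefs."""
    profile_dir = Path(profile_dir)
    return {
        "exists": profile_dir.is_dir(),
        "cert9.db": (profile_dir / "cert9.db").is_file(),
        "key4.db": (profile_dir / "key4.db").is_file(),
        "prefs.js": (profile_dir / "prefs.js").is_file(),
    }


def diagnose(mozilla_dir):
    """Run the whole check against a .mozilla tree such as /home/seluser/.mozilla."""
    ini = Path(mozilla_dir) / "firefox" / "profiles.ini"
    if not ini.is_file():
        return {"profiles.ini": False}
    prof = default_profile_dir(ini.read_text(), mozilla_dir)
    if prof is None:
        return {"profiles.ini": True, "default_profile": None}
    report = check_profile(prof)
    report.update({"profiles.ini": True, "default_profile": str(prof)})
    return report


def make_sample_mozilla_dir():
    """Throwaway .mozilla tree matching SAMPLE_PROFILES_INI; the empty cert9.db is a stand-in."""
    root = Path(tempfile.mkdtemp(prefix="mozilla-"))
    prof = root / "firefox" / "0pe1dj08.default-release"
    prof.mkdir(parents=True)
    (root / "firefox" / "profiles.ini").write_text(SAMPLE_PROFILES_INI)
    (prof / "cert9.db").write_bytes(b"")  # constructed placeholder, not a real NSS database
    return str(root)
```

Running diagnose("/home/seluser/.mozilla") inside the container (for example from a RUN step) shows whether the extracted profile is the one Firefox will pick and whether its cert9.db arrived.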

@chrismcmahon
Contributor

Thanks for all the help! I just now filed an issue against geckodriver with my findings about a copy of a Profile not working mozilla/geckodriver#1662

@chrismcmahon
Contributor

One more data point: I created an elgalu/docker-selenium grid on a machine where I do have VNC access, made my changes to about:preferences, made a tar.gz file of the .mozilla directory, moved that file to my target system, did the Dockerfile dance, and ran my test, which failed in the same way it always fails. The difference with using an elgalu/docker-selenium node instance instead of a docker-selenium Firefox Standalone Debug instance is that I now have a 'default-release' profile set to 'default'. The browser is not using that profile, but previously the browser was not using it AND it was not set to default. Progress...
[attached screenshot: latest]

@massinger

Thanks for your great work @gknepper, the config with libnss3-tools works fine for me, thanks.

@XanaDublaKublaConch

@chrismcmahon Did you ever figure this out? I've got a similar issue. I have my Chrome instance up and running perfectly, but Firefox is a nightmare with a custom CA. I have a custom docker image that I build, ADD the firefoxprofile.tar.gz that I created in the docker image using VNC, and all of my tests fail with InsecureCertificateException. I'm using the NoVNC option on the selenium Firefox node to watch the test and it's obviously not using my profile. If I manually open the ff browser in the VNC session, it defaults to my working profile and I have my custom CA. In Python, I can use add_argument with '-profile /home/seluser/.mozilla/profiles/whatever-release' and I see the browser fire up with the correct profile, but the webdriver errors out with a KeyError looking for ['status']. This is maddening!

@chrismcmahon
Contributor

@XanaDublaKublaConch I never did. I pursued it a long way with the selenium maintainers, and I eventually ended up filing a bug against geckodriver iirc. That was right around the time Moz laid off the whole QA staff, so I doubt that they're interested in fixing it.

@XanaDublaKublaConch

That's disheartening, but thanks for the info!

@gknepper

Hello @chrismcmahon and @XanaDublaKublaConch the solution that I proposed here worked for me =>

#344 (comment)

Please let me know if I can help you somehow.

@XanaDublaKublaConch

Thanks, @gknepper That is essentially what I used and I should have thanked you profusely for that. The chrome custom image works beautifully, but Firefox does not, despite the fact that the profile is there and working manually. I can't use the elgalu/selenium image as a base because I need to use Selenium Grid 4. I'm working in a secure environment and I have to have TLS support on the external hub port (4444), which requires node registration. I'm also trying to figure out how to inject custom headers into the embedded netty server.

I can enable the NoVNC port on the Firefox docker image and watch selenium start Firefox. It immediately pops up the insecure cert warning. Since the script errors out, the browser stays open and I can look in the cert store of that browser session. My CA is not in the trusted certs. In the same X desktop session, which is running as seluser, I can close the selenium browser session, start Firefox from the terminal prompt and it uses the profile from the custom build. From that browser session, I can see my certs in the cert store and I can open sites using that CA as the issuer with no problems.

It seems like the geckodriver is either creating a new, temporary blank profile or a temporary copy of the custom profile without the cert store. The weird part is, when the selenium session errors out and I can't see my CA cert, if I go to about:profiles, I still only see the one default profile that should be working.

@gknepper

Hello @XanaDublaKublaConch

First, check that the issue you're facing isn't actually a known bug. Check this out: https://bugzilla.mozilla.org/show_bug.cgi?id=1103196

Besides I think this thread can help you out on the certificate on firefox.
https://stackoverflow.com/questions/1435000/programmatically-install-certificate-into-mozilla

As you're not using the elgalu/selenium image it's hard to predict what is involved and how to help you more.

My 2 cents. Have fun!

@ahuemmer

Hello @gknepper, @XanaDublaKublaConch and @chrismcmahon,

Just wanted to let you know that finally I achieved it altogether, thanks to your last hint @gknepper. 🙂

Here's an example Dockerfile (I know, the way I create the policies.json is quite ugly, but ad hoc I didn't find anything better, as heredoc doesn't work in Dockerfiles...)

FROM elgalu/selenium

ARG CERTS_DOWNLOAD_URL=https://my.great.com/pany/certs/certs.tar.gz
ARG FIREFOX_POLICIES_FILE=/etc/firefox/policies/policies.json

USER root

# Install company certificates in system
# Note: curl -k disables TLS verification of this download, so the archive that seeds the
# trust stores is fetched unauthenticated; only use it against a source you control.
RUN curl -ksL ${CERTS_DOWNLOAD_URL} -o certs.tar.gz && \
    tar -xzf certs.tar.gz && \
    cp certs/cert/* /usr/local/share/ca-certificates/ && \
    mkdir -p /home/seluser/.mozilla/certificates && \
    mkdir -p $(dirname ${FIREFOX_POLICIES_FILE}) && \
    cp certs/cert/* /home/seluser/.mozilla/certificates && \
    rm -rf certs && rm certs.tar.gz && \
    update-ca-certificates

# Disable chrome update repo and then install necessary tools for cert archive creation
RUN rm /etc/apt/sources.list.d/google-chrome.list && \
    apt -qqy update && \
    apt -qqy --no-install-recommends install \
      libnss3-tools \
      libnss3-1d && \
    apt -qyy autoremove && \
    apt -qyy clean

# Install certs in Firefox: write an enterprise policies.json whose Certificates.Install list
# names each copied PEM file; the sed strips the trailing comma from the last list entry
RUN echo "{"  >> ${FIREFOX_POLICIES_FILE} && \
    echo "  \"policies\": {" >> ${FIREFOX_POLICIES_FILE} && \
    echo "    \"Certificates\": {" >> ${FIREFOX_POLICIES_FILE} && \
    echo "      \"ImportEnterpriseRoots\": true, " >> ${FIREFOX_POLICIES_FILE} && \
    echo "      \"Install\": [" >> ${FIREFOX_POLICIES_FILE} && \
    for cert in /home/seluser/.mozilla/certificates/*; do echo "        \"${cert}\"," >> ${FIREFOX_POLICIES_FILE}; done && \
    sed -i '$s/,$//' ${FIREFOX_POLICIES_FILE} && \
    echo "      ]" >> ${FIREFOX_POLICIES_FILE} && \
    echo "    }" >> ${FIREFOX_POLICIES_FILE} && \
    echo "  }" >> ${FIREFOX_POLICIES_FILE} && \
    echo "}" >> ${FIREFOX_POLICIES_FILE}

USER seluser

# Create a nssdb cert archive to be used with chrome. It will contain the company certificates imported earlier, therefore making chrome accept them as valid.
# -t "CT,C,C" marks each certificate as a trusted CA for TLS server, email and object signing.
RUN mkdir -p /home/seluser/.pki/nssdb \
    && certutil -d /home/seluser/.pki/nssdb -N \
    && for cert in /usr/local/share/ca-certificates/*; do certutil -d sql:/home/seluser/.pki/nssdb -A -t "CT,C,C" -n $(basename ${cert}) -i ${cert}; done
# To verify, you could issue:  certutil -d sql:/home/seluser/.pki/nssdb -L

CMD ["entry.sh"]
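The echo/sed construction of policies.json above is fragile (a path containing a quote or a stray non-certificate file in the directory breaks or pollutes the policy). As an added example, not code from this thread or from the docker-selenium project, the same Certificates policy built with Python's json module: only files with well-formed PEM certificate framing are listed, the result is written to the policies path, and a re-read check reports any Install entry that does not exist on disk. The file names and the placeholder PEM body are constructed; /etc/firefox/policies/policies.json is the location used in the Dockerfile above.

```python
import json
import tempfile
from pathlib import Path

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def is_pem_certificate(path):
    """True if the file holds a well-framed PEM certificate block.
    This checks framing only; it does not validate the certificate itself."""
    try:
        text = Path(path).read_text(encoding="ascii")
    except (OSError, UnicodeDecodeError):
        return False
    begin, end = text.find(PEM_BEGIN), text.find(PEM_END)
    return begin != -1 and end != -1 and begin < end


def build_policies(cert_dir):
    """Firefox enterprise policy dict installing every PEM file in cert_dir as a root.
    Non-certificate files (a README, a key file) are skipped rather than listed."""
    certs = sorted(str(p.resolve()) for p in Path(cert_dir).iterdir()
                   if p.is_file() and is_pem_certificate(p))
    if not certs:
        raise ValueError("no PEM certificates found in %s" % cert_dir)
    return {"policies": {"Certificates": {"ImportEnterpriseRoots": True, "Install": certs}}}


def write_policies(cert_dir, policies_file):
    """Write policies.json (e.g. /etc/firefox/policies/policies.json); json.dumps
    handles quoting and the last-entry comma that the echo/sed version had to patch."""
    policy = build_policies(cert_dir)
    out = Path(policies_file)
    out.parent.mkdir(parents=True, exist_ok=True)
    out.write_text(json.dumps(policy, indent=2) + "\n")
    return policy


def missing_install_entries(policies_file):
    """Re-read a policies.json and list Install paths absent on disk: the check to
    run in the image build, since Firefox silently skips entries it cannot open."""
    data = json.loads(Path(policies_file).read_text())
    return [p for p in data["policies"]["Certificates"]["Install"] if not Path(p).is_file()]


# Constructed placeholder with valid PEM framing; NOT a real certificate.
FAKE_PEM = PEM_BEGIN + "\nMIIBszCCAVmgAwIBAgIUPLACEHOLDER\n" + PEM_END + "\n"


def make_sample_cert_dir():
    """Throwaway directory with two placeholder .crt files and one non-certificate file."""
    d = Path(tempfile.mkdtemp(prefix="certs-"))
    (d / "company-root.crt").write_text(FAKE_PEM)
    (d / "company-issuing.crt").write_text(FAKE_PEM)
    (d / "README.txt").write_text("not a certificate\n")
    return str(d)
```

In the Dockerfile this replaces the echo/sed RUN step with a single call such as write_policies("/home/seluser/.mozilla/certificates", "/etc/firefox/policies/policies.json"), followed by an assertion that missing_install_entries() returns an empty list.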

7 participants