[GH-ISSUE #252] Trusting in Firefox and macOS keychain at the same time fails if Firefox is not installed #165

Closed
opened 2026-02-25 22:32:46 +03:00 by kerem · 4 comments

Originally created by @lukasbestle on GitHub (Mar 31, 2020).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/252

@mholt, the developer of Caddy Server sent me here.

Caddy tries to make a root CA trusted in all applicable trust stores. On my Mac with macOS Catalina 10.15.4, those are Firefox (NSS) and the macOS keychain.

However in this case, I didn't have Firefox installed, so trusting the CA failed with `ERROR pki failed to install root certificate {"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}`.

The effect is: the CA is not trusted in Firefox (which is to be expected), but it is also not trusted in the macOS keychain. It seems like `mkcert` fails hard once one of the targeted trust stores is unavailable or once there is an error. Instead it should still try the remaining trust stores.

You can find further details (full logs, more information) in the Caddy issue https://github.com/caddyserver/caddy/issues/3205 as well as in my Caddy forum topic at https://caddy.community/t/v2-local-root-cert-is-not-automatically-trusted-by-macos/7368?u=lukas.

If you need further information, please let me know.

kerem closed this issue 2026-02-25 22:32:46 +03:00

@mholt commented on GitHub (Mar 31, 2020):

I believe that a "not found" error in the case of a particular trust store not being installed could return a sentinel value: https://github.com/FiloSottile/mkcert/blob/d58feefc73e728e2abcf84656a0a93d41cb9b167/truststore_nss.go#L93

And then that error could be logged while other trust stores continue to be installed.

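The sentinel-error design suggested in the comment above, written out as an added example (not mkcert's or Caddy's own code): a store that is absent returns `ErrStoreNotFound` and is skipped, while real installation failures are collected without stopping the remaining stores. The `Installer` type, the `InstallAll` helper and the two stand-in installers are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// ErrStoreNotFound marks a trust store that is simply absent (e.g. no NSS
// database because Firefox is not installed), as opposed to a failed install.
var ErrStoreNotFound = errors.New("trust store not found")

// Installer installs a root certificate (PEM bytes) into one trust store.
type Installer struct {
	Name    string
	Install func(certPEM []byte) error
}

// InstallAll tries every store. ErrStoreNotFound is logged and skipped; any
// other error is collected but the remaining stores are still attempted.
// Returns the names of stores that succeeded and the joined real errors.
func InstallAll(certPEM []byte, stores []Installer) ([]string, error) {
	var installed []string
	var errs []error
	for _, s := range stores {
		err := s.Install(certPEM)
		switch {
		case err == nil:
			installed = append(installed, s.Name)
		case errors.Is(err, ErrStoreNotFound):
			log.Printf("skipping %s: %v", s.Name, err)
		default:
			errs = append(errs, fmt.Errorf("%s: %w", s.Name, err))
		}
	}
	return installed, errors.Join(errs...) // nil when errs is empty
}

func main() {
	// Constructed stand-ins for the two stores in the report; a real NSS
	// installer would shell out to certutil, the keychain one to security(1).
	stores := []Installer{
		{Name: "NSS (Firefox)", Install: func([]byte) error {
			return fmt.Errorf("no Firefox profile: %w", ErrStoreNotFound)
		}},
		{Name: "macOS keychain", Install: func([]byte) error { return nil }},
	}
	ok, err := InstallAll([]byte("-----BEGIN CERTIFICATE-----\n..."), stores)
	fmt.Println(ok, err)
}
```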

@mholt commented on GitHub (Mar 31, 2020):

To be clear, Caddy uses a fork of this repo that makes it usable as a library, but I wanted to make sure any design improvements could make their way back into the original.


@FiloSottile commented on GitHub (Oct 25, 2020):

I *think* mkcert will only try to install in the NSS database (and hard fail on an error) if it finds one or if Firefox is installed, so this sounds like an issue with the library fork. If I'm wrong and it can be reproduced with mkcert let me know!

I'll definitely keep this in mind when making a proper library.


@aktiver commented on GitHub (Dec 9, 2021):

Do we just need to install nss and mkcert does the rest for FF on MacOS X?
