Chrome, Linux, headless, using client certificates - selenium

I am having a problem passing my test user's PKI certificates in the headless mode. I am using Java Selenium WebDriver 4.3.0. When I run my test suite in normal mode, my profile and certificates are picked up perfectly. Profile users are selected by the ChromeOptions class by identifying the --user-data-dir=. I have different profiles for each of my test users. Then the certificate is selected by the policy setting (i.e., AutoSelectCertificateForUrls). That also works perfectly. As I navigate to different URL locations my test certificates are presented and accepted correctly when I run in the normal mode.
When I change the mode to Headless=true (i.e., ChromeOptions.addArguments("--headless")), it all falls apart and no certificate is presented when I open a Chrome browser and hit any webpage.
I found that Firefox was extremely simple to manage profiles and PKI test certificates!!! When a test runs in normal mode and works perfectly, all I have to do is set the FirefoxOptions.addCommandLineOptions("--headless"); and it still works perfectly in the headless mode. Not so with Chrome!!!
Does anyone know the correct solution? I could use the information. I am really stuck here.... Is there a way to still make Chrome present PKI certificates in headless mode or does anyone know that this feature really does not work for Chrome/Chromium? Then I could stop wasting my time!
Thanks in advance for your help!

Well I actually found my own answer.
Unfortunately, it does not work!!!
It is all explained in the following issue.
Issue 1310715: Headless Chrome not using installed client (authentication) certificates from the store.
This issue shows the steps to reproduce.
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Steps to reproduce the problem:
1. Have a website behind a webserver that has browser client authentication with an SSL certificate.
2. Install the certificate in the certificate store of Chrome under $HOME/pki/nssdb folder. My certificate was in pk12 format, so I used pk12util to install it. The installation must exit with: 'pk12util: PKCS12 IMPORT SUCCESSFUL' message.
3. Add a policy to your website under /etc/opt/chrome/policies/managed, so that Chrome provides the certificate automatically to the site's webserver.
4. Open the website.
What is the expected behavior?
When the browser is started in headless or headful mode, the browser should provide the certificate to the webserver and proceed further.
What went wrong?
Only in headful mode does the browser provide the certificate to the webserver. Headless mode does not. There's this error in the logs:
The issue response states the following:
Headless Chrome doesn't currently implement client certs. Switching this to a feature request that the headless folks can triage. Mechanically, client certs come out of //content via CreateClientCertStore and SelectClientCertificate. Headless doesn't have a way to show UI, so it always continues without a client certificate.
https://bugs.chromium.org/p/chromium/issues/detail?id=1310715&q=component%3AInternals%3EHeadless&can=2
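The policy step in the reproduction above is easy to get wrong, because each AutoSelectCertificateForUrls entry is a JSON document serialized into a string. As an added example (not code from the post or the Chromium issue), this builds and checks such a policy file for the headful runs where the policy is honored; the host name and issuer CN are constructed placeholders, and the entry shape (a pattern plus a filter) is assumed from Chrome's policy documentation.

```python
import json

POLICY_KEY = "AutoSelectCertificateForUrls"


def build_policy(rules):
    """Build the policy dict from (url_pattern, issuer_cn) pairs."""
    entries = []
    for pattern, issuer_cn in rules:
        rule = {"pattern": pattern, "filter": {"ISSUER": {"CN": issuer_cn}}}
        # Each list element is a JSON document serialized into a string.
        entries.append(json.dumps(rule, separators=(",", ":")))
    return {POLICY_KEY: entries}


def check_policy(text):
    """Return the problems found in a policy file's text (empty list = OK)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"file is not valid JSON: {exc.msg}"]
    entries = doc.get(POLICY_KEY) if isinstance(doc, dict) else None
    if not isinstance(entries, list):
        return [f"{POLICY_KEY} must be a list of strings"]
    problems = []
    for i, raw in enumerate(entries):
        if not isinstance(raw, str):
            problems.append(f"entry {i}: nested object, expected a JSON string")
            continue
        try:
            rule = json.loads(raw)
        except json.JSONDecodeError:
            problems.append(f"entry {i}: string does not contain valid JSON")
            continue
        if not isinstance(rule, dict) or not isinstance(rule.get("pattern"), str):
            problems.append(f"entry {i}: missing 'pattern'")
        elif not rule.get("filter"):
            # Without a filter, any certificate the server accepts is sent.
            problems.append(f"entry {i}: no filter, any matching cert is auto-selected")
    return problems


if __name__ == "__main__":
    # Constructed sample values: test host and issuer CN are placeholders.
    policy = build_policy([("https://app.test.example", "Test Client CA")])
    text = json.dumps(policy, indent=2)
    print(text)
    print(check_policy(text) or "policy OK")
```

The printed JSON is what would go in a file under /etc/opt/chrome/policies/managed; scoping the filter to the test CA keeps the profile from auto-presenting other certificates in the same store.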

Related

Chrome driver unable to detect client certificate in headless mode

I'm trying to access a URL and run tests which specifically need a client certificate. The client certificate is installed on my system, and even if I have multiple certs I'm able to select the one needed for the URL and run the tests using Selenium automation perfectly in normal mode. But when I try to run the tests in headless mode, it is unable to detect the cert which is installed on my system. I'm not sure what the issue is, but is there any way I could resolve it?
I am getting this error: "org.openqa.selenium.WebDriverException:unknown error:net :: ERR_SSL_PROTOCOL_ERROR"
Note:
I have tried "AutoSelectCertificateForUrls" as well, but it didn't work. I don't see any configuration settings for Chrome.
Also, I don't have permissions to download the cert in .p12 format.

how to bypass certificate error in opera browser with python selenium on browserstack?

When testing on opera browser with python selenium on browserstack I see the following certificate error
How can I bypass this with python selenium? I have tried adding the capability
desired_cap['acceptSslCerts']=True but that doesn't work.
As per the link, https://www.browserstack.com/automate/capabilities, I believe the correct way of setting the 'acceptSslCerts' capability is ('true' and not 'True'):
'acceptSslCerts' : 'true'
Let me know if that helps.
As Opera 20 and above uses the Windows certificate store, the warning can be bypassed.
If you want to use an unknown self-signed certificate, you have to add it to Windows Trusted Root Certificates (but be careful using certificates without proving they are really for the server!).
See: https://www.thewindowsclub.com/manage-trusted-root-certificates-windows

How to disable "Mark non-secure origins as non-secure" within selenium tests?

I am running a non-https URL inside of my tests (so migration to https won't be easy) and because of that I am getting a warning inside of the browser.
How to disable "Non secure" warning inside of Chrome during selenium tests?
I've tried to play with arguments but nothing works
args: [
'start-maximized',
'disable-webgl',
'blacklist-webgl',
'blacklist-accelerated-compositing',
'disable-accelerated-2d-canvas',
'disable-accelerated-compositing',
'disable-accelerated-layers',
'disable-accelerated-plugins',
'disable-accelerated-video',
'disable-accelerated-video-decode',
'disable-gpu',
'disable-infobars',
'test-type',
'disable-extensions',
'allow-running-insecure-content',
'disable-web-security',
'ignore-certificate-errors',
'ignore-gpu-blacklist',
'no-default-browser-check',
'no-first-run',
'disable-default-apps'
]
The issue is that I need to resize windows to 420x800, but because of the warning the browser can't do that.
"Not Secure" SSL Error
As per Fix “Not Secure” SSL Error on Chrome Browser | Remove Warning with the release of Chrome 68, Google started showing all the HTTP sites as Not Secure on Chrome Browser.
Treatment of HTTP pages
This feature can be turned On / Off by accessing the page at chrome://flags/#enable-mark-http-as and setting the following attribute:
Mark non-secure origins as non-secure: Changes the UI treatment for HTTP pages on Mac, Windows, Linux, Chrome OS, Android
Default
Enabled
Enabled (mark as actively dangerous)
Enabled (mark with a Non Secure warning and dangerous on form edits)
Disabled
Using Selenium to disable this feature you need to use the ChromeOption --allow-running-insecure-content as follows:
Python:
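from selenium import webdriver
from selenium.webdriver.chrome.service import Service

# Chrome switches from the answer above
chrome_options = webdriver.ChromeOptions()
chrome_options.add_argument("start-maximized")
chrome_options.add_argument("disable-infobars")
chrome_options.add_argument("--allow-running-insecure-content")
# Selenium 4 takes the driver path via Service and the options via options=
service = Service(executable_path=r"C:\Utility\BrowserDrivers\chromedriver.exe")
driver = webdriver.Chrome(service=service, options=chrome_options)
driver.get("http://www.legislation.vic.gov.au/")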
This does not work for Chrome on Android devices. It's a bad idea for companies to tell users what they can and cannot look at. Tech giants like Google have gone too far and the government is letting it happen.

Local site testing with BrowserStack and self-signed certificates

I have started looking into testing our site with BrowserStack.
However, I'm having issues with live-testing (as opposed to automated testing with Selenium, which mostly works fine) a site we're developing as we're serving it with a self-signed certificate.
Manually approving the certificate doesn't bother me as much as the fact that some Ajax requests are failing (at least on IE10) due to security issues, and this makes it impossible to actually manually test the site.
An acceptable solution would be to somehow add our self-signed cert into the list of trusted root CAs. However, I haven't found out how to upload files into the BrowserStack test environment (not sure if that's even possible, really).
Any ideas?
I contacted BrowserStack about this issue, and their formal response is:
"We currently do not support installing client certificates on the remote machines. However, this is on our list, and we’ll keep you posted."
Hopefully this issue will be resolved soon and I'll post a different answer here.
April 2021 update:
BrowserStack has shipped a toggle to trust self-signed certs.
It is available on iOS and Android devices for now.
When it happens, open the "Network" tab, and open in a new tab the request which is failing. If it is "just" a certificate issue, you would then be able to bypass the warning. Then, your request should work correctly.
When the "Cannot Verify Server Identity" dialogue pops up, click details, then 'Trust'. This will work if all calls are to the same domain as the website.

SPNEGO authentication in Phantom

Experimenting with Phantomjs to scrape some information from a vendor application our company uses. When I open the page and render it, I can see that the only output is the message
SPNEGO authentication is not supported on this client.
I had seen that message in Firefox before, and the solution was to add the host to the trusted uris. That's great for FF, but in the context of a phantomjs script, is there a way to declare a site as trusted?
UPDATE: Tried the command-line parameters per Artjom's suggestion but no difference.
I don't think this protocol is implemented in PhantomJS. PhantomJS is built on top of QtWebKit. I found an old Aurora issue. Aurora is also based on QtWebKit.
If you search for SPNEGO or kerberos in the phantomjs repo, you don't find much. Searching for negotiate shows only some constants, but no actual implementation.