WebEngineKiosk (RPi3) - Installing CA certs for Chromium


I am trying to create “dumb” terminal Nerves app with Nerves + WebEngineKiosk on RPi3. I got the firmware to burn and update ok. The issue is that when the WebView opens my server app (Phoenix app on another Nerves Raspberry Pi) I get “ERR_CERT_AUTHORITY_INVALID”. The certificate and domain are completely legit. The cert is issued via SSL Mate, and it appears completely valid when I access the URL from my computer in Chrome. I have DNS properly set up on the private network, etc.

I even use the chained cert on the Phoenix app.
So my best guess is that the bare chromium on the kiosk_system_rpi3 does not include the root CA cert, with which my cert was signed.

So the question is, how do I go about fixing that. How could I customize the system, to include the CA cert, and make the browser trust it?

Thanks in advance for any pointers.


Just for some more details, I see this on the console:
14:42:17.945 [warn] webengine_kiosk(stderr): [159:236:0208/144217.945061:ERROR:cert_verify_proc_nss.cc(974)] CERT_PKIXVerifyCert for <domain.redacted.net> failed err=-8179

14:42:17.947 [warn] webengine_kiosk(stderr): [159:234:0208/144217.946830:ERROR:ssl_client_socket_impl.cc(962)] handshake failed; returned -1, SSL error code 1, net_error -202

The certificate is completely ok and legit. I think the problem is that Chromium does not recognize either of:
Sectigo RSA Domain Validation Secure Server CA
USERTrust RSA Certification Authority

CA certs. So the question is: how can I make it trust these?

Not 100% sure but I think if you drop the cert into /etc/pki/tls/certs it should work.

Don’t forget to check your time. Carts aren’t valid before their start date. Some Nerves configurations don’t setup the system clock and you get the default Unix epoch (1970). Way before SSL certs. Do a DateTime.utc_now if you’re unsure.