Automattic · gavande1 · May 13, 2026 · May 13, 2026 · May 13, 2026 · May 13, 2026
diff --git a/apps/studio/src/components/content-tab-settings.tsx b/apps/studio/src/components/content-tab-settings.tsx
@@ -15,12 +15,14 @@ import { SettingsMenuItem } from 'src/components/settings-site-menu';
 import { useDeleteSite } from 'src/hooks/use-delete-site';
 import { useGetWpVersion } from 'src/hooks/use-get-wp-version';
 import { useSiteDetails } from 'src/hooks/use-site-details';
+import { isLinux } from 'src/lib/app-globals';
 import { getIpcApi } from 'src/lib/get-ipc-api';
 import EditSiteDetails from 'src/modules/site-settings/edit-site-details';
 import { useAppDispatch } from 'src/stores';
 import {
 	certificateTrustApi,
 	useCheckCertificateTrustQuery,
+	useGetLinuxBrowserCertSupportStatusQuery,
 } from 'src/stores/certificate-trust-api';
 
 interface ContentTabSettingsProps {
@@ -42,6 +44,9 @@ export function ContentTabSettings( { selectedSite }: ContentTabSettingsProps )
 	const dispatch = useAppDispatch();
 	const { __ } = useI18n();
 	const { data: isCertificateTrusted } = useCheckCertificateTrustQuery();
+	const { data: linuxBrowserCertStatus } = useGetLinuxBrowserCertSupportStatusQuery( undefined, {
+		skip: ! isLinux(),
+	} );
 	const username = selectedSite.adminUsername || 'admin';
 	// Empty strings account for legacy sites lacking a stored password.
 	const storedPassword = decodePassword( selectedSite.adminPassword ?? '' );
@@ -151,6 +156,18 @@ export function ContentTabSettings( { selectedSite }: ContentTabSettingsProps )
 								<LearnHowLink docsLinksKey="docsSslInStudio" />
 							</div>
 						) }
+						{ ! isCertificateTrusted &&
+							selectedSite.enableHttps &&
+							linuxBrowserCertStatus?.firefoxDetected && (
+								<div className="mt-1 max-w-96" data-testid="trust-cert-firefox-notice">
+									<span className="text-frame-text-secondary mt-1">
+										{ __(
+											'Firefox uses its own certificate store. If Firefox doesn’t recognize the certificate, import it manually to avoid the security warning.'
+										) }
+									</span>{ ' ' }
+									<LearnHowLink docsLinksKey="docsSslLinuxFirefox" />
+								</div>
+							) }
 					</SettingsRow>
 					<SettingsRow label={ __( 'Local path' ) }>
 						<CopyTextButton

diff --git a/apps/studio/src/ipc-handlers.ts b/apps/studio/src/ipc-handlers.ts
@@ -89,6 +89,7 @@ import {
 	isRootCATrusted,
 	trustRootCA,
 } from 'src/lib/certificate-manager';
+import { isFirefoxInstalledOnLinux } from 'src/lib/detect-linux-browsers';
 import { download } from 'src/lib/download';
 import { simplifyErrorForDisplay } from 'src/lib/error-formatting';
 import { buildFeatureFlags } from 'src/lib/feature-flags';
@@ -1864,6 +1865,15 @@ export async function isCATrusted(): Promise< boolean > {
 	return isRootCATrusted();
 }
 
+export async function getLinuxBrowserCertSupportStatus(): Promise< {
+	firefoxDetected: boolean;
+} > {
+	if ( process.platform !== 'linux' ) {
+		return { firefoxDetected: false };
+	}
+	return { firefoxDetected: isFirefoxInstalledOnLinux() };
+}
+
 export async function trustCertificate( event: IpcMainInvokeEvent ): Promise< void > {
 	const platform = process.platform;
 	if ( platform === 'win32' || platform === 'linux' ) {

diff --git a/apps/studio/src/lib/certificate-manager.ts b/apps/studio/src/lib/certificate-manager.ts
@@ -6,7 +6,9 @@ import { promisify } from 'node:util';
 import * as Sentry from '@sentry/electron/main';
 import { CERT_UNTRUSTED_ROOT, SERVER_AUTH_OID } from '@studio/common/constants';
 import {
+	areAllFirefoxProfilesTrustedLinux,
 	buildLinuxTrustInstallCommand,
+	importCAIntoFirefoxProfilesLinux,
 	importCAIntoUserNssDbsLinux,
 	isCAImportedInUserNssDbsLinux,
 	isCATrustedOnLinux,
@@ -52,11 +54,14 @@ export async function isRootCATrusted(): Promise< boolean > {
 			return false;
 		}
 	} else if ( process.platform === 'linux' ) {
-		// The CA is fully trusted on Linux only when it lives in both the system
-		// bundle (covers curl/openssl/Node) AND every NSS DB candidate (covers
-		// Chromium-family browsers, including Snap-Chromium's sandboxed DB).
+		// The CA is fully trusted on Linux only when it lives in the system
+		// bundle (curl/openssl/Node), every Chromium-family NSS DB (including
+		// Snap-Chromium's sandboxed DB), and every existing Firefox profile
+		// NSS DB. Firefox profiles that don't exist yet are vacuously trusted.
 		return (
-			( await isCATrustedOnLinux( CA_CERT_PATH ) ) && ( await isCAImportedInUserNssDbsLinux() )
+			( await isCATrustedOnLinux( CA_CERT_PATH ) ) &&
+			( await isCAImportedInUserNssDbsLinux() ) &&
+			( await areAllFirefoxProfilesTrustedLinux() )
 		);
 	}
 
@@ -118,6 +123,10 @@ export async function trustRootCA(): Promise< void > {
 			// Always run NSS imports — they're idempotent (-D before -A) and don't
 			// need sudo, so re-running covers the install-browser-after-trust case.
 			await importCAIntoUserNssDbsLinux( CA_CERT_PATH );
+			// Firefox keeps a per-profile NSS DB; the system + Chromium imports
+			// above don't reach it. Profiles that don't exist yet are skipped —
+			// the in-app notice covers that case until first Firefox launch.
+			await importCAIntoFirefoxProfilesLinux( CA_CERT_PATH );
 		} else {
 			console.error( 'Unsupported platform for automatic certificate trust:', platform );
 		}

diff --git a/apps/studio/src/lib/detect-linux-browsers.ts b/apps/studio/src/lib/detect-linux-browsers.ts
@@ -0,0 +1,18 @@
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { findOnPath } from 'src/lib/find-on-path';
+
+export function isFirefoxInstalledOnLinux( homeDir: string = os.homedir() ): boolean {
+	if ( findOnPath( 'firefox' ) !== null ) {
+		return true;
+	}
+	// Snap and Flatpak wrappers don't always land on $PATH for the current
+	// shell session, so fall back to the profile / data dirs they create.
+	const candidates = [
+		path.join( homeDir, '.mozilla', 'firefox' ),
+		path.join( homeDir, 'snap', 'firefox' ),
+		path.join( homeDir, '.var', 'app', 'org.mozilla.firefox' ),
+	];
+	return candidates.some( ( dir ) => fs.existsSync( dir ) );
+}
diff --git a/apps/studio/src/lib/get-localized-link.ts b/apps/studio/src/lib/get-localized-link.ts
@@ -37,6 +37,9 @@ const DOCS_LINKS = {
 	docsSslInStudio: {
 		en: 'https://developer.wordpress.com/docs/developer-tools/studio/ssl-in-studio/',
 	},
+	docsSslLinuxFirefox: {
+		en: 'https://developer.wordpress.com/docs/developer-tools/studio/ssl-in-studio/#linux-firefox',
+	},
 	docsMcp: {
 		en: 'https://developer.wordpress.com/docs/developer-tools/studio/mcp-on-studio/',
 	},

diff --git a/apps/studio/src/lib/tests/detect-linux-browsers.test.ts b/apps/studio/src/lib/tests/detect-linux-browsers.test.ts
@@ -0,0 +1,64 @@
+/**
+ * @vitest-environment node
+ */
+import fs from 'node:fs';
+import { vi } from 'vitest';
+import { findOnPath } from 'src/lib/find-on-path';
+import { isFirefoxInstalledOnLinux } from '../detect-linux-browsers';
+
+vi.mock( 'node:fs', () => ( {
+	default: { existsSync: vi.fn() },
+	existsSync: vi.fn(),
+} ) );
+
+// Match the specifier used by the implementation so vi.mock targets the
+// same module identity regardless of how the resolver normalises paths.
+vi.mock( 'src/lib/find-on-path', () => ( {
+	findOnPath: vi.fn(),
+} ) );
+
+const HOME = '/home/tester';
+
+function mockExistingPaths( paths: string[] ) {
+	// Normalise separators so the test passes on Windows CI, where
+	// path.join in the implementation produces backslashes.
+	const normalize = ( p: string ) => p.replace( /\\/g, '/' );
+	const expected = paths.map( normalize );
+	vi.mocked( fs.existsSync ).mockImplementation( ( candidate: fs.PathLike ) =>
+		expected.includes( normalize( String( candidate ) ) )
+	);
+}
+
+describe( 'isFirefoxInstalledOnLinux', () => {
+	beforeEach( () => {
+		vi.resetAllMocks();
+		mockExistingPaths( [] );
+		vi.mocked( findOnPath ).mockReturnValue( null );
+	} );
+
+	it( 'returns true when firefox is on PATH', () => {
+		vi.mocked( findOnPath ).mockImplementation( ( cmd ) =>
+			cmd === 'firefox' ? '/usr/bin/firefox' : null
+		);
+		expect( isFirefoxInstalledOnLinux( HOME ) ).toBe( true );
+	} );
+
+	it( 'returns true when ~/.mozilla/firefox exists', () => {
+		mockExistingPaths( [ `${ HOME }/.mozilla/firefox` ] );
+		expect( isFirefoxInstalledOnLinux( HOME ) ).toBe( true );
+	} );
+
+	it( 'returns true when Snap Firefox data dir exists', () => {
+		mockExistingPaths( [ `${ HOME }/snap/firefox` ] );
+		expect( isFirefoxInstalledOnLinux( HOME ) ).toBe( true );
+	} );
+
+	it( 'returns true when Flatpak Firefox dir exists', () => {
+		mockExistingPaths( [ `${ HOME }/.var/app/org.mozilla.firefox` ] );
+		expect( isFirefoxInstalledOnLinux( HOME ) ).toBe( true );
+	} );
+
+	it( 'returns false when neither PATH nor profile/data dirs exist', () => {
+		expect( isFirefoxInstalledOnLinux( HOME ) ).toBe( false );
+	} );
+} );
diff --git a/apps/studio/src/preload.ts b/apps/studio/src/preload.ts
@@ -71,6 +71,7 @@ const api: IpcApi = {
 	showOpenFolderDialog: ( title, defaultDialogPath ) =>
 		ipcRendererInvoke( 'showOpenFolderDialog', title, defaultDialogPath ),
 	isCATrusted: () => ipcRenderer.invoke( 'isCATrusted' ),
+	getLinuxBrowserCertSupportStatus: () => ipcRenderer.invoke( 'getLinuxBrowserCertSupportStatus' ),
 	trustCertificate: () => ipcRenderer.invoke( 'trustCertificate' ),
 	showSaveAsDialog: ( options ) => ipcRendererInvoke( 'showSaveAsDialog', options ),
 	saveUserLocale: ( locale ) => ipcRendererInvoke( 'saveUserLocale', locale ),

diff --git a/apps/studio/src/stores/certificate-trust-api.ts b/apps/studio/src/stores/certificate-trust-api.ts
@@ -23,7 +23,20 @@ export const certificateTrustApi = createApi( {
 			},
 			providesTags: [ 'CertificateTrust' ],
 		} ),
+		getLinuxBrowserCertSupportStatus: builder.query< { firefoxDetected: boolean }, void >( {
+			queryFn: async () => {
+				try {
+					const status = await getIpcApi().getLinuxBrowserCertSupportStatus();
+					return { data: status };
+				} catch ( error ) {
+					console.error( 'Failed to get Linux browser cert support status:', error );
+					return { data: { firefoxDetected: false } };
+				}
+			},
+			providesTags: [ 'CertificateTrust' ],
+		} ),
 	} ),
 } );
 
-export const { useCheckCertificateTrustQuery } = certificateTrustApi;
+export const { useCheckCertificateTrustQuery, useGetLinuxBrowserCertSupportStatusQuery } =
+	certificateTrustApi;
diff --git a/tools/common/lib/linux-trust-store.ts b/tools/common/lib/linux-trust-store.ts
@@ -1,5 +1,5 @@
 import { execFile } from 'node:child_process';
-import { existsSync, mkdirSync } from 'node:fs';
+import { existsSync, mkdirSync, readdirSync } from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
 import { promisify } from 'node:util';
@@ -83,3 +83,89 @@ export async function importCAIntoUserNssDbsLinux( caPath: string ): Promise< vo
 		}
 	}
 }
+
+// Firefox keeps a private NSS DB per profile (cert9.db). The auto-trust
+// flow has to walk every install root — apt installs use ~/.mozilla,
+// Snap and Flatpak each have their own profile root.
+function getFirefoxProfileRootsLinux( homeDir: string ): string[] {
+	return [
+		path.join( homeDir, '.mozilla', 'firefox' ),
+		path.join( homeDir, 'snap', 'firefox', 'common', '.mozilla', 'firefox' ),
+		path.join( homeDir, '.var', 'app', 'org.mozilla.firefox', '.mozilla', 'firefox' ),
+	];
+}
+
+// Returns profile dirs that already have a Mozilla NSS DB (cert9.db).
+// Profiles without cert9.db are skipped: Firefox creates the DB on first
+// launch, so there's nothing to import into until the user has opened the
+// browser at least once.
+export function getLinuxFirefoxProfileDbDirs( homeDir: string = os.homedir() ): string[] {
+	const dirs: string[] = [];
+	for ( const root of getFirefoxProfileRootsLinux( homeDir ) ) {
+		if ( ! existsSync( root ) ) continue;
+		let entries: string[];
+		try {
+			entries = readdirSync( root );
+		} catch {
+			continue;
+		}
+		for ( const entry of entries ) {
+			// Firefox profile dirs end with `.default`, `.default-release`,
+			// `.default-esr`, etc. (per profiles.ini conventions).
+			if ( ! /\.default(?:-[^/]+)?$/.test( entry ) ) continue;
+			const profileDir = path.join( root, entry );
+			if ( existsSync( path.join( profileDir, 'cert9.db' ) ) ) {
+				dirs.push( profileDir );
+			}
+		}
+	}
+	return dirs;
+}
+
+// Vacuously true when no Firefox profile exists yet (browser installed but
+// never opened): there is nothing to import into, so the system+Chromium
+// trust state alone is enough to consider the trust flow complete.
+export async function areAllFirefoxProfilesTrustedLinux(
+	homeDir: string = os.homedir()
+): Promise< boolean > {
+	for ( const db of getLinuxFirefoxProfileDbDirs( homeDir ) ) {
+		try {
+			await execFilePromise( 'certutil', [ '-d', `sql:${ db }`, '-L', '-n', LINUX_NSS_NICKNAME ] );
+		} catch {
+			return false;
+		}
+	}
+	return true;
+}
+
+// Best-effort: same contract as importCAIntoUserNssDbsLinux. Profiles with
+// a locked DB (Firefox is running) or missing certutil log a warning and
+// the user falls back to the in-app notice + docs.
+export async function importCAIntoFirefoxProfilesLinux( caPath: string ): Promise< void > {
+	for ( const db of getLinuxFirefoxProfileDbDirs() ) {
+		try {
+			await execFilePromise( 'certutil', [
+				'-d',
+				`sql:${ db }`,
+				'-D',
+				'-n',
+				LINUX_NSS_NICKNAME,
+			] ).catch( () => undefined );
+			await execFilePromise( 'certutil', [
+				'-d',
+				`sql:${ db }`,
+				'-A',
+				'-t',
+				'C,,',
+				'-n',
+				LINUX_NSS_NICKNAME,
+				'-i',
+				caPath,
+			] );
+			console.log( `Imported Studio CA into Firefox profile: ${ db }` );
+		} catch ( error ) {
+			const message = error instanceof Error ? error.message : String( error );
+			console.warn( `Could not import Studio CA into Firefox profile ${ db }: ${ message }` );
+		}
+	}
+}