Bug#926388: let Firefox trust /etc/ssl/certs/ca-certificates.crt



Hi, as someone who got bitten by this and spent like half a day figuring it out, I fully support this.
I found out that diverting/replacing that file is not enough, as Firefox and Thunderbird are shipped with their own versions (not sure if this applies to Bullseye too, I only checked Buster).

I wrote this script:
function replace_libnssckbi() {
        # TODO: support other archs
        dpkg-divert --rename --package selfhost-clearnet-certbot --add "$1" || return 1
        ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so "$1"
}

# TODO: support other archs
replace_libnssckbi /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
replace_libnssckbi /usr/lib/firefox-esr/libnssckbi.so
replace_libnssckbi /usr/lib/thunderbird/libnssckbi.so

I guess it will need some checks or calls to mkdir but works at least for me.

Side note: Firefox will not accept a self-signed server certificate added to ca-certificates. You have to create a CA, add its certificate to ca-certificates, generate a separate server certificate signed by that CA and use it for the server. I think this is OK, just mentioning it in case someone finds this and wants to set it up.
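
A check for the result of the script above, added here as an example and not part of the original message: it reports whether each libnssckbi.so path is a symlink that resolves to p11-kit-trust.so. The function names and state words are illustrative; the paths are the amd64 ones from the message.

```shell
#!/bin/sh
# Added example (not from the original message). Paths are the amd64 ones
# quoted in the message; function names and state words are illustrative.
P11_TRUST=${P11_TRUST:-/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so}

# nss_trust_state MODULE_PATH P11_TRUST_PATH
# Prints one word describing what sits at MODULE_PATH:
#   absent   - nothing there (application not installed)
#   bundled  - regular file, i.e. not the symlink the script creates
#   system   - symlink resolving to the p11-kit trust module
#   dangling - symlink whose target does not exist
#   other    - symlink resolving to some other file
nss_trust_state() {
    if [ -L "$1" ]; then
        if [ ! -e "$1" ]; then
            echo dangling
        elif [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]; then
            echo system
        else
            echo other
        fi
    elif [ -e "$1" ]; then
        echo bundled
    else
        echo absent
    fi
}

# nss_trust_report P11_TRUST_PATH MODULE_PATH...
# Prints "<state> <path>" for each module path and returns 1 if any
# installed copy is not linked to the p11-kit trust module.
nss_trust_report() {
    target=$1; shift
    rc=0
    for so in "$@"; do
        state=$(nss_trust_state "$so" "$target")
        printf '%-8s %s\n' "$state" "$so"
        case $state in system|absent) ;; *) rc=1 ;; esac
    done
    return $rc
}

nss_trust_report "$P11_TRUST" \
    /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so \
    /usr/lib/firefox-esr/libnssckbi.so \
    /usr/lib/thunderbird/libnssckbi.so || true
```

Running it again after a package upgrade shows whether the diversions are still in effect for every copy.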
