pfSense cert was trusted and now is not (nor can I manually do it)
So I've upgraded pfsense (which has my own self-signed cert for the GUI) to 2.3. For some reason, this has broken management for it via Firefox. It still works with Chrome.
Here is the error- The connection to 192.168.50.1:449 was interrupted while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
What I have done to try to rectify this.... 1) Checked that both time of pfsense and my computer match (they do and Chrome works right with this anyway.) 2) Manually imported both the CA and cert. 3) Deleted cert8.db and let FF recreate it. 4) Tried a new profile (which works once and then fails as soon as FF is restarted.) 5) Tried on both Windows and Linux (neither side works.) 6) Generated a new cert for the GUI (which Chrome again just accepts but FF refuses.)
FF version is 45.0.1
I haven't seen anything else that addresses this. The key did not change in the upgrade. Even had it done that, I would think that by generating a new cert entirely should prompt for making a permanent exception again.
I've narrowed it down to FF as both Chrome and Vivaldi work perfectly on it. Nothing seems to have helped and the FF landing page doesn't reveal any useful info (as in SEC_ERROR_INSECURE_CIPHER or the like.)
Any help is very much appreciated as I hate opening Chrome solely to manage my firewall.
الحل المُختار
cor-el said
Cert8.db is not SQLite although Firefox can use an cert9.db file that is an SQLite database (NSS_DEFAULT_DB_TYPE="sql"). You would have to use certutil.exe to inspect the file or check the Certificate Manager for items marked as "Software Security Device"
I was not able to get cert util to work on either Linux or Windows.
I DID get it fixed though. I simply set up new profiles and they're fine. I've attached them to sync WITHOUT syncing prefs (all others checked) and so far, so good. Waiting for the others to fall off then I'll sync prefs from one good machine.
It definitely is something with sync from what I can see. I guess it was at some point just distrusted and that screwed everything up.
Thanks for the help mate.
Read this answer in context 👍 0All Replies (6)
No ideas? Figured this would get some attention from devs or someone. I can provide more info if needed- just not sure what anyone would need to help me diagnose this.
For what it's worth, FF beta on Android can connect with no issues (just add the exception and go.) It still might be tied to something with Sync via desktop FFs but apparently not with whatever on mobile.
Modified by blueduckdock
Think I have found the issue. A new profile DOES solve it. Once you add a sync profile to it though, it reverts. FF sync is bringing across certs and other things in the cert8.db I think. I can't open it (says it's encrypted) but that appears to be it I think.
Any way to gracefully remove that from my profile? I'd hate to get a new sync account simply for this.
I don't think that Sync would include certificates. Sync can include whitelisted prefs that have a corresponding services.sync.prefs.sync.* pref, so you may have prefs set on another device that are causing problems.
Did you compare the cert8.db file before and after connecting to Sync?
cor-el said
I don't think that Sync would include certificates. Sync can include whitelisted prefs that have a corresponding services.sync.prefs.sync.* pref, so you may have prefs set on another device that are causing problems. Did you compare the cert8.db file before and after connecting to Sync?
Is there a way to check that? I tried using sqlite from the terminal and it was no go. I'd love to compare but that really is the only thing I can think of as it's perfectly fine with a different profile (non sync affiliated.) I will check on the prefs file and yes, it does seem strange that it would sync certs across.
Cert8.db is not SQLite although Firefox can use an cert9.db file that is an SQLite database (NSS_DEFAULT_DB_TYPE="sql").
You would have to use certutil.exe to inspect the file or check the Certificate Manager for items marked as "Software Security Device"
الحل المُختار
cor-el said
Cert8.db is not SQLite although Firefox can use an cert9.db file that is an SQLite database (NSS_DEFAULT_DB_TYPE="sql"). You would have to use certutil.exe to inspect the file or check the Certificate Manager for items marked as "Software Security Device"
I was not able to get cert util to work on either Linux or Windows.
I DID get it fixed though. I simply set up new profiles and they're fine. I've attached them to sync WITHOUT syncing prefs (all others checked) and so far, so good. Waiting for the others to fall off then I'll sync prefs from one good machine.
It definitely is something with sync from what I can see. I guess it was at some point just distrusted and that screwed everything up.
Thanks for the help mate.