This thread was archived. Please ask a new question if you need help.
Why won't Firefox let me add an exception?
Firefox tells me that a site has an invalid security certificate, which I know. It asks if I want to Add an Exception and I click to add one. It pops up the Add Security Exception window and that window tells me that this site has a valid certificate and there is no need to add an exception; but I DO need to add an exception and it won't do it for me. Why? I am working in a secure test lab and use Firefox to login to our systems under test. Each time we change or add hardware we must add exceptions to login to a system. I have done this for years with Firefox but now Firefox 4 seems confused. We now need to use EI, which I would rather not.
I was able to fix this on one machine by clearing my recent history through the Options dialog. On a second occasion, I was able to rule out "Browsing & Download History" and "Form & Search History", so I can say at this point that the problem can be fixed by clearing one or more of Cookies, Cache, "Active Logons", or "Site Preferences".
Oh, in all cases, I selected "Everything" for the time period to clear.Read this answer in context 👍 8
All Replies (20)
Actually, your question is a bit different. It seems to be a contradiction to display the SSL error page but then say that no exception needs to be added. Can you copy and paste the error here?
Could you remove the previously approved certificate here and try adding it again?
Tools > Options > Advanced > Encryption sub-tab > View Certificates button > Servers tab
--- Earlier Comment Deleted ---
Modified by jscher2000
I already tried removing the old certificate, more than once (different systems/sites). Yes it is a contradiction; that's the bug.
One message says "This Connection is Untrusted" and the next one says "Valid Certificate This site provides valid, verified identification. There is no need to add an exception."? The last one is the error. I know the site doesn't have a valid certificate.
You might want to make a backup before proceeding. See Backing up your information for suggestions.
The certificate store in your Firefox profile might have become corrupted. You could try renaming the cert8.db file in your existing profile folder to hide previously stored certificates, then start Firefox and try again. To location your profile folder, see Profiles | How to | Firefox Help.
If the problem recurs, perhaps it is some add-on or setting? You could test by accessing the test site with a new (blank) profile. This article describes starting up to the profile manager where you can create a new blank profile: Managing profiles. To switch the default back to your existing profile, restart to the profile manager.
It looks to me like firefox 4 has a bug in its certificate retrieval system when accessing servers using SNI (I am using SNI on my server to run multiple virtual hosts with SSL using apache). The reason I say this is because I am observing the following behavior:
The certificate is only valid for the following names:
The certificate expired on 10/01/2010 05:32 PM. The current time is 06/08/2011 01:32 PM.
(Error code: ssl_error_bad_cert_domain)
This info is correct; the cert has expired. Because I'm too lazy to renew it just now, I click on 'Add Exception', which pops up the dialog that lets me add an exception. That dialog has the 'Confirm Security Exception' button grayed out, because it says the certificate is valid. Only problem is, the certificate it's saying is valid is NOT the certificate that it previously complained about. The certificate that shows when I click 'View...' under 'Certificate Status' heading in the dialog, is the default certificate for that web server, 'www.aoaforums.com' and THAT certificate IS valid.
In other words, it looks like FF4 is correctly doing the SNI negotiation to display the initial error, but then is NOT doing the SNI negotiation when retrieving the cert info to make the exception for. Why it needs to make a separate request when it should already have the required info, I really don't understand, but that's certainly what it LOOKS like.
Only solution appears to be to get off my lazy duff and fix the cert on the www.giz-works.com URL.
Only problem is, the certificate it's saying is valid is NOT the certificate that it previously complained about.
That seems wrong. There is a setting as to whether to fetch the problem certificate automatically when showing the Add Exception dialog, or require you to click the Get Certificate button (see http://kb.mozillazine.org/Browser.ssl_override_behavior). If you click Get Certificate, does it correctly show as expired?
Of course, wrong information shouldn't be in there at any time, so there could be a bug in that dialog if it neither loads the correct info nor clears prior info.
Some additional information: This is on FF 4.0.1 running on Fedora 15 with all the current patches. I do not currently have any other Firefox extensions loaded.
If I go to the 'Edit' Menu and select 'Preferences', then select the 'Advanced' settings in the 'Preferences' dialog, then select the 'Servers' tab, and the 'Add Exception' button, this brings up a dialog to manually add an exception. Manually enter the url 'https://www.giz-works.com' and select 'Get Certificate' and I get the default certificate for the web server (www.aoaforums.com) NOT the certificate for www.giz-works.com.
Should I file a bugzilla on this?
Modified by gizmo4321
Found it: you have TLS disabled, and SNI requires TLS.
Edit > Preferences > Advanced > Encryption tab
Check the box for "Use TLS 1.0"
Reload and try again. Fixed?
Doesn't work for me. I already have both protocols turned on.
And I now have three lab systems which Firefox will no longer allow me to login to. I have no idea, so far, why it seems to randomly hit some and not others.
I think this is a Firefox 4 bug.
Try to delete (or rename/move as a test) the file cert8.db in the Firefox Profile Folder
Modified by cor-el
jscher2000: I have TLS 1.0 checked in that dialog already. I also have SSL 3.0 checked.
cor-el: already did that, 3 times now. Doesn't have any effect.
Modified by gizmo4321
The TLS setting was the only way I could re-create the problem. I wonder whether there is some deeper problem with TLS/SNI that the checkbox doesn't cure. I think we might need another test server, since yours returns a valid certificate at the moment.
Another interesting tidbit: I set up another site, ssl-test.giz-works.com, with a self-signed certificate.
That site works just fine. Properly allows me to add the self-signed cert an everything.
Sorry about mucking up the testing; I needed access to my system, so I put a proper certificate on it.
I use a lot of equipment with internal (untrusted/self-signed) certificates and I face this problem one or two times a month. This has been going on since FF 4.0 came out and has continued with v5 and v6. I know someone said nothing has changed with regard to cert handling - you are wrong.
This issue is nearly crippling to me and is driving me away from FF entirely. Were it not for a couple irreplaceable plugins I use, I would already be gone. No other modern browser is as irritating WRT the handling of untrusted SSL certificates as firefox is, and no other modern browser has a problem like this. I'm facing this issue right now with a system that I *need* to be able to access, and I simply cannot use FF to do so because of this infuriating issue.
I had the same problem w/ version 7.0.1 I fixed it by:
1) Exported website's cert using IE to my local file system 2) In FF, go to Options >> Advanced >> Encyrption tab >> View Certificates 3) On server tab, found the certificate (self-signed) and deleted it 4) Import cert from file system 5) Click on certificate and select "Edit Trust" 6) Select "Trust the authenticity of this certificate" 7) Click "Edit CA Trust" and select "This certificate can identify web sites" 8) Click OK > OK >OK, restart firefox
Now I can get to the website without issue.
I think I figured out what is causing my problem and I have a workaround, but this is still a bug. Here's the cause; Some of our systems under test use duplicated servers and an alias name used to access whichever one happens to be active. This function is intended to be transparent to the user. So if I access the server pair for the first time using the alias and server "1" happens to be active and I add an exception. Fine. Now if I try to access the server pair again using the alias but now server "2" happens to be active, this is when I see the problem; same server name; different MAC address. OK, fine. I don't mind firefox telling me there is a problem and forcing me to add a new exception. But it should not tell me there is a problem and then change it's mind and tell me there is not a problem when I try to account for it. That is the BUG. I can get around this by simply accessing the active server using it's real name and not the alias, but that will prevent me accessing our systems in the same manner our customers do. I can assume that our costumers will not encounter this because they are not working in a lab and therefor they will have valid certificates on there servers; but you know what happens when we assume.
I have the same problem in very similar circumstances. We have clustered firewall appliances, and this has occurred twice in this scenario: 1. I first connect to the cluster with unit #1 active and add an exception for its SSL certificate. 2. Later, unit #2 is active, and I add an exception for its SSL certificate. All is still OK at this point. 3. When unit #1 is again active, I encounter the problem described here (see screenshot).
This problem is not resolved by removing the relevant certificates from the Firefox Certificate Manager.
I can further report that the problem is NOT resolved by renaming cert8.db, as was suggested by another member.
I have tried ejdst21's solution above, but I could not do step 7. When I click on Edit CA Trust, Firefox says the CA certificate could not be found.
I was finally able to get rid of this issue by clearing my entire history. Fortunately this was not may main Firefox profile, otherwise clearing my entire history would be a major problem. I'm not sure what part of the history was causing the problem, but I can say that it was NOT any of the following files, each of which I tried renaming:
localstore.rdf [Renaming this made a very small difference: I got an error dialog about the certificate on my next attempt. In fact, I think that error dialog also appeared when the problem began.]
Modified by elangeland