Firefox won't let me SAVE a security exception (issue exists for more than 5 years now, no solutions, I gotta use IE instead)
As long as the box for the permanent exception is ticked, no exceptions for untrusted certificates can be added. Sometimes even if it is unticked it does not work. The site I am trying to access is a reputable US institution. And no, I do not want to downgrade my Firefox back in the stone age! How is that supposed to be safer?!?
All Replies (14)
Make sure that you do not run Firefox in permanent Private Browsing mode (Always use Private Browsing mode; Never Remember History).
- Tools > Options > Privacy > Firefox will: "Use custom settings for history"
- Deselect: [ ] "Always use Private Browsing mode"
Try to create a new profile to test if your current profile is causing the problem.
See "Creating a profile":
- https://support.mozilla.org/kb/profile-manager-create-and-remove-firefox-profiles
- http://kb.mozillazine.org/Standard_diagnostic_-_Firefox#Profile_issues
If the new profile works then you can transfer files from a previously used profile to the new profile, but be cautious not to copy corrupted files to avoid carrying over problems.
Always be cautious when you get an 'Untrusted' error message and never create a permanent exception without investigating the cause.
If you can't inspect the certificate via Advanced (I Understand the Risks) then try this:
Open the "Add Security Exception" window by pasting this chrome URL in the Firefox location/address bar and check the certificate:
- chrome://pippki/content/exceptionDialog.xul
In the location field of this window type or paste the URL of the website with the https:// protocol prefix (https://xxx.xxx).
- retrieve the certificate via the "Get certificate" button
- click the "View..." button to inspect the certificate in the Certificate Viewer
You can inspect details like the issuer and the certificate chain in the Details tab of the Certificate Viewer. Check who is the issuer of the certificate. If necessary then please attach a screenshot that shows the Certificate Viewer with the issuer.
eberlef said
The site I am trying to access is a reputable US institution.
If they are a reputable institution that also knows how to run a proper secure site, then Firefox should not need you to make an exception. Do you want to provide a link to get a second opinion?
If you are encountering certificate issues on a regular basis (for example, more often than once a month), it would be wise to stop and research what is causing the problem. Maybe it's the site, but maybe it's an issue with how Firefox is configured, or stealthy malware.
Thanks for the suggestions so far! Firefox is not in permanent private browsing mode, I do send a "Do not track" request though. The problem does persist with different profiles on different PCs and using the "chrome://pippki/content/exceptionDialog.xul" window does not change anything. The site in question is https://www.chem.tamu.edu/
The site is sending an incomplete certificate chain. They really should fix that, because unlike some other browsers, Firefox will not go searching the web for missing intermediate certificates. However, if you happened to have visited another site that did send the missing intermediate, Firefox would have saved that and will be able to check it locally to give you a green lock on the site. Luckily for me, I get the green lock. Unluckily for you, you do not.
Could you try to acquire that missing certificate by visiting this site that has the same issuer on its certificate: https://spaces.internet2.edu/
Note: the "Do Not Track" setting doesn't affect what Firefox does, other than sending (or not sending) a signal to the website that you prefer they not track your browsing.
Hmm, upon visiting the site https://spaces.internet2.edu/#all-updates I did get a green lock for that site, but not https://www.chem.tamu.edu/. Is there a way to manually find and store the right certificate?
I see that Firefox only uses TLS 1.0, so the website is far behind on its security software.
Update: I found a site that has the same certificate. Upon visiting this site I get the green lock on the site https://www.chem.tamu.edu/ without allowing any exceptions. The solution is not permanent but the best so far.
eberlef said
Hmm, upon visiting the site https://spaces.internet2.edu/#all-updates I did get a green lock for that site, but not https://www.chem.tamu.edu/. Is there a way to manually find and store the right certificate?
Yes.
(1) On the "working" site, open the certificate viewer from the Page Info dialog. Either:
- right-click a blank area of the page and choose View Page Info > Security > "View Certificate"
- (menu bar) Tools > Page Info > Security > "View Certificate"
- click the padlock or "i" icon in the address bar, then the ">" button, then More Information, and finally the "View Certificate" button
(2) Click the Details tab, select the intermediate certificate, then click the Export button. Save in the default format to the location of your choice. Example screen shot attached.
(3) Open the Certificate Manager using:
"3-bar" menu button (or Tools menu) > Options
In the left column, click Advanced
On the right side, make sure the Certificates mini-tab is selected and then click the View Certificates button
(4) In the Certificate Manager dialog, click the "Authorities" mini-tab (not the Personal or Servers mini-tab, which might initially be displayed by default), and then the Import button. Example screen shot attached.
(5) Select and open the certificate you just exported moments ago. Now you're done with the Certificate Manager and you can test the problem site.
It seems that it is close, but from the "working" site https://ogsdpss.tamu.edu/ I can only download one certificate and this gives the error message "This is not a certificate authority certificate, so it can't be imported into the certificate authority list."
Hi eberlef, that's strange.
Did you select the InCommon one before clicking the Export button?
If it doesn't work on that site, can you try the one I mentioned before?
No, in the window under Certificate Hierarchy, where I should select the InCommon, there is only one option, and that gives the message "This is not a certificate authority certificate, so it can't be imported into the certificate authority list." upon import.
There is only the website's own certificate listed in the Certificate Hierarchy? That's... wrong. Have you ever tried this:
Clean Reinstall
We use this name, but it's not about removing your settings, it's about making sure the program files are clean (no inconsistent or alien code files). As described below, this process does not disturb your existing settings. Do NOT uninstall Firefox, that's not needed.
(A) Download a fresh installer for Firefox 46.0 from https://www.mozilla.org/firefox/all/ to a convenient location. (Scroll down to your preferred language.) For maximum plugin compatibility, choose the 32-bit version.
(B) Exit out of Firefox (if applicable).
(C) Rename the program folder as follows:
32-bit install on 64-bit Windows
C:\Program Files (x86)\Mozilla Firefox
to
C:\Program Files (x86)\OldFirefox
All other installations
C:\Program Files\Mozilla Firefox
to
C:\Program Files\OldFirefox
(D) Run the installer you downloaded in step (A). It should automatically connect to your existing settings.
Note: Some plugins may exist only in that OldFirefox folder. If something essential is missing, look in these folders:
- \OldFirefox\Plugins
- \OldFirefox\browser\plugins
No idea whether that will help, but you already tried most other things.
jscher2000 said
There is only the website's own certificate listed in the Certificate Hierarchy? That's... wrong.
Or did you add an exception? If you added an exception because the certificate had an unknown issuer, then it's normal for the Certificate Hierarchy to be incomplete.
Firefox automatically stores intermediate certificates that servers send in the Certificate Manager for future use. Stored intermediate certificates show as "Software Security Device" in the "Security Device" column in the Certificate Manager.
A server needs to send the full certificate chain that includes all required intermediate certificates. Firefox automatically stores intermediate certificates that servers send in the Certificate Manager for future use, so if you have visited a website that has sent this intermediate certificate in the past then Firefox will not display the error page when you visit a server that doesn't send this intermediate certificate.
If you visit a server that doesn't send a full certificate chain then you will only get an untrusted error if Firefox hasn't yet stored this intermediate certificate because you have visited a server in the past that has sent this certificate, but you do get an untrusted error if this intermediate certificate isn't stored yet.
Visiting a website that sends an intermediate certificate that you need for another website is the same as installing such an intermediate certificate from other sources like the web page of the issuer of the certificate.
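The behaviour discussed in this thread (a server that omits its intermediate is trusted only once the browser already holds that intermediate, and a non-CA certificate is refused by the Authorities import) can be reproduced with a small model. This is an added illustration, not code from any post or from Firefox; it matches certificates by name only, performs no signature checks, and every certificate name in it is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False

class BrowserModel:
    """Name-based model: never fetches a missing issuer from the network,
    but keeps intermediates it has seen in a chain that validated."""
    def __init__(self, roots):
        self.roots = {c.subject for c in roots}
        self.cached = {}  # intermediates kept from earlier chains or imports

    def import_authority(self, cert):
        # Mirrors the Certificate Manager refusing a server certificate.
        if not cert.is_ca:
            raise ValueError("This is not a certificate authority certificate")
        self.cached[cert.subject] = cert

    def visit(self, sent_chain):
        """sent_chain[0] is the server certificate, the rest is whatever
        else the server sent. Returns True if a path to a root is found."""
        leaf, extras = sent_chain[0], sent_chain[1:]
        sent = {c.subject: c for c in extras if c.is_ca}
        path, current = [leaf], leaf
        while current.issuer not in self.roots:
            issuer = sent.get(current.issuer) or self.cached.get(current.issuer)
            if issuer is None or issuer in path:
                return False  # unknown issuer (or a loop): untrusted
            path.append(issuer)
            current = issuer
        for c in path[1:]:
            self.cached[c.subject] = c  # model choice: cache validated intermediates
        return True

# Constructed sample hierarchy (not the real certificates from the thread).
ROOT = Cert("Example Root CA", "Example Root CA", True)
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", True)
SITE_COMPLETE = Cert("complete.example", "Example Intermediate CA")
SITE_INCOMPLETE = Cert("incomplete.example", "Example Intermediate CA")

def demo():
    browser = BrowserModel([ROOT])
    before = browser.visit([SITE_INCOMPLETE])    # leaf only, nothing cached
    browser.visit([SITE_COMPLETE, INTERMEDIATE]) # full chain, intermediate kept
    after = browser.visit([SITE_INCOMPLETE])     # same leaf-only chain again
    return before, after

if __name__ == "__main__":
    print(demo())
```

The durable fix is on the server side: once the site sends its intermediate, the first visit on a fresh profile validates without any cached or imported certificate.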