Untrusted Certificates are preventing browsing to a number of sites

  • 13 replies
  • 22 have this problem
  • 1 view
  • Last reply by feeks

I have common Untrusted Certificates both in Firefox and Chromium across 4 machines (2 x Windows 10, 1 x W2008, 1 x Ubuntu 16.04 LTS). I have not been able to remove or replace these certificates in any environment. At the moment I cannot get to mail.google.com and www.google.com or sub-domains. There are a number of other untrusted certificates but I do not use their services so I am less concerned about those, although having spent the best part of the last 3 days trying to resolve this issue I am no closer to a solution.

I have cleared browser profiles, deleted mozilla application data and uninstalled/reinstalled the app. I have purged the certificate store on all machines, I have resynchronised the time-settings for each device. The untrusted certificates appear to match a list of known certificates which have caused problems in the past and I patched against those issues.

Regardless of my efforts the end solution is that these certificates reappear. The list of certificates is:-

global trustee
addons.mozilla.org
login.live.com
login.skype.com
login.yahoo.com
login.yahoo.com
login.yahoo.com
mail.google.com
www.google.com

I was syncing my browsers but I have disabled the syncing in the Firefox environment but I still get these certificates.

H-e-l-p! Please!

All replies (13)

feeks said

Regardless of my efforts the end solution is that these certificates reappear. The list of certificates is:-
global trustee
addons.mozilla.org
login.live.com
login.skype.com
login.yahoo.com
login.yahoo.com
login.yahoo.com
mail.google.com
www.google.com

Where do those appear -- in Firefox's Certificate Manager?

I mean the one you access from the Preferences page, either:

  • Linux: "3-bar" menu button (or Edit menu) > Preferences
  • Mac: "3-bar" menu button (or Firefox menu) > Preferences
  • Windows: "3-bar" menu button (or Tools menu) > Options

In the left column, click Advanced. Then on the right side, with the "Certificates" mini-tab active, click "View Certificates".

Is there a common thread among the certificates, e.g., same suspicious issuer?

The certificates appear in the Server tab and yes they are common between machines. Including a machine that I have not Firefox (synced) with but is within my local network environment. There is a common issuer:-

CN = UTN-USERFirst-Hardware OU = http://www.usertrust.com O = The USERTRUST Network L = Salt Lake City ST = UT C = US

<<>> DiG 9.10.3-P4-Ubuntu <<>> www.usertrust.com
global options: +cmd
Got answer:
->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52866
flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
OPT PSEUDOSECTION:
EDNS: version: 0, flags:; udp: 1280
QUESTION SECTION:
www.usertrust.com. IN A
ANSWER SECTION:

www.usertrust.com. 865 IN A 91.199.212.176

Query time: 171 msec
SERVER: 192.168.0.12#53(192.168.0.12)
WHEN: Fri Jun 16 13:43:55 AEST 2017
MSG SIZE rcvd: 62

Browsing to the website returns a 403 forbidden

If you are using the Linux supplied from a repository instead of Mozilla's site, you could try switching, but the existing settings likely will persist; you may need to create a new profile as well.

Since I'm a Windows person, I'll just link to some pages:

Thank you @jscher2000 and I appreciate your thought process, but I have completely replaced both the authoritative certificate sets from the Linux source, reprofiled and uninstalled/reinstalled firefox and cleaned the mozilla "appdata" equivalent from the machine. Hence the H-e-l-p in the original post.

Additionally the fact remains that I am getting equivalent certs turn up on my Windows machines. While I have not reprofiled/reinstalled in those environments, I have manually deleted them and the fact remains that the certificates are still returning after a restart. I have also desynced the Linux from the Windows Firefox profile share update and repeated all above instructions.

It's possible for external software to add certificates to either your OS certificate store or Firefox's certificate store, but I don't know what software would add certificates for Mozilla, Google, Skype and Yahoo.

What did you mean by this:

feeks said

The untrusted certificates appear to match a list of known certificates which have caused problems in the past and I patched against those issues.

Perhaps my focus is too narrow on the issue of the Untrusted certificates.

My reasoning for saying this is that addons.mozilla.org is in the list and yet this does not stop me from installing firefox addons.

When firefox browsing to www.google.com I received this error SECURE CONNECTION FAILED: An error occurred during a connection to www.google.com.au. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

When Chrome browsing to www.google.com I get a vaguely similar although more cryptic response of:


This site can’t provide a secure connection

www.google.com.au sent an invalid response. ERR_SSL_PROTOCOL_ERROR

When browsing to addons.mozilla.org I get no such error even though the Untrusted certificates for this site appear in both browsers.

Unfortunately I have not kept the references for the "known certificates" errors and could not easily find them but the patches related to Microsoft security references in regard to DigiNotar a number of years ago. But this is not where I found the references in my original research!

Okay, if you installed a patch which adds certificates with an indication they should be distrusted -- I don't know how you can determine that in Firefox's Certificate Manager -- then it makes sense to find them there. Maybe.

For Google AU, is there any external factor which could affect both your browsers, such as:

  • security software filtering web access
  • "parental control" software or router feature
  • proxy server
  • VPN
  • custom DNS server settings
  • hosts file entry

These permanent block exceptions show for me as well in the Certificate Manager Servers tab. These are likely about certificates that are no longer considered as secure (1024 bit?) and have been disabled to prevent them from being used. There are a lot of these exceptions present and the ones you are talking about are from Usertrust and have a date of 03/15/2014.

Websites should use intermediate certificates that chain to a built-in trusted root certificate.


You would have to check the certificate chain to see where this goes wrong in your case.

You can click the "Advanced" button to expand this section and show extra details. If the certificate is not trusted because no issuer chain was provided (SEC_ERROR_UNKNOWN_ISSUER) then click the blue error message to expand this section and show the certificate chain. Please click "Copy text to clipboard" and paste this base64 encoded certificate chain text in a reply. That will allow us to check details like the issuer of the certificate.

You can open the Certificate Manager and go to the "Servers" tab.

  • Options/Preferences -> Advanced -> Certificates: View Certificates -> Servers: "Add Exception"
  • paste the URL of the website (https://xxx.xxx) in its location field.

Let Firefox retrieve the certificate -> "Get Certificate"

  • click the "View" button and inspect the certificate

You can see details like the issuer of the certificate and used intermediate certificates in the Details tab.

jscher2000 said

  • security software filtering web access
  • "parental control" software or router feature
  • proxy server
  • VPN
  • custom DNS server settings
  • hosts file entry

I am basically using the Linux box for testing and resolution at this point.

  • Security filtering has been removed
  • No parental control software has been installed and no router filtering implemented
  • proxy server is default for install
  • No VPN
  • Custom DNS settings
 DNS is configured as follows
   Internal DNS server 192.168.x.xx
   Secondary DNS 8.8.8.8
   Ternary DNS      8.8.4.4
  • hosts file default as installed
  • firewall is default as installed

I found the Microsoft Security Advisory 2524375 - "Fraudulent Digital Certificates Could Allow Spoofing" - note that this advisory is dated March 2011. I have W10 and W2008 Windows boxes; the patch is not relevant to the W10 and, as I say, W2008 has been patched, which is AD/DNS etc., but all of the Untrusted Certificates are as per this advisory.

I also get similar SSL protocol issues with youtube

@cor-el thank you for the response. Unfortunately in performing the action "Get Certificate" the response was No information available - No certificate could be obtained for this site.

This I believe would be a valid response with the certificate Issuer as being usertrust and not google or their certificate provided at least.

In testing and confirming access to google and youtube, traffic is going to gw.google.au and failing there, I am wondering if this is the failure point. I am unable to get to any google site (support or otherwise), so I am blocked at this point.

I am starting to see signs that there are issues with Google DNS, although I could be getting off the mark a little quick here! All said and done, if this is a Google problem I see nothing in the media that has acknowledged this!

Hello all and thank you for your responses and support. I have been able to track down the issue and resolve it.

The issue was my router (Draytek) where I had applied blocking to the Google services WEB HD entry. The following are the details:-

Google Service 1.11.4865.2530 To block Gmail and Google Drive. If user has login, it can not be blocked.

I do remember updating the firmware but can't recall when; perhaps it has coincided. I am not certain but I will be following up with the manufacturer to clarify.

Once again many thanks for the support and feedback. I truly appreciate it.
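
The two browser errors quoted in this thread (SSL_ERROR_RX_RECORD_TOO_LONG and ERR_SSL_PROTOCOL_ERROR) commonly mean that whatever answered on port 443 was not speaking TLS, which fits a router block rather than a certificate problem. The Python sketch below is an added example, not from any post in the thread: it classifies the first bytes received from a peer, and the function names and sample byte strings are constructed for illustration.

```python
import struct

# Largest ciphertext record length TLS 1.2 allows (RFC 5246: 2^14 + 2048).
MAX_TLS_RECORD = 2**14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def parse_record_header(data: bytes):
    """Read a 5-byte TLS record header: type, (major, minor) version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes of the peer's response")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length

def classify_first_bytes(data: bytes) -> str:
    """Describe what kind of peer produced the first bytes seen on port 443."""
    ctype, version, length = parse_record_header(data)
    if ctype in CONTENT_TYPES and version[0] == 3 and length <= MAX_TLS_RECORD:
        return "tls:" + CONTENT_TYPES[ctype]
    if data[:5] == b"HTTP/" or data.lstrip()[:1] == b"<":
        # A plaintext HTTP or HTML answer on the TLS port, e.g. a block page
        # injected by a router, proxy or filter. Read as a record header,
        # its ASCII bytes declare an impossible length.
        return f"plaintext-http (would-be record length {length})"
    return f"not-tls (would-be record length {length})"

# Constructed samples (not captured from the poster's network).
SERVER_HELLO = bytes.fromhex("160303004a") + b"\x02" + b"\x00" * 73
FATAL_ALERT = bytes.fromhex("15030300020228")  # fatal handshake_failure
BLOCK_PAGE = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("server hello", SERVER_HELLO),
                         ("alert", FATAL_ALERT),
                         ("block page", BLOCK_PAGE)]:
        print(f"{name:12s} -> {classify_first_bytes(sample)}")
```

For the block-page sample, the bytes `P/` of `HTTP/` land in the length field and decode to 20527, above the record limit, so a TLS parser rejects the record as too long before any certificate is examined.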