X
Tippen Sie hierhin, um die Version dieser Website für Mobilgeräte aufzurufen.

Hilfeforum

Security certificate no longer valid after upgrading to latest FF.

Veröffentlicht

I upgraded to the very latest version of FF over the weekend and now I can't access a site I had been accessing for the following error: An error occurred during a connection to grdpmgr01.dmz.domainname.com:7799. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)

The certificate is self-signed. We have a similar problem with IE that we've worked around.

I upgraded to the very latest version of FF over the weekend and now I can't access a site I had been accessing for the following error: An error occurred during a connection to grdpmgr01.dmz.domainname.com:7799. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid) The certificate is self-signed. We have a similar problem with IE that we've worked around.

Ausgewählte Lösung

You can try to set security.use_mozillapkix_verification to false on the about:config page as a test to see if that has effect.

Diese Antwort im Kontext lesen 19

Mehr Details zum System

Installierte Plugins

  • The plugin allows you to have a better experience with Microsoft Lync
  • The plugin allows you to have a better experience with Microsoft SharePoint
  • Next Generation Java Plug-in 11.5.2 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Shockwave Flash 14.0 r0
  • RealPlayer(tm) LiveConnect-Enabled Plug-In
  • RealPlayer Download Plugin
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Adobe Shockwave for Director Netscape plug-in, version 12.1.3.153
  • Adobe PDF Plug-In For Firefox and Netscape 11.0.07
  • SiteAdvisor
  • iTunes Detector Plug-in
  • 5.1.30214.0
  • Intel web components for Intel® Identity Protection Technology
  • Intel web components updater - Installs and updates the Intel web components
  • VMware Remote Console Plug-in
  • RealNetworks(tm) RealDownloader Chrome Background Extension Plug-In
  • RealNetworks(tm) RealDownloader PepperFlashVideoShim Plug-In
  • RealNetworks(tm) RealDownloader HTML5VideoShim Plug-In
  • RealDownloader Plugin
  • VMware Remote Console and Client Integration Plug-in

Anwendung

  • User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0

Weitere Informationen

Sourjobraato Banerjee 14 Lösungen 232 Antworten
Veröffentlicht

In order to change your Firefox Configuration please do the following steps :

  1. In the Location bar, type about:config and press Enter. The about:config "This might void your warranty!" warning page may appear.
  2. Click I'll be careful, I promise! to continue to the about:config page.
In order to change your Firefox Configuration please do the following steps : # In the [[Location bar autocomplete|Location bar]], type '''about:config''' and press '''Enter'''. The about:config "''This might void your warranty!''" warning page may appear. # Click '''I'll be careful, I promise!''' to continue to the about:config page.
jscher2000
  • Top 10 Contributor
8783 Lösungen 71823 Antworten
Veröffentlicht

Is this the only site with a problem?

Does the page have the third section (I understand the risks) allowing you to add an exception for this certificate (since you do trust your own self-signed cert)?

Is this the only site with a problem? Does the page have the third section (I understand the risks) allowing you to add an exception for this certificate (since you do trust your own self-signed cert)?

Fragesteller

Here's the rest of the page: The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

Here's the rest of the page: The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

Fragesteller

Version is 31.0

I'm not trying to change the config unless that's necessary. What changes would you suggest?

Version is 31.0 I'm not trying to change the config unless that's necessary. What changes would you suggest?
Tyler Downer
  • Top 25 Contributor
  • Moderator
1538 Lösungen 10731 Antworten
Veröffentlicht

This is likely because you self-signed your certificate rather than having one through a trusted CA. Please read https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/

This is likely because you self-signed your certificate rather than having one through a trusted CA. Please read https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/

Fragesteller

True enough. Then the question is why did it work on Sunday and not on Monday when the only change made was to upgrade to FF 31.0?

True enough. Then the question is why did it work on Sunday and not on Monday when the only change made was to upgrade to FF 31.0?
cor-el
  • Top 10 Contributor
  • Moderator
17566 Lösungen 158879 Antworten
Veröffentlicht

Ausgewählte Lösung

You can try to set security.use_mozillapkix_verification to false on the about:config page as a test to see if that has effect.

You can try to set <b>security.use_mozillapkix_verification</b> to false on the <b>about:config</b> page as a test to see if that has effect.

Fragesteller

Thanks, folks! Changing the pkix to false fixed the problem, though I'm not sure if that's a good thing in general.

Thanks, folks! Changing the pkix to false fixed the problem, though I'm not sure if that's a good thing in general.
Tyler Downer
  • Top 25 Contributor
  • Moderator
1538 Lösungen 10731 Antworten
Veröffentlicht

In Firefox 31 we introduced a new security backend. Leaving it disabled is not a good idea long-term. Please reach out to the Security crypto group, https://groups.google.com/forum/#!msg/mozilla.dev.tech.crypto/EbWse7Ryj8I/mgNRW4yGAwU for help resolving this long term.

In Firefox 31 we introduced a new security backend. Leaving it disabled is not a good idea long-term. Please reach out to the Security crypto group, https://groups.google.com/forum/#!msg/mozilla.dev.tech.crypto/EbWse7Ryj8I/mgNRW4yGAwU for help resolving this long term.
cor-el
  • Top 10 Contributor
  • Moderator
17566 Lösungen 158879 Antworten
Veröffentlicht

That disables the new PKIX implementation and thus should be used with caution.

See also Behavior Changes and Things for CAs to Fix:

That disables the new PKIX implementation and thus should be used with caution. See also Behavior Changes and Things for CAs to Fix: *https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing
ricardodev 1 Lösungen 4 Antworten
Veröffentlicht

Other possible solution that doesn't make Firefox generally unsafer is Deleting or Distrusting the "problematic" certificates from the Authorities and add it again.

Please refer to this post.

Other possible solution that doesn't make Firefox generally unsafer is '''Deleting or Distrusting the "problematic" certificates from the Authorities and add it again'''. Please refer to [https://support.mozilla.org/en-US/questions/1012728#answer-616338 this post].
muddy_selene 0 Lösungen 3 Antworten
Veröffentlicht

Hilfreiche Antwort

Having this problem, I checked that security.use_mozillapkix_verification setting in my Firefox 31 on Linux (CentOS). Its default value was 'false', and it was already set to this value. For the hell of it, I tried changing it to 'true'. Lo and behold, the problem was cured. I suppose the moral is, "whether this setting is 'true' or 'false', try toggling it". Sorry to muddy the waters!

Having this problem, I checked that security.use_mozillapkix_verification setting in my Firefox 31 on Linux (CentOS). Its default value was 'false', and it was already set to this value. For the hell of it, I tried changing it to 'true'. Lo and behold, the problem was cured. I suppose the moral is, "whether this setting is 'true' or 'false', try toggling it". Sorry to muddy the waters!
cor-el
  • Top 10 Contributor
  • Moderator
17566 Lösungen 158879 Antworten
Veröffentlicht

Note that the security.use_mozillapkix_verification pref is only present in Firefox 31 and 32 and that you won't be able to disable PKIX in Firefox 33 and later.

Note that the security.use_mozillapkix_verification pref is only present in Firefox 31 and 32 and that you won't be able to disable PKIX in Firefox 33 and later.
Farbauti 0 Lösungen 6 Antworten
Veröffentlicht

Hilfreiche Antwort

"... you won't be able to disable PKIX in Firefox 33 and later."

On "https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message#w_the-certificate-is-not-trusted-because-it-is-self-signed" is states:

"...uses an invalid security certificate. The certificate is not trusted because it is self signed. (Error code: sec_error_ca_cert_invalid) Self-signed certificates make your data safe from eavesdroppers, but say nothing about who the recipient of the data is. This is common for intranet websites that aren't available publicly."

With disabling the workaround to access self-signed https sites, Mozilla makes it impossible to access valid websites (like intranet pages, router administration, etc.).

BRAVO !!! That's the first - but major - reason to never ever use Firefox again...

"... you won't be able to disable PKIX in Firefox 33 and later." On "https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message#w_the-certificate-is-not-trusted-because-it-is-self-signed" is states: "...uses an invalid security certificate. The certificate is not trusted because it is self signed. (Error code: sec_error_ca_cert_invalid) Self-signed certificates make your data safe from eavesdroppers, but say nothing about who the recipient of the data is. This is common for intranet websites that aren't available publicly." With disabling the workaround to access self-signed https sites, Mozilla makes it impossible to access valid websites (like intranet pages, router administration, etc.). BRAVO !!! That's the first - but major - reason to never ever use Firefox again...

Geändert am von Farbauti

cor-el
  • Top 10 Contributor
  • Moderator
17566 Lösungen 158879 Antworten
Veröffentlicht

You can try if it works in the current beta release (33.0 b4 or later).

  • Bug 1034124 - mozilla::pkix: the error encountered when a CA certificate is used as an end-entity is not overridable
You can try if it works in the current beta release (33.0 b4 or later). *Bug 1034124 - mozilla::pkix: the error encountered when a CA certificate is used as an end-entity is not overridable *https://www.mozilla.org/en-US/firefox/all-beta.html *https://www.mozilla.org/en-US/firefox/beta/
user619333 0 Lösungen 7 Antworten
Veröffentlicht

Hi There,

I have the same issue. After the update all the certificate in my certificate store were wiped. I have certificate from a CA. This is the second time it happen same happened last time after the previous update.

Furthermore Now when I am trying to import the p12 into the your certificate tab I don't get the prompt for the password anymore and I cannot import any certificate.

You're really going down the drain with this updates guys. Fix this as I want to continue working with FF.

tried the proposed solution : You can try to set security.use_mozillapkix_verification to false on the about:config page as a test to see if that has effect.

There is no change.

Is there anyway I can revert the change and go back to the previous version?

Hi There, I have the same issue. After the update all the certificate in my certificate store were wiped. I have certificate from a CA. This is the second time it happen same happened last time after the previous update. Furthermore Now when I am trying to import the p12 into the your certificate tab I don't get the prompt for the password anymore and I cannot import any certificate. You're really going down the drain with this updates guys. Fix this as I want to continue working with FF. tried the proposed solution : You can try to set security.use_mozillapkix_verification to false on the about:config page as a test to see if that has effect. There is no change. Is there anyway I can revert the change and go back to the previous version?

Geändert am von user619333

jscher2000
  • Top 10 Contributor
8783 Lösungen 71823 Antworten
Veröffentlicht

Hi snlpnstslocn, certificates should not be deleted during a routine upgrade. Did Firefox perform a reset during the upgrade? You would notice a new folder on the desktop named Old Firefox Data.

Regarding importing your personal certificate, I think this is a different problem and it would be best to start a new question (particularly since this one already is marked as solved). You can do that using this link:

https://support.mozilla.org/questions/new/desktop/fix-problems

Scroll down past the suggestions if they are not right on target, to continue with the new question form.

Hi snlpnstslocn, certificates should not be deleted during a routine upgrade. Did Firefox perform a reset during the upgrade? You would notice a new folder on the desktop named Old Firefox Data. Regarding importing your personal certificate, I think this is a different problem and it would be best to start a new question (particularly since this one already is marked as solved). You can do that using this link: https://support.mozilla.org/questions/new/desktop/fix-problems Scroll down past the suggestions if they are not right on target, to continue with the new question form.
mrwboilers 0 Lösungen 5 Antworten
Veröffentlicht

My last reply didn't get posted. Just wondering if it's awaiting moderation, or if it didn't go through. (This is my first time posting here.)

My last reply didn't get posted. Just wondering if it's awaiting moderation, or if it didn't go through. (This is my first time posting here.)
mrwboilers 0 Lösungen 5 Antworten
Veröffentlicht

Guess it didn't go through.

This is a big deal to me. As in, if this doesn't go away, I'll have to stop using Firefox. As someone else stated, this is a problem on lots of internal "sites" -- such as server IPMI, appliance configuration, etc. These are all things that are only available internally to my company. I don't care if the certs are actually signed or not. I just need to be able to get to them. And now, Firefox is completely useless when dealing with these things. Completely useless to me.

I don't want to turn off security for the whole freaking world just so I can get to my internal sites. Give me an option to click through the error. Give me the "I know the risks" button and let me create an exception for these sites. Without this, I'll be uninstalling Firefox and using Chrome exclusively.

Guess it didn't go through. This is a big deal to me. As in, if this doesn't go away, I'll have to stop using Firefox. As someone else stated, this is a problem on lots of internal "sites" -- such as server IPMI, appliance configuration, etc. These are all things that are only available internally to my company. I don't care if the certs are actually signed or not. I just need to be able to get to them. And now, Firefox is completely useless when dealing with these things. Completely useless to me. I don't want to turn off security for the whole freaking world just so I can get to my internal sites. Give me an option to click through the error. Give me the "I know the risks" button and let me create an exception for these sites. Without this, I'll be uninstalling Firefox and using Chrome exclusively.
jscher2000
  • Top 10 Contributor
8783 Lösungen 71823 Antworten
Veröffentlicht

Hi mrwboilers, this old question is already marked as solved. You can start a new question with details about the error you are getting, please include the description from the Technical Details section of the page.

To start a new question here on the support forum, you can use this link:

https://support.mozilla.org/questions/new/desktop/fix-problems

The form is split over several pages, so scroll down past the suggestions to continue with submission.

Or, to give input on changes you want in future versions of Firefox, I suggest these two avenues:

(1) Input site: https://input.mozilla.org/feedback

(2) Bug tracking site, where you can file a new bug report or vote for an existing one to get fixed: https://bugzilla.mozilla.org/ (see: Bugzilla Etiquette, Voting)

Hi mrwboilers, this old question is already marked as solved. You can start a new question with details about the error you are getting, please include the description from the Technical Details section of the page. To start a new question here on the support forum, you can use this link: https://support.mozilla.org/questions/new/desktop/fix-problems The form is split over several pages, so scroll down past the suggestions to continue with submission. Or, to give input on changes you want in future versions of Firefox, I suggest these two avenues: (1) Input site: https://input.mozilla.org/feedback (2) Bug tracking site, where you can file a new bug report or vote for an existing one to get fixed: https://bugzilla.mozilla.org/ (see: [https://bugzilla.mozilla.org/page.cgi?id=etiquette.html Bugzilla Etiquette], [https://bugzilla.mozilla.org/page.cgi?id=voting.html Voting])