pfSense cert was trusted and now is not (nor can I manually do it)

So I've upgraded pfsense (which has my own self-signed cert for the GUI) to 2.3. For some reason, this has broken management for it via Firefox. It still works with Chrome.

Here is the error:

   The connection to 192.168.50.1:449 was interrupted while the page was loading.

   The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
   Please contact the website owners to inform them of this problem.

What I have done to try to rectify this:

1) Checked that both time of pfsense and my computer match (they do and Chrome works right with this anyway.)
2) Manually imported both the CA and cert.
3) Deleted cert8.db and let FF recreate it.
4) Tried a new profile (which works once and then fails as soon as FF is restarted.)
5) Tried on both Windows and Linux (neither side works.)
6) Generated a new cert for the GUI (which Chrome again just accepts but FF refuses.)

FF version is 45.0.1

I haven't seen anything else that addresses this. The key did not change in the upgrade. Even had it done that, I would think that generating a new cert entirely should prompt for making a permanent exception again.

I've narrowed it down to FF as both Chrome and Vivaldi work perfectly on it. Nothing seems to have helped and the FF landing page doesn't reveal any useful info (as in SEC_ERROR_INSECURE_CIPHER or the like.)

Any help is very much appreciated as I hate opening Chrome solely to manage my firewall.

Additional System Details

Application

  • Firefox 45.0.1
  • User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
  • Support URL: https://support.mozilla.org/1/firefox/45.0.1/Linux/en-US/

Question owner

No ideas? Figured this would get some attention from devs or someone. I can provide more info if needed- just not sure what anyone would need to help me diagnose this.

For what it's worth, FF beta on Android can connect with no issues (just add the exception and go.) It still might be tied to something with Sync via desktop FFs but apparently not with whatever on mobile.

Modified by blueduckdock

Question owner

Think I have found the issue. A new profile DOES solve it. Once you add a sync profile to it though, it reverts. FF sync is bringing across certs and other things in the cert8.db I think. I can't open it (says it's encrypted) but that appears to be it I think.

Any way to gracefully remove that from my profile? I'd hate to get a new sync account simply for this.

cor-el

I don't think that Sync would include certificates. Sync can include whitelisted prefs that have a corresponding services.sync.prefs.sync.* pref, so you may have prefs set on another device that are causing problems.

Did you compare the cert8.db file before and after connecting to Sync?

Question owner

cor-el said

I don't think that Sync would include certificates. Sync can include whitelisted prefs that have a corresponding services.sync.prefs.sync.* pref, so you may have prefs set on another device that are causing problems. Did you compare the cert8.db file before and after connecting to Sync?

Is there a way to check that? I tried using sqlite from the terminal and it was no go. I'd love to compare but that really is the only thing I can think of as it's perfectly fine with a different profile (non sync affiliated.) I will check on the prefs file and yes, it does seem strange that it would sync certs across.

cor-el

Cert8.db is not SQLite, although Firefox can use a cert9.db file that is an SQLite database (NSS_DEFAULT_DB_TYPE="sql").

  • http://mxr.mozilla.org/mozilla-release/search?string=NSS_DEFAULT_DB_TYPE

You would have to use certutil.exe to inspect the file or check the Certificate Manager for items marked as "Software Security Device".

  • https://developer.mozilla.org/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
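
The before/after comparison of the certificate store that cor-el asks about can be scripted around `certutil -L`. This is an added example, not part of the thread: the function names, the profile path placeholder and the sample snapshot lines are constructed, and it assumes `certutil` from the NSS tools is installed.

```shell
#!/bin/sh
# Added example, not from the thread: snapshot the trust flags in a Firefox
# profile's NSS certificate store so two snapshots can be compared.

# Print the certutil prefix for a certificate DB file:
# "sql:" for SQLite (cert9.db), "dbm:" for the legacy format (cert8.db).
nss_db_prefix() {
    magic=$(head -c 15 "$1" 2>/dev/null | tr -d '\000')
    if [ "$magic" = "SQLite format 3" ]; then
        echo "sql:"
    else
        echo "dbm:"
    fi
}

# Write the sorted "nickname  trust-flags" listing of a profile to a file.
# Prefers cert9.db when the profile has one. Requires certutil (NSS tools).
snapshot_trust() {
    profile=$1
    out=$2
    if [ -f "$profile/cert9.db" ]; then db="$profile/cert9.db"
    else db="$profile/cert8.db"; fi
    certutil -L -d "$(nss_db_prefix "$db")$profile" | LC_ALL=C sort > "$out"
}

# Print entries that differ between two sorted snapshots:
# "-" lines exist only in the first, "+" lines only in the second.
trust_changes() {
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/- /'
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/+ /'
}

# Constructed sample snapshots (not real output from the poster's profile).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'Example Root CA   CT,C,C' 'pfSense webGUI   P,,' > "$d/before"
    printf '%s\n' 'Example Root CA   CT,C,C' 'pfSense webGUI   ,,'  > "$d/after"
    trust_changes "$d/before" "$d/after"
    rm -rf "$d"
}

# Typical use (PROFILE is a placeholder for the profile directory):
#   snapshot_trust ~/.mozilla/firefox/PROFILE before.txt
#   ... connect the profile to Sync, restart Firefox ...
#   snapshot_trust ~/.mozilla/firefox/PROFILE after.txt
#   trust_changes before.txt after.txt
```

An empty result from `trust_changes` means the certificate store did not change, which points back at synced prefs rather than certificates.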

Chosen Solution

cor-el said

Cert8.db is not SQLite, although Firefox can use a cert9.db file that is an SQLite database (NSS_DEFAULT_DB_TYPE="sql"). You would have to use certutil.exe to inspect the file or check the Certificate Manager for items marked as "Software Security Device".

I was not able to get certutil to work on either Linux or Windows.

I DID get it fixed though. I simply set up new profiles and they're fine. I've attached them to sync WITHOUT syncing prefs (all others checked) and so far, so good. Waiting for the others to fall off then I'll sync prefs from one good machine.

It definitely is something with sync from what I can see. I guess it was at some point just distrusted and that screwed everything up.

Thanks for the help mate.