X
Tap here to go to the mobile version of the site.

Support Forum

PR_CONNECT_RESET_ERROR when browsing to our internal Thycotic Secret Server with own MS PKI issued certs

  • No replies
  • 2 have this problem
  • 13 views
Posted

We have our own internal Microsoft certificate root authority and we have certs issued from it automatically to all of our Windows endpoints and servers. Our internal Thycotic Secret Server is one of these endpoints, and SS runs over IIS. I have many, many servers in our environment that are bound to these certificates, and they work just fine in Firefox. The cert for the Secret Server is just like all of the other certs in our enterprise. The certificate is fully valid and trusted in IE, Edge, Chrome and in Firefox. We have GPO's in place to ensure the CA Root Authority of our PKI and issuing server is trusted and the certs are compliant, fully standard and functional in all web browsers.

But this one server absolutely WILL NOT bring up a web page when we browse to Secret Server in Firefox. It stops cold with a PR_CONNECT_RESET_ERROR, and there is no option to bypass it whatsoever. We don't have these issues with other servers using the same type of certs. We don't have this issue with any other browsers - only Firefox. I've even generated a wildcard cert that works everywhere on our internal domain, in all browsers, but if I bind it in IIS on the Secret Server, it just won't work.

I've worked with Thycotic support, and they have no solutions, only to point their fingers at the browser, because the error is in the browser, and not from the web server (even though they can't see any errors from the web server, because no page ever gets displayed.

I'm stumped on this, and because it works everywhere except for this browser on this server (and this happens on ANY workstation in our environment - existing or brand new Firefox install), I can't understand what is causing this. Is there anything I can look at in some logs, config file or somewhere else?

I did see an option in the SS config to disable HSTS, and I tried to disable that, but it didn't make any difference. I'm still fully inclined to point the finger at Thycotic and their software, but since they can't replicate the issue on their end, they refuse to accept any ownership in resolving this.

If anyone has anything to offer, I would greatly appreciate it. I would really like Firefox to be my one and only daily driver web browser, but because the server that serves up the passwords for the accounts, endpoints and websites in our environment doesn't work, it kinda makes it difficult to use, or recommend to others.

We have our own internal Microsoft certificate root authority and we have certs issued from it automatically to all of our Windows endpoints and servers. Our internal Thycotic Secret Server is one of these endpoints, and SS runs over IIS. I have many, many servers in our environment that are bound to these certificates, and they work just fine in Firefox. The cert for the Secret Server is just like all of the other certs in our enterprise. The certificate is fully valid and trusted in IE, Edge, Chrome and in Firefox. We have GPO's in place to ensure the CA Root Authority of our PKI and issuing server is trusted and the certs are compliant, fully standard and functional in all web browsers. But this one server absolutely WILL NOT bring up a web page when we browse to Secret Server in Firefox. It stops cold with a PR_CONNECT_RESET_ERROR, and there is no option to bypass it whatsoever. We don't have these issues with other servers using the same type of certs. We don't have this issue with any other browsers - only Firefox. I've even generated a wildcard cert that works everywhere on our internal domain, in all browsers, but if I bind it in IIS on the Secret Server, it just won't work. I've worked with Thycotic support, and they have no solutions, only to point their fingers at the browser, because the error is in the browser, and not from the web server (even though they can't see any errors from the web server, because no page ever gets displayed. I'm stumped on this, and because it works everywhere except for this browser on this server (and this happens on ANY workstation in our environment - existing or brand new Firefox install), I can't understand what is causing this. Is there anything I can look at in some logs, config file or somewhere else? I did see an option in the SS config to disable HSTS, and I tried to disable that, but it didn't make any difference. I'm still fully inclined to point the finger at Thycotic and their software, but since they can't replicate the issue on their end, they refuse to accept any ownership in resolving this. If anyone has anything to offer, I would greatly appreciate it. I would really like Firefox to be my one and only daily driver web browser, but because the server that serves up the passwords for the accounts, endpoints and websites in our environment doesn't work, it kinda makes it difficult to use, or recommend to others.
Attached screenshots

Modified by Glenn Berkshier

Quote

Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0

More Information

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.