Réponses récentes à SEC_ERROR_UNKNOWN_CRITICAL_EXTENSIONhttps://support.mozilla.org/fr/questions/12649642019-09-18T02:20:01-07:00Thank you jscher2000.
I've posted my comments along with one of the countless "problematic" certific2019-09-18T02:20:01-07:00dark7stalkerhttps://support.mozilla.org/fr/questions/1264964#answer-1253030<p>Thank you jscher2000.
</p><p>I've posted my comments along with one of the countless "problematic" certificates on the bug that you shared with me.
</p><p>Hopefully, it will be resolved soon.
</p>Hi PraSSaDaR, do you want to review the following bug that's on file for Firefox 69 and see whether 2019-09-18T01:14:34-07:00jscher2000https://support.mozilla.org/fr/questions/1264964#answer-1253019<p>Hi PraSSaDaR, do you want to review the following bug that's on file for Firefox 69 and see whether it covers the type of certificate that's causing the problem for you:
</p><p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1570222" rel="nofollow">https://bugzilla.mozilla.org/show_bug.cgi?id=1570222</a>
</p>Firefox is the most secure browser I've ever used and it's one of the main reasons I keep using it. 2019-09-18T00:51:07-07:00dark7stalkerhttps://support.mozilla.org/fr/questions/1264964#answer-1253012<p>Firefox is the most secure browser I've ever used and it's one of the main reasons I keep using it. However, this is not the point I'm trying to make here.
</p><p>I tested this in a corporate environment with other users experiencing the same issue. I would encourage you to raise it with the Developers as on setups like Firefox 69 + other OSes (such as Windows 8 and Windows Server 2012R2) + BitDefender it is working fine.
</p><p>The problem occurs on Firefox 68 and 69 on Windows 10 (Build 1809 and latest). This eliminates BitDefender, Firefox PKI handling changes, and changes to our internal certificates as probable causes.
</p>Firefox is very strict with certificates, making it more secure.
2019-09-11T02:13:50-07:00fredmcd-hotmailhttps://support.mozilla.org/fr/questions/1264964#answer-1251094<p>Firefox is very strict with certificates, making it more secure.
</p>Why would I generate new certificates just for Firefox while they work with other browsers? Is this 2019-09-11T01:26:49-07:00dark7stalkerhttps://support.mozilla.org/fr/questions/1264964#answer-1251073<p>Why would I generate new certificates just for Firefox while they work with other browsers? Is this a PKI security issue and cert specifications that other browsers haven't caught up with yet?
</p><p>How was it working on Firefox 68 and stopped working on 69 if no changes have been made to our certificates and to the underlying PKI structure of Firefox?
</p>Hi PraSSaDaR, this error code is very specific, so I think you may need to try generating new certif2019-09-10T00:59:04-07:00jscher2000https://support.mozilla.org/fr/questions/1264964#answer-1250847<p>Hi PraSSaDaR, this error code is very specific, so I think you may need to try generating new certificates consistent with the discussion here:
</p><p><a href="https://wiki.mozilla.org/SecurityEngineering/x509Certs" rel="nofollow">https://wiki.mozilla.org/SecurityEngineering/x509Certs</a>
</p>Hi jscher2000,
The workaround that you mentioned didn't work unfortunately. The error reads:
No info2019-09-10T00:28:00-07:00dark7stalkerhttps://support.mozilla.org/fr/questions/1264964#answer-1250837<p>Hi jscher2000,
</p><p>The workaround that you mentioned didn't work unfortunately. The error reads:
</p><p><strong>No information available</strong>
</p><p>Unable to obtain identification status for this site.
</p><p>I tried multiple sites that weren't working before and the one that just broke after the upgrade to Firefox 69.
</p><p>The certificate hasn't changed at all which clearly points that this is a Firefox issue.
</p>PraSSaDaR said
Issue still persists on version 69.
Site was working fine with Firefox 68.
After u2019-09-09T01:06:48-07:00jscher2000https://support.mozilla.org/fr/questions/1264964#answer-1250539<p><em>PraSSaDaR <a href="#answer-1250524" rel="nofollow">said</a></em>
</p>
<blockquote>
Issue still persists on version 69.
Site was working fine with Firefox 68.
After upgrading to 69, error described above comes up.
Can this be reported to the developers as a bug please?
</blockquote>
<p>Hi PraSSaDaR, I found a bug on file where several people started getting this error code with self-signed certificates (157022). It's possible the error code is inaccurate in some cases, since someone could use an alternate method to add an exception:
</p>
<blockquote>Found this bug report because many of our internal certificates stopped working in Firefox 69, giving the SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION error message. ... Workaround for me is to go to about:preferences#privacy and view the certificates, then on the Servers tab enter the URL to the server. The certificate is then fetched and can be stored, after which Firefox can connect again. This should have the same result as the checkbox on certificate warning pages in Firefox 68, that would store the exception.</blockquote>
<p>That should only work if the error code is inaccurate and the real reason is something more common such as an incomplete chain of trust (normal for self-signed certificates).
</p><p>To clarify the steps:
</p>
<ul><li> Windows: "3-bar" menu button (or Tools menu) &gt; Options
</li><li> Mac: "3-bar" menu button (or Firefox menu) &gt; Preferences
</li><li> Linux: "3-bar" menu button (or Edit menu) &gt; Preferences
</li><li> Any system: type or paste <strong>about:preferences</strong> into the address bar and press Enter/Return to load it
</li></ul>
<p>In the search box at the top of the page, type <em>cert</em> and Firefox should filter to the <strong>Certificates</strong> section.
</p><p>Click the "View Certificates" button and in the Certificate Manager, click the Servers tab. At the bottom, click the "Add Exception" button (first screenshot). That will pop up a small dialog where you can enter the URL to retrieve the extension (second screenshot).
</p><p>If that works, then the error code was mistaken.
</p>Issue still persists on version 69.
Site was working fine with Firefox 68.
After upgrading to 69, er2019-09-09T00:06:18-07:00dark7stalkerhttps://support.mozilla.org/fr/questions/1264964#answer-1250524<p>Issue still persists on version 69.
</p><p>Site was working fine with Firefox 68.
After upgrading to 69, error described above comes up.
</p><p>Can this be reported to the developers as a bug please?
</p>Um, the behavior you're describing, with:
One day website works fine, the other day it comes with2019-07-23T21:30:40-07:00kgbmehttps://support.mozilla.org/fr/questions/1264964#answer-1239923<p>Um, the behavior you're describing, with:
</p>
<ul><li> One day website works fine, the other day it comes with the error and no certificate has been changed and
</li><li> At some point I recreated my Firefox profile to see if that would help, but websites that have been working originally, keep breaking.
</li></ul>
<p>... It would seem like there's a - Firefox, not Firefox (?) - Windows Registry rootkit, or something. I'd say there's at least 50/50 chance that your browser is (hi)jacked, right? I mean, if you're <strong>sure</strong> that you had earlier ran "firefox.exe -P" and made a -completely- fresh profile.
</p><p>Are you not running some sort of a (automatic) sandbox - such as COMODO's "Auto-Containment", which would place Firefox.exe in 'UNRECOGNIZED FILES' - and if not, or it's not being detected: then it may be the case that your Registry got b0rked?? What do you think? o.0
</p><p><strong>EDIT</strong>: ^^ Would it be too late to try it now, think that Firefox sigs should be built-in to the software (COMODO Firewall, or IS) and so it'll still report if it's funny - yea?
</p><p>Mozilla's WebPKI thingy says that:
</p>
<ul><li> SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION
</li><li> A certificate contains an extension marked as critical that is not handled by mozilla::pkix
</li></ul>
<p>@https://<a href="http://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates" rel="nofollow">developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates</a>
</p><p>And that you should "Re-generate the certificate without the extension or with it not marked as critical" which you obviously got nothing to do with - so, that information is entirely useless.&nbsp;:)
</p><p>Basically, I'm just spamming at this point, so I should prolly just wait for you to post back about this highly-unusual issue...
</p><p>(I mean, <em>it could be</em> that Bitdefender - or, whatever - is still throwing a fit, even though its SSL intercept is set to "off", because such software is -generally, just- invasive af? ++ Sorry if none of this has helped, like at all.)
</p>It doesn't look like there is anything more to be added.
Thank you both for your help.
If I find out2019-07-23T20:24:19-07:00dark7stalkerhttps://support.mozilla.org/fr/questions/1264964#answer-1239912<p>It doesn't look like there is anything more to be added.
Thank you both for your help.
</p><p>If I find out anything new, I will post the update here.
</p>Hi PraSSaDaR, unfortunately, I don't know how to extract the certificate details on the "Secure Conn2019-07-19T00:52:24-07:00jscher2000https://support.mozilla.org/fr/questions/1264964#answer-1238772<p>Hi PraSSaDaR, unfortunately, I don't know how to extract the certificate details on the "Secure Connection Failed" error page.
</p>@FredMcD
I have checked BitDefender and SSL scan is off.
This can be verified by checking the certif2019-07-18T18:59:04-07:00dark7stalkerhttps://support.mozilla.org/fr/questions/1264964#answer-1238707<p>@FredMcD
</p><p>I have checked BitDefender and SSL scan is off.
</p><p>This can be verified by checking the certificate when opening an HTTPS page. When BitDefender is intercepting SSL traffic, the BitDefender certificate shows up, and when it doesn't, the normal webpage certificate shows up. Screenshot attached.
</p><p>@jscher
</p><p>Is this something that changed in recent versions?
Those websites were working before.
</p><p>Also, they have self-signed certificates generated by default.
It's highly unlikely they would include a critical extension not recognizable by Firefox pkix.
</p>That's an unusual error code. I found some information that I don't claim to fully understand. Also,2019-07-18T07:12:23-07:00jscher2000https://support.mozilla.org/fr/questions/1264964#answer-1238567<p>That's an unusual error code. I found some information that I don't claim to fully understand. Also, why would it work sometimes and not others? Hmm...
</p><p>SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION means "A certificate contains an extension marked as critical that is not handled by mozilla::pkix."
</p><p>The six extensions Firefox can handle as critical extensions are: Subject Alternate Name, Basic Constraints, Key Usage, Extended Key Usages, Name Constraints, and Authority Information Access.
</p><p>If any other extension is marked as critical, Firefox stops verifying the certificate and won't connect.
</p><p>"What Can I Do: Re-generate the certificate without the extension or with it not marked as critical."
</p><p><em>Source:</em> <a href="https://wiki.mozilla.org/SecurityEngineering/x509Certs" rel="nofollow">https://wiki.mozilla.org/SecurityEngineering/x509Certs</a>
</p>There is security software like Avast, Kaspersky,
BitDefender and ESET that intercept secure
connect2019-07-18T06:44:49-07:00fredmcd-hotmailhttps://support.mozilla.org/fr/questions/1264964#answer-1238555<p>There is security software like Avast, Kaspersky,
BitDefender and ESET that intercept secure
connection certificates and send their own.
</p><p><a href="https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can" rel="nofollow">https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can</a>
</p><p><a href="https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites" rel="nofollow">https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites</a>
</p><p><a href="https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message" rel="nofollow">https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message</a>
</p><p><a href="https://support.mozilla.org/en-US/kb/connection-untrusted-error-message" rel="nofollow">https://support.mozilla.org/en-US/kb/connection-untrusted-error-message</a>
</p><p><a href="https://support.mozilla.org/en-US/kb/websites-dont-load-troubleshoot-and-fix-errors?redirectlocale=en-US&amp;redirectslug=Error+loading+web+sites" rel="nofollow">Websites don't load - troubleshoot and fix error messages</a>
</p><p><a href="http://kb.mozillazine.org/Error_loading_websites" rel="nofollow">http://kb.mozillazine.org/Error_loading_websites</a>
</p><p><a href="https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean" rel="nofollow">What do the security warning codes mean</a>
</p>I wanted to add that I'm an avid Firefox user and fan and have been using it for more than 10 years.2019-07-17T19:26:39-07:00dark7stalkerhttps://support.mozilla.org/fr/questions/1264964#answer-1238409<p>I wanted to add that I'm an avid Firefox user and fan and have been using it for more than 10 years. This started happening about 3 major versions ago, (from 65.0).
</p><p>At some point I recreated my Firefox profile to see if that would help, but websites that have been working originally, keep breaking.
Those websites work on other browsers such as IE and Edge.
</p><p>Any help with this would be much appreciated.
Everytime I open IE for a website that doesn't work because of this issue, it feels like a part of me dies&nbsp;:D&nbsp;:D
</p>