Cuireadh an snáithe seo sa chartlann. Cuir ceist nua má tá cabhair uait.
Security certificate no longer valid after upgrading to latest FF.
I upgraded to the very latest version of FF over the weekend and now I can't access a site I had been accessing for the following error: An error occurred during a connection to grdpmgr01.dmz.domainname.com:7799. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)
The certificate is self-signed. We have a similar problem with IE that we've worked around.
You can try to set security.use_mozillapkix_verification to false on the about:config page as a test to see if that has effect.Read this answer in context 👍 19
All Replies (15)
Other possible solution that doesn't make Firefox generally unsafer is Deleting or Distrusting the "problematic" certificates from the Authorities and add it again.
Please refer to [post]
Athraithe ag ricardodev ar
Thanks for the reply. I submitted a suggestion to the feedback site.
I'm not sure I'd consider this issue resolved. I'm having the same issue on the latest version of Firefox. Disabling security for every site doesn't seem like a valid work around to me.
Ok, I guess this isn't as bad as I thought. I thought disabling the mozillapkix_verification setting would disable security checks. That's not the case. It still warns you of a bad certificate, but gives you the option to proceed anyway -- which is how it should be by default (in my opinion.) So I guess this can be marked as resolved.
Now it happend!
I updated to FF 33.x to check, and indeed - I'm no longer able to access my own Router as it holds its own self-signed certificate. There is no "add exception" in FF any longer and the security.use_mozillapkix_verification=false workaround is also not working.
So, thank you Mozilla, it was a pleasure using FF the last years, but now it is time to turn to a handy browser that actually can be used.
You should contact your router company to see if there is an update for its software, and second, you access your router that much that you will switch browsers entirely? At the very least, you could use IE for your router (I access min about once a year to update firmware) and Firefox the rest of the year.
I think we're missing the point in many of the replies. Self-signed certificates are not unusual. I've worked with many of them. The over-arching issue is how do FF users deal with these certificates? Yes, they're a security hole -- a BIG one -- and every user has to decide how to deal with that issue. We can't take the position that only Mozilla Firefox developers know the way, the truth and the right.
I've seen all the answers and the vehemence in some of the replies should be a clue that there has to be an accommodation or risk losing a large number of dedicated users, including this one.
I simply don't want to support/encourage senseless "improvements"!
I mean what was wrong with the old procedure? Untrusted cert -> warning and option to add an exception.
That sounds reasonable if you have just that one router to deal with. I have IPMI (DRAC, ILO, etc.) on over 100 servers to deal with, plus a few other appliances as well. All of these are only available on my internal network (no route to/from the internet) so I'm not concerned about security so much. So I have no interest in managing their certificates. I'm just sick of having to switch to a different browser every time I need to get to one of these.
Did the security.use_mozillapkix_verification setting go away? Setting that to false worked fine for me, but on a new installation of Firefox, I don't even see that setting anymore.
Please make the default (or even only) setting to warn about a bad cert, but with the option to go to the site anyway. If you start dictating to people which sites they can and can't go to, you're gonna have a bad time.
I totally agree with Bill here. There must be a better way for self signed certificate cannot they just be added under the personal store and be trusted?
There is still a wide use of self signed certificate for internal network and going ahead might even be a heavier use since the cab forum changed the rules of how internal domains are to be secured.
Just for the records I work with client certificates issued from a CA and since FF32 I started having huge problems with that. In that case it was enough for me to re-import all my certs and I kept working.
Once FF33 arrived I think something went wrong during the update and not only all my certs were wiped but also I was not able to import any of them.
The only thing that resolved was creating a new user profile. Hope this helps tracking the cause it really seemed something went wrong in the moving of the certificate store or with the permission...don't know.
Next week a special Firefox 33.1 version (Firefox 10th anniversary) will be released that includes some fixes that may help with certificate issues. So keep an eye on that.
Yay, with FF 33.1 it works - again.
Glad to see that this former 'improvment' was classified as a bug worth fixing, in the end. Thank you.
I still have no way to access a site with a self-signed certificate. security.use_mozillapkix_verification seems to be gone from the about:config page beginning in FF 3.3. And there is still no "I understand the risks" option.
Hi clandau, can you give a link to the problem site?
I now have FireFox 35.0, and it seems to be working. I can access the site with a self-signed certificate.