Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Cuireadh an snáithe seo sa chartlann. Cuir ceist nua má tá cabhair uait.

Security certificate no longer valid after upgrading to latest FF.

  • 35 freagra
  • 252 leis an bhfadhb seo
  • 115078 views
  • Freagra is déanaí ó Charlie

more options

I upgraded to the very latest version of FF over the weekend and now I can't access a site I had been accessing for the following error: An error occurred during a connection to grdpmgr01.dmz.domainname.com:7799. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)

The certificate is self-signed. We have a similar problem with IE that we've worked around.

Réiteach roghnaithe

You can try to set security.use_mozillapkix_verification to false on the about:config page as a test to see if that has effect.

Read this answer in context 👍 19

All Replies (15)

more options

Other possible solution that doesn't make Firefox generally unsafer is Deleting or Distrusting the "problematic" certificates from the Authorities and add it again.

Please refer to [post]

Athraithe ag ricardodev ar

more options

Thanks for the reply. I submitted a suggestion to the feedback site.

I'm not sure I'd consider this issue resolved. I'm having the same issue on the latest version of Firefox. Disabling security for every site doesn't seem like a valid work around to me.

more options

Ok, I guess this isn't as bad as I thought. I thought disabling the mozillapkix_verification setting would disable security checks. That's not the case. It still warns you of a bad certificate, but gives you the option to proceed anyway -- which is how it should be by default (in my opinion.) So I guess this can be marked as resolved.

more options

Now it happend!

I updated to FF 33.x to check, and indeed - I'm no longer able to access my own Router as it holds its own self-signed certificate. There is no "add exception" in FF any longer and the security.use_mozillapkix_verification=false workaround is also not working.

So, thank you Mozilla, it was a pleasure using FF the last years, but now it is time to turn to a handy browser that actually can be used.

more options

You should contact your router company to see if there is an update for its software, and second, you access your router that much that you will switch browsers entirely? At the very least, you could use IE for your router (I access min about once a year to update firmware) and Firefox the rest of the year.

more options

I think we're missing the point in many of the replies. Self-signed certificates are not unusual. I've worked with many of them. The over-arching issue is how do FF users deal with these certificates? Yes, they're a security hole -- a BIG one -- and every user has to decide how to deal with that issue. We can't take the position that only Mozilla Firefox developers know the way, the truth and the right.

I've seen all the answers and the vehemence in some of the replies should be a clue that there has to be an accommodation or risk losing a large number of dedicated users, including this one.

more options

I simply don't want to support/encourage senseless "improvements"!

I mean what was wrong with the old procedure? Untrusted cert -> warning and option to add an exception.

more options

That sounds reasonable if you have just that one router to deal with. I have IPMI (DRAC, ILO, etc.) on over 100 servers to deal with, plus a few other appliances as well. All of these are only available on my internal network (no route to/from the internet) so I'm not concerned about security so much. So I have no interest in managing their certificates. I'm just sick of having to switch to a different browser every time I need to get to one of these.

Did the security.use_mozillapkix_verification setting go away? Setting that to false worked fine for me, but on a new installation of Firefox, I don't even see that setting anymore.

Please make the default (or even only) setting to warn about a bad cert, but with the option to go to the site anyway. If you start dictating to people which sites they can and can't go to, you're gonna have a bad time.

more options

I totally agree with Bill here. There must be a better way for self signed certificate cannot they just be added under the personal store and be trusted?

There is still a wide use of self signed certificate for internal network and going ahead might even be a heavier use since the cab forum changed the rules of how internal domains are to be secured.

more options

Just for the records I work with client certificates issued from a CA and since FF32 I started having huge problems with that. In that case it was enough for me to re-import all my certs and I kept working.

Once FF33 arrived I think something went wrong during the update and not only all my certs were wiped but also I was not able to import any of them.

The only thing that resolved was creating a new user profile. Hope this helps tracking the cause it really seemed something went wrong in the moving of the certificate store or with the permission...don't know.

more options

Next week a special Firefox 33.1 version (Firefox 10th anniversary) will be released that includes some fixes that may help with certificate issues. So keep an eye on that.

more options

Yay, with FF 33.1 it works - again.

:-)

Glad to see that this former 'improvment' was classified as a bug worth fixing, in the end. Thank you.

more options

I still have no way to access a site with a self-signed certificate. security.use_mozillapkix_verification seems to be gone from the about:config page beginning in FF 3.3. And there is still no "I understand the risks" option.

more options

Hi clandau, can you give a link to the problem site?

more options

I now have FireFox 35.0, and it seems to be working. I can access the site with a self-signed certificate.

  1. 1
  2. 2