Intermittent SEC_ERROR_REUSED_ISSUER_AND_SERIAL
Hi everyone,
I'm using Firefox 61.0.1 on a corporate network. To access SSL sites I need a specific CA certificate installed in Firefox (I don't know the technical details but it has something to do with content inspection). This has been working fine for years.
Over the weekend some firewall-related changes were made (again, I don't know the specifics) but now I'm intermittently getting the dreaded SEC_ERROR_REUSED_ISSUER_AND_SERIAL error when trying to view SSL sites. I've deleted the various cert and key DB files (four in total) and reimported the CA certificate, but no luck.
IE is fine, and apparently Chrome is fine, but Firefox isn't. I've heard from two other Firefox users who are having the same problem, so it's not just my machine.
I suppose the most pertinent question is "how do I find out which certificate is affected?". I was assuming that it was our custom CA certificate, but I'm no longer certain. We removed the CA cert and tried using a "PAN" cert instead, but ended up with the same error. It would seem to indicate that the problem is elsewhere, but how do I find out where?
Any other suggestions?
כל התגובות (13)
Hi, it may have nothing to do with that as several Security programs can cause this issue : There is security software like Avast/AVG, Kaspersky (turn off the SSL check from kaspersky), BitDefender and ESET that intercept secure connections and send their own certificate. If you are running any of the above software please check their community forum for a work around to apply settings.
These pages are also for the errors you may have besides relating to the above.
- https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
- https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
- https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
- https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
- http://kb.mozillazine.org/Error_loading_websites
- https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER
As well as the error you describe. You can turn off things in these programs or go to their community forum for information.
Please let us know if this solved your issue or if need further assistance.
We have Sophos; I'll need to ask IT whether anything's changed with it over the weekend (since it was fine last week).
OK, thanks for those links. I've done some more testing.
- Sophos isn't the problem; we tested on a machine without it, and the problem persists.
- The local date and time are correct.
- Disabling IPv6 (network.dns.disableIPv6) didn't help.
- Disabling prefetch (network.dns.disablePrefetch) didn't help.
- ipconfig /flushdns didn't help.
- security.enterprise_roots.enabled didn't help, but it will likely prove useful in the future, so thanks again for the links (I deleted the DB files again after changing this setting, to clean up the old manually-imported cert).
What should I try next?
השתנתה ב־ על־ידי Behodar
Hi Behodar, how intermittent is it? What I mean is, if you reload the page, will Firefox connect, or once the problem starts, it persists indefinitely. What are the circumstances where the problem goes away?
To see the certificate to which Firefox is objecting, you can try clicking the SEC_ERROR_REUSED_ISSUER_AND_SERIAL code (usually it's styled as a link) and hopefully Firefox then will display a coded version of the certificate that someone can decode. (For example, using https://certlogik.com/decoder/)
But I don't know if that will tell us why this error suddenly started. Perhaps there is some subtle new incompatibility with your proxy server.
Unfortunately I haven't been able to find much of a pattern to it. Usually when it fails, it'll keep failing, but then if I retry several minutes later it might work again. But other times it'll fail once, then immediately work again.
IT tells me that there's no load balancer or anything like that on the Internet connection.
The "SEC_ERROR_REUSED_ISSUER_AND_SERIAL" text is not clickable. The only clickable elements on the error page are "Learn more" (which goes to a generic page on mozilla.org), "Try Again", and a "Report errors to Mozilla" field.
If I click the "i" in the address bar and proceed through to "More Information" then I get a Page Info window with a section called "Web Site Identity", but all the fields are blank. There is also a "View Certificate" button but clicking it does nothing whatsoever. Interestingly I only get this section if I go through "i" and "More Information"; if I go to Tools/Page Info then the Web Site Identity section doesn't appear.
There is no manually-configured proxy server, although I can't speak for what may be behind the scenes.
השתנתה ב־ על־ידי Behodar
I can't help thinking there is a "man in the middle" problem...
This error typically arises when users need to save "exceptions" and the fake certificates are not completely unique.
But you didn't mention anything like that. Does your Firefox work normally on HTTPS sites otherwise?
I don't have any manual exceptions whatsoever.
Aside from this error, HTTPS sites are fine when they do manage to load; no warnings or anything like that. The sole exception seems to be intermittent loss of CSS or JavaScript; I haven't checked, but I presume that these are being served over HTTPS themselves and are failing behind the scenes with the same error. Naturally I can't get it to fail right now but I'll post an update if I can confirm that that's what's happening.
You did rename cert9.db and cert8.db (when present) in the profile folder?
You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.
- Help -> Troubleshooting Information -> Profile Directory:
Windows: Show Folder; Linux: Open Directory; Mac: Show in Finder - http://kb.mozillazine.org/Profile_folder_-_Firefox
Yes, along with the key.db files.
Everything seems to have gone a bit quiet in here! I'm no closer to a fix, and am still having to suffer with IE until we can figure this out.
I've tried blocking access to the internal CA via the hosts file, but this had no effect. I'm not 100% certain how SSL works, but it seems that the certs are coming from the Web servers (or, in this case, presumably the corporate firewall) and not directly from the CA. I just thought Firefox might be doing some sort of validation against the CA, but it seems that this isn't the case.
I still have no idea how to get the details of the bad certificate. That's probably the most important thing at the moment; without this information I have no idea where to look next.
I've had IT look into this and they'd talked to their supplier (Palo Alto), who seems to think that it's a bug in Firefox. But I don't know what to do next!
You can try to check the certificate chain in Google Chrome on pages where you have a problem and then check these certificates in the Firefox Certificate Manager to see if you can isolate one or more certificates.
Not getting anywhere, I'm afraid. Both browsers are showing the same certificates and they seem to match up.
Thanks for the help, but since this is just dragging on and on I think it'll be quicker to bite the bullet and migrate to another browser :(