After updating FF to 33.0 I now get: error code: sec_error_invalid_key
I visit sites that have local ssl certificates installed (self signed), typically I get the warning about this, accept, confirm, etc. All used to be good. I just now received an update to FF to 33.0, now none of these sites work. (I'm in the Beta channel) I'm getting: error code: sec_error_invalid_key
The sites in question, are all mine, and work well on other browsers.
Additional System Details
- Microsoft Office for Mac SharePoint Browser Plug-in
- thinkorswim loader
- thinkDesktop configuration loader
- Displays Java applet content, or a placeholder if Java is not installed.
- Blue Jeans Installation Plugin
- Blue Jeans Video Plugin
- Shockwave Flash 14.0 r0
- Provides information about the default web browser
- Version 188.8.131.5203
- Microsoft Lync 2010 Meeting Join Plug-in
- The QuickTime Plugin allows you to view a wide variety of multimedia content in web pages. For more information, visit the QuickTime Web site.
- Adobe® Acrobat® Plug-in for Web Browsers, Version 11.0.07
- The Google Earth Plugin allows you to view 3D imagery and terrain in your web browser.
- Unity Web Player version 4.2.0f4. (c) 2013 Unity Technologies ApS. All rights reserved.
- WebEx64 General Plugin Container Version 205
- Office Live Update v1.0
- NPAPI Plguin used by inSite(sm) from American Express(R)
- Picasa plugin.
- User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:33.0) Gecko/20100101 Firefox/33.0
Did (does) Firefox 32 work or does that version fail as well?
You can try to rename the cert8.db file in the Firefox profile folder to see if that has effect.
I have same problem. I downgraded to FF 32, site with self-signed certificate works normally. Then I again upgraded to FF33beta, error code: sec_error_invalid_key.
Renaming cert8.db file doesn't help.
That is probably because Firefox 33 has fully switched to libPKIX that is more stricter and you can no longer disable this library and fall back to the previous NSS code.
- bug 975229 - Remove NSS-based certificate verification
Please do not comment in bug reports
So that means I need to use IE or Chrome instead? I downgraded to FF 32 and it is working again.
FF has to fix this!
I trust that you are aware that Firefox 33 is a Beta build, which won't be released until Oct 14th.
Are you using Extended Validation (EV) certificates or the Domain Validated (DV) certificates?
"I trust that you are aware that Firefox 33 is a Beta build, which won't be released until Oct 14th."
Yes, but the question is: will it be fixed? AFAICS this breaks Webmin, in general. Worse, if I try and add an exception in Options, FF says it can't get any identifying information from the site, so even that simple workaround isn't available. I'm not inclined to buy commercial SSL certificates for Webmin!
And the answer is NO it won't be fixed, 33.0 released today and this is still an issue. Must revert back to 32.x or go to some other browser.
Modified by FTWMike
I had this problem with Firefox 33 and 2 of my 3 webmin sites, I checked the certificates expiration date and the ones with problems had expired.
I renewed the certificates in Webmin and Firefox asked me to add an exception for those selfsigned certificates as usual.
Modified by JokMontoya
I have 10th of routers with self-sign certs. I checked the cert with a still 32 FF and the cert expires in 2020. When I try to connect with FF33 I get the same sec_error_invalid_key. I removed the permanent exception cert from the local store and try to set it manually again: I get the error: ~unable to get identification status for the site~ (approx translation to english)
Here is a temporary workaround for Linux: sudo apt-get remove firefox (do not specify purge, this will keep your profile as is) sudo dpkg -i /var/cache/apt/archives/firefox then type tab key to list the available versions in your apt cache. Do the same with related packages (eg. locale language pack, desktop integration) that are already installed. Then complete the command: sudo dpkg -i /var/cache/apt/archives/firefox*32*.deb At this time you're nearly safe. Immediately launch synaptic package manager, seach firefox (32 and related) installed, select it, click Package in the menu and check the "Lock version". You are now safe. Monitor the firefox release notes to know when you can release the version lock.
Modified by Fab de Coarraze
hello, i'm not sure if it applies to your situation, but support for some certificates with weak signatures has been removed in firefox 33: https://developer.mozilla.org/en-US/Firefox/Releases/33/Site_Compatibility#Security
I have the same problem with Firefox 33.0 when connecting to Webmin running on a local network Ubuntu 12.04 Server.
I create in Webmin a new local ssl certificate and now it is working with FF 33.
Webmin Configuration -> SSL Encryption -> Self-Signed Certificate
Kind regard PapsW
Apparently the root issue with non-Webmin certs is key length within the certificates. FF 34 beta broke out the error with a new error text of "mozilla_pkix_error_inadequate_key_size" but I'm still not finding any kind of override. 'They' need to understand we don't have any say over the key length on many of these devices, they are what they are and we need to be able to override them.
Encrypted traffic even weakly encrypted is preferable to clear text when it contains logins and passwords.
Modified by FTWMike
- Several cipher suites have been disabled
- RSA certificates using weak signatures less than 1024-bit are no longer accepted
I visited https://news.ycombinator.com/ with Firefox 33.0.2 on Windows 7 and it's giving me "(Error code: sec_error_unknown_issuer)" and there is no "I understand the risks" button. In this case, I'm not particularly bothered about having a secure connection but the http:// site auto redirects to the https:// one and Firefox will not let me ignore the validation error.
Whilst I understand that this behaviour is probably sensible for the typical Firefox user, it is not acceptable for developers and those who use admin control panels. Could we perhaps have an "about:config" variable such as "security.tls.allow-ignore-errors" that brings back the "I understand the risks" button?
Modified by cor-el
Problem still exists, including Firefox 34, 35, 36.0b7 see https://support.mozilla.org/en-US/questions/1045971
important addition: I have restored https-access to my router by these tricks in about:config Modify security.tls.version.min from 1 to 0 sometimes it's necessary also to Modify security.tls.version.fallback-limit from 1 to 0 please see link above
Modified by pion19
Phasing out Certificates with 1024-bit RSA Keys:
Phase 2: Phasing out Certificates with 1024-bit RSA Keys: