Firefox tells me that a site has an invalid security certificate, which I know. It asks if I want to Add an Exception and I click to add one. It pops up the Add Security Exception window and that window tells me that this site has a valid certificate and there is no need to add an exception; but I DO need to add an exception and it won't do it for me. Why? I am working in a secure test lab and use Firefox to log in to our systems under test. Each time we change or add hardware we must add exceptions to log in to a system. I have done this for years with Firefox but now Firefox 4 seems confused. We now need to use IE, which I would rather not.
I was able to fix this on one machine by clearing my recent history through the Options dialog. On a second occasion, I was able to rule out "Browsing & Download History" and "Form & Search History", so I can say at this point that the problem can be fixed by clearing one or more of Cookies, Cache, "Active Logons", or "Site Preferences".
Oh, in all cases, I selected "Everything" for the time period to clear.
Actually, your question is a bit different. It seems to be a contradiction to display the SSL error page but then say that no exception needs to be added. Can you copy and paste the error here?
Could you remove the previously approved certificate here and try adding it again?
Tools > Options > Advanced > Encryption sub-tab > View Certificates button > Servers tab
--- Earlier Comment Deleted ---
I already tried removing the old certificate, more than once (different systems/sites). Yes it is a contradiction; that's the bug.
One message says "This Connection is Untrusted" and the next one says "Valid Certificate This site provides valid, verified identification. There is no need to add an exception."? The last one is the error. I know the site doesn't have a valid certificate.
You might want to make a backup before proceeding. See Backing up your information for suggestions.
The certificate store in your Firefox profile might have become corrupted. You could try renaming the cert8.db file in your existing profile folder to hide previously stored certificates, then start Firefox and try again. To locate your profile folder, see Profiles | How to | Firefox Help.
If the problem recurs, perhaps it is some add-on or setting? You could test by accessing the test site with a new (blank) profile. This article describes starting up to the profile manager where you can create a new blank profile: Managing profiles. To switch the default back to your existing profile, restart to the profile manager.
It looks to me like Firefox 4 has a bug in its certificate retrieval system when accessing servers using SNI (I am using SNI on my server to run multiple virtual hosts with SSL using Apache). The reason I say this is because I am observing the following behavior:
The certificate is only valid for the following names:
The certificate expired on 10/01/2010 05:32 PM. The current time is 06/08/2011 01:32 PM.
(Error code: ssl_error_bad_cert_domain)
This info is correct; the cert has expired. Because I'm too lazy to renew it just now, I click on 'Add Exception', which pops up the dialog that lets me add an exception. That dialog has the 'Confirm Security Exception' button grayed out, because it says the certificate is valid. Only problem is, the certificate it's saying is valid is NOT the certificate that it previously complained about. The certificate that shows when I click 'View...' under 'Certificate Status' heading in the dialog, is the default certificate for that web server, 'www.aoaforums.com' and THAT certificate IS valid.
In other words, it looks like FF4 is correctly doing the SNI negotiation to display the initial error, but then is NOT doing the SNI negotiation when retrieving the cert info to make the exception for. Why it needs to make a separate request when it should already have the required info, I really don't understand, but that's certainly what it LOOKS like.
Only solution appears to be to get off my lazy duff and fix the cert on the www.giz-works.com URL.
Only problem is, the certificate it's saying is valid is NOT the certificate that it previously complained about.
That seems wrong. There is a setting as to whether to fetch the problem certificate automatically when showing the Add Exception dialog, or require you to click the Get Certificate button (see http://kb.mozillazine.org/Browser.ssl_override_beh
Of course, wrong information shouldn't be in there at any time, so there could be a bug in that dialog if it neither loads the correct info nor clears prior info.
Some additional information: This is on FF 4.0.1 running on Fedora 15 with all the current patches. I do not currently have any other Firefox extensions loaded.
If I go to the 'Edit' Menu and select 'Preferences', then select the 'Advanced' settings in the 'Preferences' dialog, then select the 'Servers' tab, and the 'Add Exception' button, this brings up a dialog to manually add an exception. Manually enter the url 'https://www.giz-works.com' and select 'Get Certificate' and I get the default certificate for the web server (www.aoaforums.com) NOT the certificate for www.giz-works.com.
Should I file a bugzilla on this?
Found it: you have TLS disabled, and SNI requires TLS.
Edit > Preferences > Advanced > Encryption tab
Check the box for "Use TLS 1.0"
Reload and try again. Fixed?
Doesn't work for me. I already have both protocols turned on.
And I now have three lab systems which Firefox will no longer allow me to log in to. I have no idea, so far, why it seems to randomly hit some and not others.
I think this is a Firefox 4 bug.