Why won't Firefox let me add an exception?

SOLVED
New User

Why won't Firefox let me add an exception?

Firefox tells me that a site has an invalid security certificate, which I know. It asks if I want to Add an Exception and I click to add one. It pops up the Add Security Exception window and that window tells me that this site has a valid certificate and there is no need to add an exception; but I DO need to add an exception and it won't do it for me. Why? I am working in a secure test lab and use Firefox to log in to our systems under test. Each time we change or add hardware we must add exceptions to log in to a system. I have done this for years with Firefox but now Firefox 4 seems confused. We now need to use IE, which I would rather not.

1 ACCEPTED SOLUTION
New User

Re: Why won't Firefox let me add an exception?

I was able to fix this on one machine by clearing my recent history through the Options dialog. On a second occasion, I was able to rule out "Browsing & Download History" and "Form & Search History", so I can say at this point that the problem can be fixed by clearing one or more of Cookies, Cache, "Active Logons", or "Site Preferences".

Oh, in all cases, I selected "Everything" for the time period to clear.

23 REPLIES
SUMO Contributor

Re: Why won't Firefox let me add an exception?

Actually, your question is a bit different. It seems to be a contradiction to display the SSL error page but then say that no exception needs to be added. Can you copy and paste the error here?

Could you remove the previously approved certificate here and try adding it again?

Tools > Options > Advanced > Encryption sub-tab > View Certificates button > Servers tab

--- Earlier Comment Deleted ---

New User

Re: Why won't Firefox let me add an exception?

Thanks.

I already tried removing the old certificate, more than once (different systems/sites). Yes it is a contradiction; that's the bug.

One message says "This Connection is Untrusted" and the next one says "Valid Certificate This site provides valid, verified identification. There is no need to add an exception."? The last one is the error. I know the site doesn't have a valid certificate.

SUMO Contributor

Re: Why won't Firefox let me add an exception?

You might want to make a backup before proceeding. See Backing up your information for suggestions.

The certificate store in your Firefox profile might have become corrupted. You could try renaming the cert8.db file in your existing profile folder to hide previously stored certificates, then start Firefox and try again. To locate your profile folder, see Profiles | How to | Firefox Help.

If the problem recurs, perhaps it is some add-on or setting? You could test by accessing the test site with a new (blank) profile. This article describes starting up to the profile manager where you can create a new blank profile: Managing profiles. To switch the default back to your existing profile, restart to the profile manager.

Any luck?

New User

Re: Why won't Firefox let me add an exception?

It looks to me like Firefox 4 has a bug in its certificate retrieval system when accessing servers using SNI (I am using SNI on my server to run multiple virtual hosts with SSL using Apache). The reason I say this is because I am observing the following behavior:

https://www.giz-works.com - Untrusted Connection

Under 'Technical Details' I have the following information:

www.giz-works.com uses an invalid security certificate.

The certificate is only valid for the following names:

 ssl1test.giz-works.com , giz-works.com  

The certificate expired on 10/01/2010 05:32 PM. The current time is 06/08/2011 01:32 PM.

(Error code: ssl_error_bad_cert_domain)

This info is correct; the cert has expired. Because I'm too lazy to renew it just now, I click on 'Add Exception', which pops up the dialog that lets me add an exception. That dialog has the 'Confirm Security Exception' button grayed out, because it says the certificate is valid. Only problem is, the certificate it's saying is valid is NOT the certificate that it previously complained about. The certificate that shows when I click 'View...' under 'Certificate Status' heading in the dialog, is the default certificate for that web server, 'www.aoaforums.com' and THAT certificate IS valid.

In other words, it looks like FF4 is correctly doing the SNI negotiation to display the initial error, but then is NOT doing the SNI negotiation when retrieving the cert info to make the exception for. Why it needs to make a separate request when it should already have the required info, I really don't understand, but that's certainly what it LOOKS like.

Only solution appears to be to get off my lazy duff and fix the cert on the www.giz-works.com URL.

SUMO Contributor

Re: Why won't Firefox let me add an exception?

"Only problem is, the certificate it's saying is valid is NOT the certificate that it previously complained about."

That seems wrong. There is a setting as to whether to fetch the problem certificate automatically when showing the Add Exception dialog, or require you to click the Get Certificate button (see http://kb.mozillazine.org/Browser.ssl_override_behavior). If you click Get Certificate, does it correctly show as expired?

Of course, wrong information shouldn't be in there at any time, so there could be a bug in that dialog if it neither loads the correct info nor clears prior info.

New User

Re: Why won't Firefox let me add an exception?

No, I get the same info after I click 'Get Certificate' as I got before clicking 'Get Certificate': it shows the aoaforums.com certificate information instead of the giz-works.com certificate info.

New User

Re: Why won't Firefox let me add an exception?

Some additional information: This is on FF 4.0.1 running on Fedora 15 with all the current patches. I do not currently have any other Firefox extensions loaded.

If I go to the 'Edit' Menu and select 'Preferences', then select the 'Advanced' settings in the 'Preferences' dialog, then select the 'Servers' tab, and the 'Add Exception' button, this brings up a dialog to manually add an exception. Manually enter the URL 'https://www.giz-works.com' and select 'Get Certificate' and I get the default certificate for the web server (www.aoaforums.com) NOT the certificate for www.giz-works.com.

Should I file a bugzilla on this?

SUMO Contributor

Re: Why won't Firefox let me add an exception?

Found it: you have TLS disabled, and SNI requires TLS.

Edit > Preferences > Advanced > Encryption tab

Check the box for "Use TLS 1.0"

Reload and try again. Fixed?

New User

Re: Why won't Firefox let me add an exception?

Doesn't work for me. I already have both protocols turned on.

And I now have three lab systems which Firefox will no longer allow me to log in to. I have no idea, so far, why it seems to randomly hit some and not others.

I think this is a Firefox 4 bug.