Secure Connection Failed (Error code: sec_error_ca_cert_invalid)

Posted

Hello

I'm having troubles accessing HP iLO with FF 36.0 on Ubuntu 14.04 LTS, getting the following error message:

========================

Secure Connection Failed

An error occurred during a connection to 172.25.X.X. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)

   The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
   Please contact the website owners to inform them of this problem.
========================

It seems to work with other browsers such as Chromium, so the problem seems to be FF 36.0. Unfortunately, I don't have an "Add exception" button in FF that would allow me to bypass this warning.

I've already followed the following links:

  • https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
  • https://support.mozilla.org/en-US/kb/troubleshoot-extensions-themes-to-fix-problems

But I didn't manage to get it to work. Any idea how to get it fixed?


Additional system details

Installed plug-ins

  • DivX Web Player version 1.4.0.233
  • Next Generation Java Plug-in 11.31.2 for Mozilla browsers
  • The Videos 3.10.1 plugin handles video and audio streams.
  • Shockwave Flash 11.2 r202
  • This plug-in detects the presence of iTunes when opening iTunes Store URLs in a web page with Firefox.

Application

  • User agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0


guigs 1072 solutions 11697 answers
Posted

Hi hansende,

Is this happening for just this cert connection? Is there a proxy being used? And if you change the Network Settings to "No Proxy"

In order to make sure that the certificate is compatible with the security settings built into Firefox, it is possible to look at the Certificate for the site from the url bar.

  1. Right Click on the page and select "Page Info"
  2. Click on Security and "View Certificate"

The CA certificate policy can be referenced: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

Question owner

Hi guigs2

I have a bunch of other (newer) HP servers with iLO enabled. Seems to work fine there.

guigs2 said

  1. Right Click on the page and select "Page Info"
  2. Click on Security and "View Certificate"

Under the tab security I don't have an option View Certificate (I guess because the SSL connection couldn't get established, so no certificate info could be received?). But this might help:

==============

$ openssl s_client -connect X.X.X.X:443
CONNECTED(00000003)
depth=1 /C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=<redacted>/OU=ISS/O=Hewlett-Packard Company/L=Houston/ST=Texas/C=US
   i:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
 1 s:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
   i:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
---
Server certificate
-----BEGIN CERTIFICATE-----
<redacted>
-----END CERTIFICATE-----
subject=/CN=<redacted>/OU=ISS/O=Hewlett-Packard Company/L=Houston/ST=Texas/C=US
issuer=/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
---
No client certificate CA names sent
---
SSL handshake has read 1919 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: <redacted>
    Session-ID-ctx: 
    Master-Key: <redacted>
    Key-Arg   : None
    Start Time: <redacted>
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
==============

Regards

guigs2 said

The CA certificate policy can be referenced: https://www.mozilla.org/en-US/about/g.../policy/

Not sure what I should do with that. This is default, self-signed SSL certificate that comes out of the box when buying a HP server. Here's the certificate from a working iLO 4 interface:

-> Not working (iLO ? - HP ProLiant DL360 Gen7)
-> Working (iLO 4 - HP ProLiant DL360 Gen9)

==============

$ openssl s_client -connect X.X.X.X:443
CONNECTED(00000003)
depth=0 /CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
   i:/CN=iLO Default Issuer (Do not trust)/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
---
Server certificate
-----BEGIN CERTIFICATE-----
<redacted>
-----END CERTIFICATE-----
subject=/CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
issuer=/CN=iLO Default Issuer (Do not trust)/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
---
No client certificate CA names sent
---
SSL handshake has read 852 bytes and written 307 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: <redacted>
    Session-ID-ctx: 
    Master-Key: <redacted>
    Key-Arg   : None
    Start Time: <redacted>
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
==============

Regards

cor-el
  • Top 10 Contributor
  • Moderator
17532 solutions 158531 answers
Posted

Helpful reply

You can no longer use RC4 cipher suites, these are considered deprecated. So you can't connect to servers that only offer SSL3 and RC4 certificate.

  • https://developer.mozilla.org/en-US/Firefox/Releases/36/Site_Compatibility#Security

This is now a standard:

  • RFC 7465 - Prohibiting RC4 Cipher Suites: https://tools.ietf.org/html/rfc7465
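
Added example (not part of the original thread or any poster's code): a bash function that triages saved `openssl s_client` output like the two captures posted above and flags the legacy parameters visible in them. The function names, finding labels and the 2048-bit key threshold are assumptions of this example; the sample input is constructed from lines of the first capture.

```shell
#!/usr/bin/env bash
# Added example: flag legacy TLS parameters in saved `openssl s_client` output.
# Function names and finding labels are hypothetical, not from any tool.

audit_s_client() {   # reads s_client text on stdin, prints one finding per line
  awk '
    /^ *Protocol *:/                        { proto = $NF }
    /^ *Cipher *:/                          { cipher = $NF }
    /Server public key is/                  { bits = $5 }
    /Secure Renegotiation IS NOT supported/ { noreneg = 1 }
    /i:.*Default Issuer/                    { factory = 1 }
    /Verify return code:/ { sub(/^.*Verify return code: */, ""); verify = $0 }
    END {
      if (proto ~ /^(SSLv2|SSLv3|TLSv1|TLSv1[.]1)$/) print "LEGACY_PROTOCOL " proto
      if (cipher ~ /RC4/)                   print "RC4_CIPHER " cipher
      if (cipher ~ /DES/)                   print "DES_FAMILY_CIPHER " cipher
      if (bits != "" && bits + 0 < 2048)    print "SHORT_KEY " bits
      if (noreneg)                          print "NO_SECURE_RENEGOTIATION"
      if (factory)                          print "FACTORY_DEFAULT_ISSUER"
      if (verify != "" && verify !~ /^0 /)  print "VERIFY_FAILED " verify
    }'
}

sample_gen7() {      # constructed sample, abridged from the first capture in the thread
  cat <<'EOF'
Certificate chain
 0 s:/CN=<redacted>/OU=ISS/O=Hewlett-Packard Company/L=Houston/ST=Texas/C=US
   i:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
EOF
}

# Stand-alone run: print the findings for the constructed sample.
sample_gen7 | audit_s_client
```

To check a live management interface, pipe a saved capture into `audit_s_client` instead of the sample.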

Question owner

Hummmm ok, so what should I do with all my HP ProLiant DL360 Gen7 servers that are hosted in a DC 1000 miles away from here? I'm no longer able to administrate them (which means that I'm also not able to generate a new SSL certificate for iLO).

How can I re-enable rc4 in FF?

Saurav 4 solutions 39 answers
Posted

Have you run an update on Ubuntu?

Please run these commands in a terminal:

  1. apt-get update
  2. apt-get upgrade -y

Last week there were some updates related to certificates.


Edited by Saurav

Question owner

@Saurav: Yep, my Ubuntu is up to date. I can't find any way to re-enable RC4 in FF :-(

Saurav 4 solutions 39 answers
Posted

Hello

  1. Go to navigation bar and type about:config
  2. search rc4

Set all to false.

Hopefully it solves your problem.


Edited by Saurav

Question owner

Saurav said

Hello
  1. Go to navigation bar and type about:config
  2. search rc4
Set all to false. Hopefully it solves your problem.

Done, & restarted FF. Still doesn't work :-(

guigs 1072 solutions 11697 answers
Posted

Ya they are all default set to true, and it's not a great experience that you have had to wait this long without being able to administrate the servers.

I do not want to recommend this as a permanent solution, however using a working older version of Firefox in the meantime might be a good way to update the security. Back up and restore information in Firefox profiles and Install an older version of Firefox

guigs 1072 solutions 11697 answers
Posted

Helpful reply

I have a better answer, upgrade to version 37 via bug 1138332


Question owner

I can confirm that upgrading to FF 37 solved this problem. Thanks!
