Receiving 403/403.7 certificate errors from certain sites with new CAC card
Hello,
Whether or not I use CoolKey in Linux or ActivClient in windows, since getting a new CAC/smartcard, I cannot use various DoD and gov sites with Firefox in Linux or Windows.
For instance, I cannot access https://www.bol.navy.mil or https://mypay.dfas.mil/mypay.aspx (click on smartcard login). Although both sites prompt for my CAC pin, they do not allow me to choose a certificate, despite that setting being pressed, and just fail with such errors as:
403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.
or
Error Code: 403 Forbidden. The page requires a client certificate as part of the authentication process. If you are using a smart card, you will need to insert your smart card to select an appropriate certificate. Otherwise, contact your server administrator. (12213)
---
AKO/Army Knowledge Online/NKO work fine, prompting for my CAC pin, and then prompting for which cert I want to use.
This has all started since I got a new CAC card last week.
When I use IE in Windows, all of the sites work fine. However, that's obviously not a solution, as I don't want to have to use vbox every time I want to access one of these sites.
The issue is in both win and Linux Firefox. I even tried Firefox on an Ubuntu live cd, and the same problem occurred, so it's not a cached cookie/cert issue either.
Any ideas?
所有回复 (3)
Try to rename the cert8.db file in the Firefox profile folder to cert8.db.old or delete the cert8.db file to remove intermediate certificates that Firefox has stored.
If that helped to solve the problem then you can remove the renamed cert8.db.old file. Otherwise you can rename (or copy) the cert8.db.old file to cert8.db to restore the previous intermediate certificates. Firefox will automatically store intermediate certificates when you visit websites that send such a certificate.
If that didn't help then remove or rename secmod.db (secmod.db.old) as well.
You can use this button to go to the currently used Firefox profile folder:
- Help > Troubleshooting Information > Profile Directory: Show Folder (Linux: Open Directory; Mac: Show in Finder)
- http://kb.mozillazine.org/Profile_folder_-_Firefox
I have tried this with new firefox profiles, in virtualbox with win32 firefox, etc.
Regardless, I removed both files and tried what you said, with the same problem.
This problem continues to occur. Some .mil or .gov sites work, whereas others give such errors as:
The page requires a client certificate
The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server will recognize. The client certificate is used for identifying you as a valid user of the resource. Please try the following:
Contact the Web site administrator if you believe you should be able to view this directory or page without a client certificate, or to obtain a client certificate. If you already have a client certificate, use your Web browser's security features to ensure that your client certificate is installed properly. (Some Web browsers refer to client certificates as browser or personal certificates.) HTTP Error 403.7 - Forbidden: SSL client certificate is required. Internet Information Services (IIS)
All these same sites work with IE. The sites that don't work don't even prompt for a certificate with Firefox, they just go straight to failing.