X
點擊此處開啟此網站的行動版。

技術支援討論區

Security certificate no longer valid after upgrading to latest FF.

已張貼

I upgraded to the very latest version of FF over the weekend and now I can't access a site I had been accessing for the following error: An error occurred during a connection to grdpmgr01.dmz.domainname.com:7799. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)

The certificate is self-signed. We have a similar problem with IE that we've worked around.

I upgraded to the very latest version of FF over the weekend and now I can't access a site I had been accessing for the following error: An error occurred during a connection to grdpmgr01.dmz.domainname.com:7799. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid) The certificate is self-signed. We have a similar problem with IE that we've worked around.

被選擇的解決方法

You can try to set security.use_mozillapkix_verification to false on the about:config page as a test to see if that has effect.

從原來的回覆中察看解決方案 19

額外的系統細節

已安裝的外掛程式

  • The plugin allows you to have a better experience with Microsoft Lync
  • The plugin allows you to have a better experience with Microsoft SharePoint
  • Next Generation Java Plug-in 11.5.2 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Shockwave Flash 14.0 r0
  • RealPlayer(tm) LiveConnect-Enabled Plug-In
  • RealPlayer Download Plugin
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Adobe Shockwave for Director Netscape plug-in, version 12.1.3.153
  • Adobe PDF Plug-In For Firefox and Netscape 11.0.07
  • SiteAdvisor
  • iTunes Detector Plug-in
  • 5.1.30214.0
  • Intel web components for Intel® Identity Protection Technology
  • Intel web components updater - Installs and updates the Intel web components
  • VMware Remote Console Plug-in
  • RealNetworks(tm) RealDownloader Chrome Background Extension Plug-In
  • RealNetworks(tm) RealDownloader PepperFlashVideoShim Plug-In
  • RealNetworks(tm) RealDownloader HTML5VideoShim Plug-In
  • RealDownloader Plugin
  • VMware Remote Console and Client Integration Plug-in

應用程式

  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0

更多資訊

ricardodev 1 個解決方法 4 個答案

Other possible solution that doesn't make Firefox generally unsafer is Deleting or Distrusting the "problematic" certificates from the Authorities and add it again.

Please refer to [post]

Other possible solution that doesn't make Firefox generally unsafer is Deleting or Distrusting the "problematic" certificates from the Authorities and add it again. Please refer to [[https://support.mozilla.org/en-US/questions/1012728#answer-616338|this post]]

由 ricardodev 於 修改

mrwboilers 0 個解決方法 5 個答案

Thanks for the reply. I submitted a suggestion to the feedback site.

I'm not sure I'd consider this issue resolved. I'm having the same issue on the latest version of Firefox. Disabling security for every site doesn't seem like a valid work around to me.

Thanks for the reply. I submitted a suggestion to the feedback site. I'm not sure I'd consider this issue resolved. I'm having the same issue on the latest version of Firefox. Disabling security for every site doesn't seem like a valid work around to me.
mrwboilers 0 個解決方法 5 個答案

Ok, I guess this isn't as bad as I thought. I thought disabling the mozillapkix_verification setting would disable security checks. That's not the case. It still warns you of a bad certificate, but gives you the option to proceed anyway -- which is how it should be by default (in my opinion.) So I guess this can be marked as resolved.

Ok, I guess this isn't as bad as I thought. I thought disabling the mozillapkix_verification setting would disable security checks. That's not the case. It still warns you of a bad certificate, but gives you the option to proceed anyway -- which is how it should be by default (in my opinion.) So I guess this can be marked as resolved.
Farbauti 0 個解決方法 6 個答案

Now it happend!

I updated to FF 33.x to check, and indeed - I'm no longer able to access my own Router as it holds its own self-signed certificate. There is no "add exception" in FF any longer and the security.use_mozillapkix_verification=false workaround is also not working.

So, thank you Mozilla, it was a pleasure using FF the last years, but now it is time to turn to a handy browser that actually can be used.

Now it happend! I updated to FF 33.x to check, and indeed - I'm no longer able to access my own Router as it holds its own self-signed certificate. There is no "add exception" in FF any longer and the security.use_mozillapkix_verification=false workaround is also not working. So, thank you Mozilla, it was a pleasure using FF the last years, but now it is time to turn to a handy browser that actually can be used.
Tyler Downer
  • Top 25 Contributor
  • Moderator
1538 個解決方法 10735 個答案

You should contact your router company to see if there is an update for its software, and second, you access your router that much that you will switch browsers entirely? At the very least, you could use IE for your router (I access min about once a year to update firmware) and Firefox the rest of the year.

You should contact your router company to see if there is an update for its software, and second, you access your router that much that you will switch browsers entirely? At the very least, you could use IE for your router (I access min about once a year to update firmware) and Firefox the rest of the year.

提出問題者

I think we're missing the point in many of the replies. Self-signed certificates are not unusual. I've worked with many of them. The over-arching issue is how do FF users deal with these certificates? Yes, they're a security hole -- a BIG one -- and every user has to decide how to deal with that issue. We can't take the position that only Mozilla Firefox developers know the way, the truth and the right.

I've seen all the answers and the vehemence in some of the replies should be a clue that there has to be an accommodation or risk losing a large number of dedicated users, including this one.

I think we're missing the point in many of the replies. Self-signed certificates are not unusual. I've worked with many of them. The over-arching issue is how do FF users deal with these certificates? Yes, they're a security hole -- a BIG one -- and every user has to decide how to deal with that issue. We can't take the position that only Mozilla Firefox developers know the way, the truth and the right. I've seen all the answers and the vehemence in some of the replies should be a clue that there has to be an accommodation or risk losing a large number of dedicated users, including this one.
Farbauti 0 個解決方法 6 個答案

I simply don't want to support/encourage senseless "improvements"!

I mean what was wrong with the old procedure? Untrusted cert -> warning and option to add an exception.

I simply don't want to support/encourage senseless "improvements"! I mean what was wrong with the old procedure? Untrusted cert -> warning and option to add an exception.
mrwboilers 0 個解決方法 5 個答案

That sounds reasonable if you have just that one router to deal with. I have IPMI (DRAC, ILO, etc.) on over 100 servers to deal with, plus a few other appliances as well. All of these are only available on my internal network (no route to/from the internet) so I'm not concerned about security so much. So I have no interest in managing their certificates. I'm just sick of having to switch to a different browser every time I need to get to one of these.

Did the security.use_mozillapkix_verification setting go away? Setting that to false worked fine for me, but on a new installation of Firefox, I don't even see that setting anymore.

Please make the default (or even only) setting to warn about a bad cert, but with the option to go to the site anyway. If you start dictating to people which sites they can and can't go to, you're gonna have a bad time.

That sounds reasonable if you have just that one router to deal with. I have IPMI (DRAC, ILO, etc.) on over 100 servers to deal with, plus a few other appliances as well. All of these are only available on my internal network (no route to/from the internet) so I'm not concerned about security so much. So I have no interest in managing their certificates. I'm just sick of having to switch to a different browser every time I need to get to one of these. Did the security.use_mozillapkix_verification setting go away? Setting that to false worked fine for me, but on a new installation of Firefox, I don't even see that setting anymore. Please make the default (or even only) setting to warn about a bad cert, but with the option to go to the site anyway. If you start dictating to people which sites they can and can't go to, you're gonna have a bad time.
user619333 0 個解決方法 7 個答案

I totally agree with Bill here. There must be a better way for self signed certificate cannot they just be added under the personal store and be trusted?

There is still a wide use of self signed certificate for internal network and going ahead might even be a heavier use since the cab forum changed the rules of how internal domains are to be secured.

I totally agree with Bill here. There must be a better way for self signed certificate cannot they just be added under the personal store and be trusted? There is still a wide use of self signed certificate for internal network and going ahead might even be a heavier use since the cab forum changed the rules of how internal domains are to be secured.
user619333 0 個解決方法 7 個答案

Just for the records I work with client certificates issued from a CA and since FF32 I started having huge problems with that. In that case it was enough for me to re-import all my certs and I kept working.

Once FF33 arrived I think something went wrong during the update and not only all my certs were wiped but also I was not able to import any of them.

The only thing that resolved was creating a new user profile. Hope this helps tracking the cause it really seemed something went wrong in the moving of the certificate store or with the permission...don't know.

Just for the records I work with client certificates issued from a CA and since FF32 I started having huge problems with that. In that case it was enough for me to re-import all my certs and I kept working. Once FF33 arrived I think something went wrong during the update and not only all my certs were wiped but also I was not able to import any of them. The only thing that resolved was creating a new user profile. Hope this helps tracking the cause it really seemed something went wrong in the moving of the certificate store or with the permission...don't know.
cor-el
  • Top 10 Contributor
  • Moderator
17578 個解決方法 159012 個答案

Next week a special Firefox 33.1 version (Firefox 10th anniversary) will be released that includes some fixes that may help with certificate issues. So keep an eye on that.

Next week a special Firefox 33.1 version (Firefox 10th anniversary) will be released that includes some fixes that may help with certificate issues. So keep an eye on that.
Farbauti 0 個解決方法 6 個答案

Yay, with FF 33.1 it works - again.

:-)

Glad to see that this former 'improvment' was classified as a bug worth fixing, in the end. Thank you.

Yay, with FF 33.1 it works - again. :-) Glad to see that this former 'improvment' was classified as a bug worth fixing, in the end. Thank you.
clandau 0 個解決方法 2 個答案

I still have no way to access a site with a self-signed certificate. security.use_mozillapkix_verification seems to be gone from the about:config page beginning in FF 3.3. And there is still no "I understand the risks" option.

I still have no way to access a site with a self-signed certificate. security.use_mozillapkix_verification seems to be gone from the about:config page beginning in FF 3.3. And there is still no "I understand the risks" option.
jscher2000
  • Top 10 Contributor
8792 個解決方法 71920 個答案

Hi clandau, can you give a link to the problem site?

Hi clandau, can you give a link to the problem site?
clandau 0 個解決方法 2 個答案

I now have FireFox 35.0, and it seems to be working. I can access the site with a self-signed certificate.

I now have FireFox 35.0, and it seems to be working. I can access the site with a self-signed certificate.