Search Support

PR_CONNECT_RESET_ERROR when browsing to our internal Thycotic Secret Server with own MS PKI issued certs

  • Akukho zimpendulo
  • 2 zinale nkinga
  • 15 views
more options

We have our own internal Microsoft certificate root authority and we have certs issued from it automatically to all of our Windows endpoints and servers. Our internal Thycotic Secret Server is one of these endpoints, and SS runs over IIS. I have many, many servers in our environment that are bound to these certificates, and they work just fine in Firefox. The cert for the Secret Server is just like all of the other certs in our enterprise. The certificate is fully valid and trusted in IE, Edge, Chrome and in Firefox. We have GPO's in place to ensure the CA Root Authority of our PKI and issuing server is trusted and the certs are compliant, fully standard and functional in all web browsers.

But this one server absolutely WILL NOT bring up a web page when we browse to Secret Server in Firefox. It stops cold with a PR_CONNECT_RESET_ERROR, and there is no option to bypass it whatsoever. We don't have these issues with other servers using the same type of certs. We don't have this issue with any other browsers - only Firefox. I've even generated a wildcard cert that works everywhere on our internal domain, in all browsers, but if I bind it in IIS on the Secret Server, it just won't work.

I've worked with Thycotic support, and they have no solutions, only to point their fingers at the browser, because the error is in the browser, and not from the web server (even though they can't see any errors from the web server, because no page ever gets displayed.

I'm stumped on this, and because it works everywhere except for this browser on this server (and this happens on ANY workstation in our environment - existing or brand new Firefox install), I can't understand what is causing this. Is there anything I can look at in some logs, config file or somewhere else?

I did see an option in the SS config to disable HSTS, and I tried to disable that, but it didn't make any difference. I'm still fully inclined to point the finger at Thycotic and their software, but since they can't replicate the issue on their end, they refuse to accept any ownership in resolving this.

If anyone has anything to offer, I would greatly appreciate it. I would really like Firefox to be my one and only daily driver web browser, but because the server that serves up the passwords for the accounts, endpoints and websites in our environment doesn't work, it kinda makes it difficult to use, or recommend to others.

Ama-screenshot ananyekiwe

Okulungisiwe ngu Glenn Berkshier

Kufanele ulogele ukungena ku-akhawunti yakho ukuze uphendule amaphosti. Uyacelwauqale umbuzo omusha, uma ungekabi nayo i-akhawunti namanje.