Closed
Bug 1037080
Opened 7 years ago
Closed 5 years ago
Can't login to StartCom control panel due to "ssl_error_unknown_ca_alert" error
Categories
(Core :: Security: PSM, defect)
RESOLVED
INVALID
People
(Reporter: RyanVM, Unassigned)
My StartCom certificate is due to expire shortly. However, when I try to log in to their control panel to generate an updated one, I'm getting the following error: "An error occurred during a connection to auth.startssl.com. Peer does not recognize and trust the CA that issued your certificate. (Error code: ssl_error_unknown_ca_alert)"
Comment 1•7 years ago
Ryan, for https://auth.startssl.com/ (new profile) I am getting: Error code: ssl_error_handshake_failure_alert on FF 33 and FF 31 (OSX), and ERR_SSL_PROTOCOL_ERROR on Chrome 35 (OSX).
Comment 2•7 years ago (Reporter)
Presumably you need to have an existing cert installed to get the error I'm getting. They use the installed cert for authentication rather than a username/password.
Comment 3•7 years ago
Same issue here. I can't log in to StartCom with my valid client certificate. I tried removing other client certificates but it's still the same. However, when I tried importing the same certificate into a portable version of Firefox 31, it all worked fine. I guess it would be worth trying to duplicate the issue with plugins/addons off to see if it's caused by settings or something in Certificate Manager.
Comment 4•7 years ago
I have followed this page: https://forum.startcom.org/viewtopic.php?f=15&t=2522&start=0&st=0&sk=t&sd=a&sid=8e35c7ce6440a09fbf7e808e0444e579&view=print
And removing the "Software Security Device" CAs helped (Firefox 31.0).
Comment 5•7 years ago
I have the same issue, this used to work in previous Firefox and probably stopped working with PKIX (my guess). I have a valid client certificate installed which used to work for authentication and is not expired.
Comment 6•7 years ago
Confirmed comment 4 as a possible fix. It seems that some stored CA or intermediate for StartCom caused the issue. I deleted all except the built-in ones and it's working now.
Comment 7•6 years ago
I addressed my problem by removing only the StartCom Ltd entries for "Software Security Device".
Comment 8•6 years ago
Worked for me as well, removing all Software Security Device entries for Startcom Ltd.
The solution in comment 4 worked for me as well. I wonder how it came this way.
Comment 10•6 years ago
It's a bit scary, but yes, removing all "Software Security Device"s listed under "StartCom" will resolve this problem.
Comment 11•6 years ago
Fwiw, encountered the same issue with 33.0 using my regular profile filled with junk from the past years - importing the .p12 file into an empty new profile in 33.0 or 31.2.0 works around the issue.
Comment 12•6 years ago
I've observed this issue with the default Firefox 33.0 package under Fedora 20. Workaround from comment 4 (i.e. removing all 'Software Security Device's under node 'StartCom Ltd.', which is accessible in the tree view at Edit->Preferences->Advanced->Certificates->View Certificates->Authorities at node 'StartCom Ltd.') did resolve this issue.
Comment 13•6 years ago
Experienced this as well, not only on the Auth panel, but also on my very own server that checked for client certificates (and actually processed a CA request on them). This fix solved my issue. I think removing the "software security device" certificates upon session ending would solve a lot of those issues. The certificates are automatically downloaded from the webserver when needed, and shouldn't stay there anyway in my opinion. I don't know if the ones you import yourself are in the same "software security device" category, but if so, maybe create a supplementary field only for the manually imported ones, that wouldn't be wiped across reloads.
Comment 14•6 years ago
Same issue here, comment #4 worked for me as well. I had to revoke trust for "StartCom Class 1 Primary Intermediate Client CA" in order to be able to sign in on startssl.com again.
Comment 15•6 years ago
Same issue here with Firefox 34.0, and the workaround in comment #4 worked fine, I deleted about 8 "Software Security Device" entries in the list of CAs under Startcom
Comment 16•6 years ago
Same here, Firefox Nightly 37, workaround works fine
Comment 17•6 years ago
On Firefox 31.3. I don't have "Software Security Device" entries, but I found that Dennis's suggestion to remove "StartCom Class 1 Primary Intermediate Client CA" solved the problem for me.
Comment 18•6 years ago
Had to remove the "StartCom Class 1 Primary Intermediate Client CA" certificate as well. This is a SHA1 certificate while the CA and the client certificates are signed with SHA-256. After removal, Wireshark reveals that the SHA1-signed intermediate and SHA-256-signed root CA certificates are not sent anymore (just the client certificate).
Comment 19•6 years ago
Hey, what are the Firefox people waiting for to update the trust store with the right certificate?! You should update the "StartCom Class 1 Primary Intermediate Client CA" and probably other… Thanks.
Comment 21•6 years ago
I can confirm that comment #4 worked for me. The crucial bit that might have people doubting is to delete all _StartCom_ CA entries that mention the Software Security Device - leave everything else intact.
Comment 22•6 years ago
#4 worked for me too.
Comment 23•6 years ago
I also ran into this. Comment 4 did the trick.
Comment 24•5 years ago
As said in #4, the fix is to delete the following entries: https://i.imgur.com/QNgberS.png
Comment 25•5 years ago
That fixed the problem also for me, thanks
StartCom's server is closing the connection in these cases. Until that's fixed, use the workaround as documented in various comments in this bug.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
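Added example (not part of the bug report and not Mozilla's code): the "Software Security Device" entries removed in the workaround live in the profile's own NSS certificate database, which `certutil -L -d <profile directory>` lists. This Python sketch parses such a listing and flags StartCom CA entries that are not the user's own certificate. The sample listing is constructed; only the intermediate's name is taken from the comments above.

```python
import re

# Constructed sample of `certutil -L` output for a Firefox profile (not from the bug).
SAMPLE_LISTING = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

StartCom Class 1 Primary Intermediate Client CA              ,,
StartCom Certification Authority                             ,,
Example User's StartCom Ltd. ID                              u,u,u
Example Corp Internal CA                                     CT,C,
"""

# A data row is a nickname, whitespace, then three comma-separated flag groups.
# The two header lines do not match: one has no commas, the other contains "/".
ROW = re.compile(r"^(?P<nick>\S.*?)\s+(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_listing(text):
    """Return (nickname, trust_flags) tuples from a certutil -L listing."""
    entries = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            entries.append((match.group("nick"), match.group("flags")))
    return entries


def cached_ca_candidates(entries, keyword="StartCom"):
    """Nicknames containing `keyword` that lack the 'u' flag.

    'u' marks a certificate whose private key is in the database, i.e. the
    user's own client certificate, which must be kept for login to work.
    """
    return [
        nick for nick, flags in entries
        if keyword.lower() in nick.lower() and "u" not in flags
    ]


if __name__ == "__main__":
    for nickname in cached_ca_candidates(parse_listing(SAMPLE_LISTING)):
        print("locally stored CA entry to review:", nickname)
```

The output is a review list only; built-in roots are not part of this listing, which matches the comments that deleted everything "except the built-in ones".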