Can't login to StartCom control panel due to "ssl_error_unknown_ca_alert" error

RESOLVED INVALID


People

(Reporter: RyanVM, Unassigned)

(Reporter)

Description

5 years ago
My StartCom certificate is due to expire shortly. However, when I try to log in to their control panel to generate an updated one, I'm getting the following error:

An error occurred during a connection to auth.startssl.com. Peer does not recognize and trust the CA that issued your certificate. (Error code: ssl_error_unknown_ca_alert)

Ryan, for https://auth.startssl.com/ (new profile) I am getting:
Error code: ssl_error_handshake_failure_alert on FF 33 and FF 31 (OSX)
ERR_SSL_PROTOCOL_ERROR on Chrome 35 (OSX)
(Reporter)

Comment 2

5 years ago
Presumably you need to have an existing cert installed to get the error I'm getting. They use the installed cert for authentication rather than a username/password.

Comment 3

5 years ago
Same issue here. I can't log in to StartCom with my valid client certificate. I tried removing other client certificates but still the same.
However, when I tried importing the same certificate into a portable version of Firefox 31, it all worked fine. I guess it would be worth trying to duplicate the issue with plugins/addons off to see if it's caused by settings or something in Certificate Manager.

Comment 4

5 years ago
I have followed this page:
https://forum.startcom.org/viewtopic.php?f=15&t=2522&start=0&st=0&sk=t&sd=a&sid=8e35c7ce6440a09fbf7e808e0444e579&view=print

And removing the "Software Security Device" CAs helped (Firefox 31.0).

I have the same issue, this used to work in previous Firefox and probably stopped working with PKIX (my guess). I have a valid client certificate installed which used to work for authentication and is not expired.

Confirmed comment 4 as a possible fix. It seems that some stored CA or intermediate for StartCom caused the issue. I deleted all except the built-in ones and it's working now.

Comment 7

5 years ago
I addressed my problem by removing only the StartCom Ltd entries for "Software Security Device".

Worked for me as well, removing all Software Security Device entries for StartCom Ltd.

Comment 9

5 years ago
The solution in comment 4 worked for me as well. I wonder how it came this way.

Comment 10

5 years ago
It's a bit scary, but yes, removing all "Software Security Device"s listed under "StartCom" will resolve this problem.

Fwiw, encountered the same issue with 33.0 using my regular profile filled with junk from the past years - importing the .p12 file into an empty new profile in 33.0 or 31.2.0 works around the issue.

Comment 12

5 years ago
I've observed this issue with the default Firefox 33.0 package under Fedora 20. Workaround from comment 4 (i.e. removing all 'Software Security Device's under node 'StartCom Ltd.', which is accessible in the tree view at Edit->Preferences->Advanced->Certificates->View Certificates->Authorities at node 'StartCom Ltd.') did resolve this issue.

Comment 13

5 years ago
Experienced this as well, not only on the Auth panel, but also on my very own server that checked for client certificates (and actually processed a CA request on them).

This fix solved my issue.

I think removing the "software security device" certificates upon session ending would solve a lot of those issues. The certificates are automatically downloaded from the webserver when needed, and shouldn't stay there anyway in my opinion.

I don't know if the ones you import yourself are in the same "software security device" category, but if so, maybe create a supplementary field only for the manually imported ones, that wouldn't be wiped across reloads.

Comment 14

5 years ago
Same issue here, comment #4 worked for me as well.

I had to revoke trust for "StartCom Class 1 Primary Intermediate Client CA" in order to be able to sign in on startssl.com again.

Same issue here with Firefox 34.0, and the workaround in comment #4 worked fine. I deleted about 8 "Software Security Device" entries in the list of CAs under StartCom.

Comment 16

4 years ago
Same here, Firefox Nightly 37, workaround works fine

Comment 17

4 years ago
On Firefox 31.3. I don't have "Software Security Device" entries, but I found that Dennis's suggestion to remove "StartCom Class 1 Primary Intermediate Client CA" solved the problem for me.

Comment 18

4 years ago
Had to remove the "StartCom Class 1 Primary Intermediate Client CA" certificate as well. This is a SHA1 certificate while the CA and the client certificates are signed with SHA-256.

After removal, Wireshark reveals that the SHA1-signed intermediate and SHA-256-signed root CA certificates are not sent anymore (just the client certificate).

Hey, what are the Firefox people waiting for to update the trust store with the right certificate?!

You should update the "StartCom Class 1 Primary Intermediate Client CA" and probably other…

Thanks.

Updated

4 years ago
Duplicate of this bug: 1089323

Comment 21

4 years ago
I can confirm that comment #4 worked for me. The crucial bit that might have people doubting is to delete all _StartCom_ CA entries that mention the Software Security Device - leave everything else intact.

#4 worked for me too.

I also ran into this. Comment 4 did the trick.

Comment 24

4 years ago
As said in #4, the fix is to delete the following entries: https://i.imgur.com/QNgberS.png

Comment 25

4 years ago
That fixed the problem also for me, thanks

StartCom's server is closing the connection in these cases. Until that's fixed, use the workaround as documented in various comments in this bug.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
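
The workaround used throughout this bug (removing the StartCom CA entries held in the profile's "Software Security Device"), as an added example that is not part of the original bug thread: it parses the listing printed by NSS `certutil -L -d <profile>` and builds the `certutil -D` command for each StartCom entry that carries no trust flags. The sample listing and its nicknames are constructed, `PROFILE_DIR` is a placeholder, and treating an empty trust field as "cached intermediate" is an assumption of this example.

```python
import re
import shlex

# Constructed sample of `certutil -L -d <profile>` output (not taken from the bug).
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

StartCom Class 1 Primary Intermediate Client CA              ,,
StartCom Class 2 Primary Intermediate Server CA              ,,
StartCom Certification Authority                             CT,C,C
Example User's StartCom Ltd. ID                              u,u,u
Example Org Internal CA                                      ,,
"""

# A data row is "<nickname>  <SSL>,<S/MIME>,<JAR/XPI>"; header lines do not match.
ROW = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_listing(text):
    """Return (nickname, trust_flags) pairs from certutil -L output."""
    return [(m.group("nick"), m.group("trust"))
            for m in map(ROW.match, text.splitlines()) if m]


def removal_candidates(rows, issuer="StartCom"):
    """Nicknames of issuer entries with no trust flags at all.

    Assumption: an empty trust field (",,") marks an intermediate cached in
    the profile; the user's own certificate ("u") and any CA with explicit
    trust flags are left alone.
    """
    return [nick for nick, trust in rows
            if issuer in nick and not trust.replace(",", "")]


def delete_commands(nicknames, profile_dir="PROFILE_DIR"):
    """Build (not run) one certutil -D command per nickname."""
    return ["certutil -D -d %s -n %s" % (shlex.quote(profile_dir), shlex.quote(n))
            for n in nicknames]


if __name__ == "__main__":
    for cmd in delete_commands(removal_candidates(parse_listing(SAMPLE_LISTING))):
        print(cmd)
```

Review the printed commands before running any of them, and run them only against a backed-up profile with Firefox closed.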