Closed Bug 1037080 Opened 7 years ago Closed 5 years ago

Can't login to StartCom control panel due to "ssl_error_unknown_ca_alert" error


(Core :: Security: PSM, defect)


(Reporter: RyanVM, Unassigned)



My StartCom certificate is due to expire shortly. However, when I try to login to their control panel to generate an updated one, I'm getting the following error:

An error occurred during a connection to Peer does not recognize and trust the CA that issued your certificate. (Error code: ssl_error_unknown_ca_alert)
Ryan, for (new profile) I am getting:
Error code: ssl_error_handshake_failure_alert on FF 33 and FF 31 (OSX)
Presumably you need to have an existing cert installed to get the error I'm getting. They use the installed cert for authentication rather than a username/password.
Same issue here. I can't login to StartCom with my valid client certificate. I tried removing other client certificates but still the same.
However, when I tried importing the same certificate into a portable version of Firefox 31 it all worked fine. I guess it would be worth trying to duplicate the issue with plugins/addons off to see if it's caused by settings or something in Certificate Manager.
I have followed this page:

And removing the "Software Security Device" CAs helped (Firefox 31.0).
I have the same issue, this used to work in previous Firefox and probably stopped working with PKIX (my guess). I have a valid client certificate installed which used to work for authentication and is not expired.
Confirmed comment 4 as a possible fix. It seems that some stored CA or intermediate for StartCom caused the issue. I deleted all except the built-in ones and it's working now.
I addressed my problem by removing only the StartCom Ltd entries for "Software Security Device".
Worked for me as well, removing all Software Security Device entries for StartCom Ltd.
The solution in comment 4 worked for me as well. I wonder how it came this way.
It's a bit scary, but yes, removing all "Software Security Device"s listed under "SmartCom" will resolve this problem.
Fwiw, encountered the same issue with 33.0 using my regular profile filled with junk from the past years - importing the .p12 file into an empty new profile in 33.0 or 31.2.0 works around the issue.
I've observed this issue with the default Firefox 33.0 package under Fedora 20. Workaround from comment 4 (i.e. removing all 'Software Security Device's under node 'StartCom Ltd.', which is accessible in the tree view at Edit->Preferences->Advanced->Certificates->View Certificates->Authorities at node 'StartCom Ltd.') did resolve this issue.
Experienced this as well, not only on the Auth panel, but also on my very own server that checked for client certificates (and actually processed a CA request on them).

This fix solved my issue.

I think removing the "software security device" certificates upon session ending would solve a lot of those issues. The certificates are automatically downloaded from the webserver when needed, and shouldn't stay there anyway in my opinion.

I don't know if the ones you import yourself are in the same "software security device" category, but if so, maybe create a supplementary field only for the manually imported ones, that wouldn't be wiped across reloads.
Same issue here, comment #4 worked for me as well.

I had to revoke trust for "StartCom Class 1 Primary Intermediate Client CA" in order to be able to sign in again.
Same issue here with Firefox 34.0, and the workaround in comment #4 worked fine. I deleted about 8 "Software Security Device" entries in the list of CAs under StartCom.
Same here, Firefox Nightly 37, workaround works fine
On Firefox 31.3. I don't have "Software Security Device" entries, but I found Dennis's suggestion to remove "StartCom Class 1 Primary Intermediate Client CA" solved the problem for me.
Had to remove the "StartCom Class 1 Primary Intermediate Client CA" certificate as well. This is a SHA1 certificate while the CA and the client certificates are signed with SHA-256.

After removal, Wireshark reveals that the SHA1-signed intermediate and SHA-256-signed root CA certificates are not sent anymore (just the client certificate).
Hey, what are Firefox people waiting for to update the trust store with the right certificate?!

You should update the "StartCom Class 1 Primary Intermediate Client CA" and probably other…

Duplicate of this bug: 1089323
I can confirm that comment #4 worked for me. The crucial bit that might have people doubting is to delete all _StartCom_ CA entries that mention the Software Security Device - leave everything else intact.
#4 worked for me too.
I also ran into this. Comment 4 did the trick.
As said in #4, the fix is to delete the following entries:
That fixed the problem also for me, thanks
StartCom's server is closing the connection in these cases. Until that's fixed, use the workaround as documented in various comments in this bug.
Closed: 5 years ago
Resolution: --- → INVALID