XPI is not getting installed with error "The add-on could not be downloaded because of a connection failure" when application is accessed using "https"

RESOLVED WORKSFORME

Status

()

--
blocker
RESOLVED WORKSFORME
3 years ago
3 years ago

People

(Reporter: narayana.grandhi, Unassigned)

Tracking

45 Branch
x86_64
Windows 8.1
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce:

We have an application which as Firefox extension (.XPI) packaged. We expose this XPI as URL and End users can install this XPI after logging into our application. 

This XPI has been signed by Mozilla APIs and it gets installed successfully when the application is accessed using "http" protocol.

But, when we access the application using "https", XPI installation fails with error "The add-on could not be downloaded because of a connection failure"

This failure is happening in both the below cases:
1. When self-signed certificate (created using java keytool) is used as SSL certificate
2. When certificate is signed with local root/intermediate certs. These root CA & intermediate certs are manually imported to Firefox -> Advanced -> Certificates -> Certificate Manager -> Authorities tab -> Import


Actual results:

In both the scenarios mentioned above, with Firefox ESR 45.x & Firefox 47.x, XPI is not getting installed and fails with "The add-on could not be downloaded because of a connection failure"


Expected results:

We expect XPI installation go through successfully when we import root CA and intermediate certs to Authorities tab of Certificate Manager.

We also used extensions.update.requireBuiltInCerts=false and It didn't help.
(Reporter)

Comment 1

3 years ago
We are able to reproduce the same error in Firefox ESR 38.x, ESR 45.x & normal firefox 47.x consistently. Is extensions.update.requireBuiltInCerts flag is valid for the above mentioned versions?

Updated

3 years ago
Component: Untriaged → Add-ons Manager
Product: Firefox → Toolkit
(Reporter)

Comment 2

3 years ago
Can someone help with this? This is currently blocking our latest release with Firefox ESR 38 and above.
(Reporter)

Updated

3 years ago
Severity: normal → blocker
OS: Unspecified → Windows 8.1
Hardware: Unspecified → x86_64
(In reply to Narayana Rao, Grandhi from comment #0)
> We also used extensions.update.requireBuiltInCerts=false and It didn't help.

But this is for the install, not for an update.  Try setting extension.install.requireBuiltInCerts to false.

If that doesn't work, can you check that the browser is actually trusting all your certs?  (i.e., can you load a simple html page from the same server without any warnings?)
Flags: needinfo?(narayana.grandhi)
(Reporter)

Comment 4

3 years ago
Thank you Andrew. Will try the option extension.install.requireBuiltInCerts=false. looks like we didn't notice "update" vs "install".

Hoping both these extension.install.requireBuiltInCerts & extensions.update.requireBuiltInCerts properties are still valid and used by Firefox. These are not listed by default in about:config

Also, Issue we were noticing only with XPI installation. We were able to access the web application without issues and firefox confirms it as "Connection secure" (Green message/indicator)

Thanks,
Narayana
(Reporter)

Comment 5

3 years ago
using extensions.install.requireBuiltInCerts = false (Boolean about:config attribute) helped resolve the issue. We have imported our Root and Intermediate CA certs in Authorities tab with all options checked.

Thanks for quick help on this. We have this extensions.install.requireBuiltInCerts will be maintained for future ESR releases.

Thanks,
Narayana
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(narayana.grandhi)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.