security.enterprise_roots.enabled is not working on some cases

Status: RESOLVED INVALID
Type: defect
Reported: 11 months ago
Modified: 3 months ago

People

(Reporter: h2141751, Unassigned)

Tracking

Version: 60 Branch

Description

(Reporter) 11 months ago
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20180118122319

Steps to reproduce:

1. create the file policies.json in the distribution subfolder of the installation folder
2. add the following content to the JSON file
{
	"policies":
	{
		"Certificates":
		{
			"ImportEnterpriseRoots": true
		}
	}
}

3. run Firefox Quantum ESR version 60
4. show about:config


Actual results:

Firefox ignores the ImportEnterpriseRoots setting whether it is true or false; the value is always set to true and Firefox does not import certificates from the Windows Certificate Store.


Expected results:

The setting has to be set from the policy setting. When the value is set to true, Firefox imports certificates from the Windows Certificate Store.

Updated

11 months ago
Has STR: --- → yes
Component: Untriaged → Enterprise Policies
Version: 52 Branch → 60 Branch

Comment 1

I was going to ask the following question for the reporter, but their account is disabled, so for now I'll close this bug. If the question below is cleared up we can re-open it.

-----


Can you check if the value of security.enterprise_roots.enabled is being set to true (and locked) in about:config?

Also, please note that this pref doesn't import everything from the Windows Certificate Store. It only imports the added certs (non-default) that don't come pre-installed with Windows.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → INCOMPLETE

Comment 2

11 months ago
(In reply to :Felipe Gomes (needinfo me!) from comment #1)
> I was going to ask the following question for the reporter, but their
> account is disabled.. So for now I'll close this bug.. If the question below
> is cleared up we can re-open it.
> 
> -----
> 
> 
> Can you check if the value of security.enterprise_roots.enabled is being set
> to true (and locked) in about:config?
> 
> Also, please note that this pref doesn't import everything from the Windows
> Certificate Store.. It only imports the added certs (non-default) that don't
> come pre-installed with Windows.

The value of the security.enterprise_roots.enabled setting is locked and true. But the setting from the JSON file is ignored (when the value is set to false). When the setting exists in the JSON, the value in about:config is locked, but whether it is true or false in the JSON, in about:config it is true, and this setting does not work. On the previous version of Firefox, the security.enterprise_roots.enabled setting worked correctly.

Comment 3

11 months ago
So you're saying the failure happens even if the policy engine is not involved?

Even if you set security.enterprise_roots.enabled manually in about:config, it doesn't work the same way it did before?

Comment 4

11 months ago
When security.enterprise_roots.enabled is set manually in about:config, certificate import does not work.

Comment 5

11 months ago
> When set security.enterprise_roots.enabled manually in about:config, certificate import does not work.

And it worked on a previous version?

Can you use

https://mozilla.github.io/mozregression/

to determine when it broke for you?

We've had no other reports of this.
Status: RESOLVED → REOPENED
Component: Enterprise Policies → General
Ever confirmed: true
Resolution: INCOMPLETE → ---
Summary: Ignored ImportEnterpriseRoots setting in policies.json → security.enterprise_roots.enabled is not working on some cases
Flags: needinfo?(guser)

Comment 6

11 months ago
Just to say I got the same problem with 60.0.2 ESR. Trying to deploy security.enterprise_roots.enabled by GPO. The registry key gets created, the status goes to enabled in about:config, but the certificate doesn't get imported. I have the problem on 2 computers which I updated from 52.7.3 ESR. Got one computer where it is working correctly...

I never tried the setting before v60.0.2, so I don't know if it was working on an older version.

Comment 7

10 months ago
dkeeler:

Can you offer any help in debugging?
Flags: needinfo?(dkeeler)

Comment 8

10 months ago
Would be a pleasure, but I could need some spoon feeding sadly. I have tried mozregression, but wasn't able to do anything useful with it.

Comment 9

What Windows registry location is the certificate you're trying to import in? (Currently the implementation only imports from CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY, and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE.)
If you set the environment variable MOZ_LOG to "pipnss:4" and run Firefox from a terminal, you should get some output that may indicate what's going on. (If that doesn't work, try setting MOZ_LOG_FILE to some file location.)
Flags: needinfo?(dkeeler) → needinfo?(lacroix.phil)

Comment 10

10 months ago
Can't find the registry location named for the certificate, but they are under Local Computer / Trusted Root Certification Authorities and Intermediate Certification Authorities.

I did set MOZ_LOG_FILE and got some results. It seems like it is importing them, like "MyCert Root CA", but I can't see them in the certificate store in Firefox, and Firefox keeps telling me my intranet is insecure, where IE and Chrome don't.


[4552:Main Thread]: D/pipnss nsNSSComponent::ctor
[4552:Main Thread]: D/pipnss Beginning NSS initialization
[4552:Main Thread]: D/pipnss nsNSSComponent::InitializeNSS
[4552:Main Thread]: D/pipnss NSS Initialization beginning
[4552:Main Thread]: D/pipnss NSS profile at 'C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\F2ESVV~1.DEF'
[4552:Main Thread]: D/pipnss inSafeMode: 0
[4552:Main Thread]: D/pipnss initialized NSS in r/w mode
[4552:Main Thread]: D/pipnss UnloadFamilySafetyRoot
[4552:Main Thread]: D/pipnss Family Safety Root wasn't present
[4552:Main Thread]: D/pipnss UnloadEnterpriseRoots
[4552:Main Thread]: D/pipnss no enterprise roots were present
[4552:Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss Imported 'Baltimore CyberTrust Root'
[4552:Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss Imported 'Microsoft Root Certificate Authority'
[4552:Main Thread]: D/pipnss certificate not trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss skipping cert not trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss Imported 'Microsoft Root Authority'
[4552:Main Thread]: D/pipnss certificate not trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss skipping cert not trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss Imported 'Microsoft Root Certificate Authority 2011'
[4552:Main Thread]: D/pipnss certificate not trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss skipping cert not trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss Imported 'DigiCert High Assurance EV Root CA'
[4552:Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss Imported 'Microsoft Root Certificate Authority 2010'
[4552:Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss Imported 'vmware-localhost'
[4552:Main Thread]: D/pipnss certificate not trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss skipping cert not trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss certificate not trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss skipping cert not trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss Imported 'support'
[4552:Main Thread]: D/pipnss imported 8 roots
[4552:Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss Imported 'FGT60E4Q16090915'
[4552:Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss Imported 'MyCert Root CA'
[4552:Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss Imported 'FGT80E4Q17001033'
[4552:Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss Imported 'FGT80E4Q17001033'
[4552:Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss Imported 'FGT60E4Q16090915'
[4552:Main Thread]: D/pipnss imported 5 roots
[4552:Main Thread]: D/pipnss certificate not trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss skipping cert not trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss imported 0 roots
[4552:Main Thread]: D/pipnss NSS Initialization done
[4552:Main Thread]: D/pipnss nsNSSComponent: adding observers
[4552:LoadRoots]: D/pipnss loaded CKBI from C:\PROGRA~2\MOZILL~1
[4552:Socket Thread]: D/pipnss [2426A660] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304)
[4552:Socket Thread]: D/pipnss [2426A660] Socket set up
[4552:Socket Thread]: D/pipnss [2426A660] connecting SSL socket
[4552:Socket Thread]: E/pipnss [2426A660] Lower layer connect error: -5934
[4552:Socket Thread]: D/pipnss [2271ADA0] starting AuthCertificateHook
[4552:SSL Cert #1]: D/pipnss [242A5120] SSLServerCertVerificationJob::Run
[4552:SSL Cert #1]: D/pipnss nsNSSHttpRequestSession::trySendAndReceiveFcn to http://ocsp.pki.goog:80/GTSGIAG3
[4552:SSL Cert #1]: D/pipnss AuthCertificate setting NEW cert 259B6B60
[4552:Socket Thread]: D/pipnss [2271ADA0] HandshakeCallback: succeeded using TLS version range (0x0301,0x0304)
[4552:Socket Thread]: D/pipnss HandshakeCallback KEEPING existing cert
[4552:Socket Thread]: D/pipnss [2426A660] nsNSSSocketInfo::NoteTimeUntilReady
[4552:Socket Thread]: D/pipnss [2426A660] nsNSSSocketInfo::SetHandshakeCompleted
[4552:Socket Thread]: D/pipnss [277B5620] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304)
[4552:Socket Thread]: D/pipnss [277B5620] Socket set up
[4552:Socket Thread]: D/pipnss [277B5620] connecting SSL socket
[4552:Socket Thread]: E/pipnss [277B5620] Lower layer connect error: -5934
[4552:Socket Thread]: D/pipnss [277B5700] starting AuthCertificateHook
[4552:SSL Cert #1]: D/pipnss [242A5780] SSLServerCertVerificationJob::Run
[4552:SSL Cert #1]: D/pipnss nsNSSHttpRequestSession::trySendAndReceiveFcn to http://ocsp.digicert.com:80/
[4552:SSL Cert #1]: D/pipnss AuthCertificate setting NEW cert 202EBE00
[4552:Socket Thread]: D/pipnss [277B5620] nsNSSSocketInfo::NoteTimeUntilReady
[4552:Socket Thread]: D/pipnss CanFalseStartCallback [277B5700] ok
[4552:Socket Thread]: D/pipnss [277B5700] HandshakeCallback: succeeded using TLS version range (0x0301,0x0304)
[4552:Socket Thread]: D/pipnss HandshakeCallback KEEPING existing cert
[4552:Socket Thread]: D/pipnss [277B5620] nsNSSSocketInfo::SetHandshakeCompleted
[4552:Socket Thread]: D/pipnss [26907700] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304)
[4552:Socket Thread]: D/pipnss [26907700] Socket set up
[4552:Socket Thread]: D/pipnss [26907700] connecting SSL socket
[4552:Socket Thread]: E/pipnss [26907700] Lower layer connect error: -5934
[4552:Socket Thread]: D/pipnss [269077C0] starting AuthCertificateHook
[4552:SSL Cert #1]: D/pipnss [26904120] SSLServerCertVerificationJob::Run
[4552:SSL Cert #1]: D/pipnss nsNSSHttpRequestSession::trySendAndReceiveFcn to http://ocsp.pki.goog:80/GTSGIAG3
[4552:Socket Thread]: D/pipnss [260AF860] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304)
[4552:Socket Thread]: D/pipnss [260AF860] Socket set up
[4552:Socket Thread]: D/pipnss [260AF860] connecting SSL socket
[4552:Socket Thread]: E/pipnss [260AF860] Lower layer connect error: -5934
[4552:Socket Thread]: D/pipnss [25153D80] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304)
[4552:Socket Thread]: D/pipnss [25153D80] Socket set up
[4552:Socket Thread]: D/pipnss [25153D80] connecting SSL socket
[4552:Socket Thread]: E/pipnss [25153D80] Lower layer connect error: -5934
[4552:Socket Thread]: D/pipnss [269072A0] starting AuthCertificateHook
[4552:SSL Cert #2]: D/pipnss [26904670] SSLServerCertVerificationJob::Run
[4552:SSL Cert #2]: D/pipnss nsNSSHttpRequestSession::trySendAndReceiveFcn to http://ocsp.pki.goog:80/GTSGIAG3
[4552:Socket Thread]: D/pipnss [202DE0E0] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304)
[4552:Socket Thread]: D/pipnss [202DE0E0] Socket set up
[4552:Socket Thread]: D/pipnss [202DE0E0] connecting SSL socket
[4552:Socket Thread]: E/pipnss [202DE0E0] Lower layer connect error: -5934
[4552:SSL Cert #1]: D/pipnss AuthCertificate setting NEW cert 202D7640
[4552:Socket Thread]: D/pipnss [269077C0] HandshakeCallback: succeeded using TLS version range (0x0301,0x0304)
[4552:Socket Thread]: D/pipnss HandshakeCallback KEEPING existing cert
[4552:Socket Thread]: D/pipnss [26907700] nsNSSSocketInfo::NoteTimeUntilReady
[4552:Socket Thread]: D/pipnss [26907700] nsNSSSocketInfo::SetHandshakeCompleted
[4552:Socket Thread]: D/pipnss [259AF5E0] starting AuthCertificateHook
[4552:SSL Cert #1]: D/pipnss [269049A0] SSLServerCertVerificationJob::Run
[4552:SSL Cert #1]: D/pipnss nsNSSHttpRequestSession::trySendAndReceiveFcn to http://ocsp.pki.goog:80/GTSGIAG3
[4552:SSL Cert #2]: D/pipnss AuthCe
Flags: needinfo?(lacroix.phil)
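As an added example (not code from this bug or from Firefox), a small Python parser for pipnss lines of the kind pasted in comment 10: it groups the "Imported"/"skipping" messages into the passes closed by each "imported N roots" line, so an administrator reading MOZ_LOG_FILE can confirm whether a given enterprise root was actually imported before chasing the chain. Treating each pass as one of the three store locations named in comment 8 is an assumption, and the sample log is constructed from an abbreviated version of the thread's output.

```python
import re
from dataclasses import dataclass, field

# Line shapes of the pipnss enterprise-roots import, as seen in the MOZ_LOG
# output pasted in comment 10 of this bug.
IMPORTED_RE = re.compile(r"D/pipnss Imported '(?P<name>[^']*)'")
SKIPPED_RE = re.compile(r"D/pipnss skipping cert not trust anchor")
PASS_DONE_RE = re.compile(r"D/pipnss imported (?P<count>\d+) roots")

@dataclass
class ImportPass:
    """One scan of a store location, closed by an 'imported N roots' line."""
    imported: list = field(default_factory=list)
    skipped: int = 0
    reported_count: int = -1  # the count Firefox itself printed

def parse_enterprise_root_log(lines):
    """Group Imported/skipping lines into passes, one per 'imported N roots'.
    Comment 8 lists three store locations (LOCAL_MACHINE, _GROUP_POLICY,
    _ENTERPRISE) and the log shows one summary line per location, so each
    pass is assumed to be one location, in log order; other lines are ignored.
    """
    passes, current = [], ImportPass()
    for line in lines:
        if m := IMPORTED_RE.search(line):
            current.imported.append(m.group("name"))
        elif SKIPPED_RE.search(line):
            current.skipped += 1
        elif m := PASS_DONE_RE.search(line):
            current.reported_count = int(m.group("count"))
            passes.append(current)
            current = ImportPass()
    return passes

def root_was_imported(passes, label):
    """True if a certificate with this label was imported in any pass."""
    return any(label in p.imported for p in passes)

def counts_consistent(passes):
    """Firefox's own 'imported N roots' figure should match the lines seen."""
    return all(p.reported_count == len(p.imported) for p in passes)

# Constructed sample, abbreviated from the real log in comment 10.
SAMPLE_LOG = """\
[4552:Main Thread]: D/pipnss Imported 'Baltimore CyberTrust Root'
[4552:Main Thread]: D/pipnss skipping cert not trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss Imported 'vmware-localhost'
[4552:Main Thread]: D/pipnss imported 2 roots
[4552:Main Thread]: D/pipnss Imported 'MyCert Root CA'
[4552:Main Thread]: D/pipnss imported 1 roots
[4552:Main Thread]: D/pipnss skipping cert not trust anchor for TLS server auth
[4552:Main Thread]: D/pipnss imported 0 roots
"""

if __name__ == "__main__":
    passes = parse_enterprise_root_log(SAMPLE_LOG.splitlines())
    for i, p in enumerate(passes, 1):
        print(f"pass {i}: imported {p.imported}, skipped {p.skipped}")
    print("MyCert Root CA imported:", root_was_imported(passes, "MyCert Root CA"))
```

Because the pref imports roots only, an intermediate CA will never appear in these passes even when it sits in the Windows store; that is the case the later comments run into.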

Comment 11

So it looks like the root is being imported, but Firefox can't build a valid certificate chain to it. Is your server sending the right intermediate certificates? It might help if you attach the chain you're trying to use to this bug.
Flags: needinfo?(lacroix.phil)

Comment 12

10 months ago
Yes, my server should be sending the right intermediate, but I don't see it as being imported by Firefox in the MOZ_LOG_FILE.

Should Firefox have imported it, or does it presently not import the Intermediate Certification Authorities?
Flags: needinfo?(lacroix.phil)

Comment 13

Setting the enterprise roots pref won't import any intermediates, but if it's being sent by the server then that should work. I think what you're saying indicates that Firefox has all of the certificates it needs to build a complete chain from the server's certificate to the imported root, but it isn't successfully doing so, which could mean that Firefox considers one or more of the certificates to be invalid. If you attach the chain you're trying to use to this bug, I may be able to help diagnose the issue.
Flags: needinfo?(lacroix.phil)

Comment 14

10 months ago
I have 3 certificates in play: the root one (internal CA), one intermediate that Firefox doesn't seem to import, and the website one, which Firefox considers invalid since it's missing the intermediate cert.

I am not sure how to attach the complete chain here. Do you want me to copy-paste the 3 certificates?

I am kind of a newb on certificates, and I remember reading something about making a certificate chain with OpenSSL, but I wasn't successful with it, and I just pushed the certificate to the computer and everything started working after :/


And sorry for my English, still working on it.
Flags: needinfo?(lacroix.phil)

Comment 15

Copy/paste would work. You could also put them in a file or a few files and attach them ("attach file" up near the top of this page). Do you know what server you're using? Sometimes you can just append the intermediate certificate to the file that contains the server certificate and that'll work.

Comment 16

10 months ago
I am using Server 2008 R2 for the website, but CentOS with OpenSSL to make the certificate.

I will check what I can do to upload the cert.

Comment 17

10 months ago
So, Keeler, I have sent you the chain by mail, since I didn't want some information included on the web :/

But you can forget about the bug; it's not working anymore on Chrome, so I really must have something wrong in my cert. I am sure it was working a month ago...

Thanks for the help.

Comment 18

10 months ago
Okay, forget my last message; it's working under Chrome, it's just that the main page had some http pages still linked in it, which was throwing me off...

There is still probably something wrong with my cert, since Firefox doesn't let me see it when I go on the page and click View Certificate.

Comment 19

In that file, assuming the end-entity is the first certificate, the root is the second certificate, and the intermediate is the 3rd certificate, that should work fine in Firefox (provided that the root is what's in OS storage and the server knows to send along the intermediate in the TLS handshake). What is the error you're seeing? Also, what hostname are you visiting?

Comment 20

10 months ago
We visit intranet, which is an alias for the server name srv1omega. But the server probably doesn't send the intermediate certificate; I got it pushed by GPO into the Windows Certificate store. I will check the error message tomorrow when I am back at work and post back.

Thanks

Comment 21

10 months ago
The error is SEC_ERROR_UNKNOWN_ISSUER.

Seems like Firefox doesn't get the intermediate certificate.

Comment 22

10 months ago
If I manually add the intermediate certificate in Firefox, everything works fine.

I will try to make the server send the intermediate cert. Still, it would be nice to see in the Certificate Manager of Firefox the certificates that are imported from the Windows cert store. And maybe let Firefox import the Intermediate store for noobs like me ;)

Comment 23

10 months ago
If I check the cert chain in Chrome, I see the intermediate cert, even after I removed it from the computer cert store. Wouldn't that mean that the web server is giving the information for the intermediate cert correctly and that Firefox should accept the cert?

Comment 24

10 months ago
I spoke too fast.

After a reboot, the cert chain is broken, meaning IIS doesn't send the intermediate cert along like it should.

Comment 25

So it sounds like this is a configuration issue on the server?

Comment 26

10 months ago
Kind of. It seems IIS doesn't always link the cert correctly. I seem to have fixed it by re-importing the intermediate cert after adding the website cert to it. It seems like it's working now, but I wanted to test it on another computer before yelling victory.

And now that the chain is working, the intermediate cert appears in the Firefox cert store; I don't understand why...

In any case, thanks a lot for your time. Wouldn't have gotten it alone.

Comment 27

If you've imported the intermediate manually, Firefox will use it even if the server didn't send the intermediate in the handshake itself.

It sounds like this is a configuration issue, so I'll close this as "not a bug in Firefox" (unfortunately the closest thing bugzilla has is "invalid").
Status: REOPENED → RESOLVED
Last Resolved: 11 months ago → 10 months ago
Resolution: --- → INVALID

Comment 28

10 months ago
In my case, it was a configuration issue.

But Firefox doesn't import the intermediate certificate if you set ImportEnterpriseRoots to true. It would be nice and would have saved us time.

And it doesn't show in its certificate store the certs it imports. That would also have saved us time, since everything I was seeing was that it didn't import anything, but it did import the root CA, which would have shown me the error was on my side.

Thanks again.

Comment 29

8 months ago
I have encountered what appears to be a similar issue when using a certificate from ADCS with a VMWare host: Firefox does not see the intermediate CA as valid, although in another browser (e.g. Chrome) it does. This doesn't seem like a server-side issue if it works OK in Chrome but not in Firefox?

Comment 30

8 months ago
I would like to remind you that Firefox still ignores the ImportEnterpriseRoots setting: whether it is true or false, the value is always set to true.

Comment 31

> I would like to remind you that Firefox still ignores the ImportEnterpriseRoots setting: whether it is true or false, the value is always set to true.

This is a separate bug, but I'm unsure why you would ever set it to false? That's the default.

Comment 32

7 months ago
For testing purposes it is sometimes needed to disable this setting.
Flags: needinfo?(guser)

Comment 33

(In reply to GUser from comment #32)
> For testing purposes it is sometimes needed to disable this setting.

Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1491664 will fix this.