Closed Bug 1549061 Opened 7 months ago Closed 7 months ago

Create patches for add-on signing intermediate certificate dot release

Categories

(Toolkit :: General, defect, P1, major)

defect

Tracking

()

RESOLVED FIXED
mozilla68
Tracking Status
relnote-firefox --- 66+
firefox-esr60 66+ fixed
firefox66 blocking fixed
firefox67 blocking fixed
firefox68 blocking fixed

People

(Reporter: mgoodwin, Assigned: robwu)

References

(Depends on 1 open bug)

Details

(Whiteboard: cert2019)

Attachments

(3 files, 1 obsolete file)

No description provided.
Summary: Create patches for addon intermediate certificate dot release → Create patches for add-on signing intermediate certificate dot release

Not actually r?keeler - but tooling wants a reviewer in the commit message...

Assignee: nobody → mgoodwin
Status: NEW → ASSIGNED
Attachment #9062696 - Attachment description: Bug 1549061 - Add intermediate certificate, force signature reverification r?keeler → Bug 1549061 - Add intermediate certificate, force signature reverification r?zombie
Attached file Bug 1549061 - add await to verify call (obsolete) —

Depends on D29940

Attachment #9062708 - Attachment is obsolete: true
Attachment #9062708 - Attachment is obsolete: false
Attachment #9062696 - Attachment description: Bug 1549061 - Add intermediate certificate, force signature reverification r?zombie → Bug 1549061 - Add intermediate certificate, force signature reverification

For ESR60

The patch in comment 7 is for ESR60. It is nearly identical to the previous patch, and I verified it on Linux - see https://phabricator.services.mozilla.com/D29947#879074

Assignee: mgoodwin → rob
Priority: -- → P1
Attachment #9062708 - Attachment is obsolete: true
Attachment #9062727 - Attachment description: Bug 1549061 - Add intermediate certificate, force signature reverification → Bug 1549061 - Add intermediate certificate, force signature reverification [ESR60]
Depends on: 1549070

Release note added as:

Repaired certificate chain to re-enable web extensions that had been disabled

If we end up with a new blog post at the time of the release we can change the link to point to it.

Attachment #9062696 - Attachment description: Bug 1549061 - Add intermediate certificate, force signature reverification → Bug 1549061 - Add intermediate certificate, bump DB schema version
Attachment #9062740 - Attachment description: Bug 1549061 - Add intermediate certificate, bump DB schema version [release] → Bug 1549061 - Add intermediate certificate [release]
Attachment #9062727 - Attachment description: Bug 1549061 - Add intermediate certificate, force signature reverification [ESR60] → Bug 1549061 - Add intermediate certificate [ESR60]
Attachment #9062696 - Attachment description: Bug 1549061 - Add intermediate certificate, bump DB schema version → Bug 1549061 - Add intermediate certificate
Duplicate of this bug: 1549116
See Also: → 1549129

Notes:

  • D29947 - The "[ESR60]" patch is for ESR60
  • D29949 - The "[release]" patch is for Release and Beta
  • D29940 - The patch without brackets in the title is for m-c.

The patch for beta landed just now: https://hg.mozilla.org/releases/mozilla-beta/rev/be8cd9575508ce1a95b971ccbfe3a7ceec59bc0b

We're holding off on landing on mozilla-central, for now.

(In reply to Liz Henry (:lizzard) (use needinfo) from comment #13)

The patch from ESR landed earlier today: https://hg.mozilla.org/releases/mozilla-esr60/rev/bfd165fd51ec90777db01c21e3b727328a5ea1a3

This was to the 60.6.2 relbranch. I've also pushed it to default for 60.7 as well:
https://hg.mozilla.org/releases/mozilla-esr60/rev/537700ea54aaceda64e1e5395085e536e1c9d3e3

This was also pushed to release for 66.0.4 earlier:
https://hg.mozilla.org/releases/mozilla-release/rev/848b15028562c6757748070f637e0e4f0bbb5f65

Pushed by aswan@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/023dd959512e
Add intermediate certificate r=kmag a=lizzard CLOSED TREE
Depends on: 1549147
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

I can verify that installing today's Firefox Nightly for Android (2019-05-05) from [1] reenabled all extensions.
On desktop Firefox Nightly (2019-05-05 Linux, Build ID 20190505092607), all AddOns remain enabled after manually deleting the hotfix-update-xpi-signing-intermediate-bug-1548973 study and resetting app.update.lastUpdateTime.xpi-signature-verification.

[1] https://www.mozilla.org/en-US/firefox/android/nightly/all/

Edit: now also verified with https://archive.mozilla.org/pub/mobile/candidates/66.0.4-candidates/build3/android-api-16/multi/

I just verified this using [1] and [2]:

  • Creating a new testprofile/prefs.js that only contains the line user_pref("app.shield.optoutstudies.enabled", false);
  • Start with $ ./firefox --profile testprofile --new-instance
  • Verify that about:studies is empty
  • Install any extension from a.m.o
  • WFM

[1] https://archive.mozilla.org/pub/firefox/releases/66.0.4/
[2] https://archive.mozilla.org/pub/firefox/releases/60.6.2esr/

I'm confused. Is this fix supposed to also work on 66.0.4 for Windows 10 desktop? If so, it's not working on either of my two desktops. I've just downloaded and installed 66.0.4 from Firefox Help->About Firefox. Restarted Firefox to complete the install. No joy. Addons that were previously (since yesterday morning for me) flagged as "not verified for use in Firefox" and are still disabled. I even tried removing one (FoxClocks), and reinstalling it. The download failed with a note to check my connection. Nothing wrong with my connection. Streaming audio on another tab continues to stream.

https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/comment-page-6/#comments indicates this release should have solved this issue. What am I missing?

Thanks,
Tim

(In reply to Tim Johnson from comment #19)

I'm confused. Is this fix supposed to also work on 66.0.4 for Windows 10 desktop? If so, it's not working on either of my two desktops. I've just downloaded and installed 66.0.4 from Firefox Help->About Firefox. Restarted Firefox to complete the install. No joy. Addons that were previously (since yesterday morning for me) flagged as "not verified for use in Firefox" and are still disabled. I even tried removing one (FoxClocks), and reinstalling it. The download failed with a note to check my connection. Nothing wrong with my connection. Streaming audio on another tab continues to stream.

https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/comment-page-6/#comments indicates this release should have solved this issue. What am I missing?

Could you check if the extensions.signer.hotfixed pref is set for you? Wondering if certDB.addCertFromBase64 is failing, in which case the pref wouldn't have gotten set (I see it set to true locally on 66.0.4).

(In reply to Brian Grinstead [:bgrins] from comment #20)

(In reply to Tim Johnson from comment #19)

https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/comment-page-6/#comments indicates this release should have solved this issue. What am I missing?

Could you check if the extensions.signer.hotfixed pref is set for you? Wondering if certDB.addCertFromBase64 is failing, in which case the pref wouldn't have gotten set (I see it set to true locally on 66.0.4).

Tim, could you check one more thing as well? If you open about:preferences#privacy -> View Certificates -> Authorities -> Mozilla Corporation do you see signingca1.addons.mozilla.org with SHA-256 Fingerprint="B0:F7:0C:5C:36:3B:59:9B:B8:40:78:A4:35:F8:7E:F4:B8:FB:30:E5:84:18:2E:11:AD:FC:7B:07:AF:02:AE:82"?

Flags: needinfo?(tajkkj)

Brian, I assume extensions.signer.hotfixed is in about:config. The closest entry is extensions.hotfix.lastVersion.
Re your second question, there is no entry for Mozilla Corporation. I have an entry for Microsec Ltd, and MSIT Machine Auth CA 2.

Flags: needinfo?(tajkkj)

¡Hola Tim!

What are the Serial Number and Fingerprints for the TLS certificate of https://addons.mozilla.org/ please?

¡Gracias!
Alex

Flags: needinfo?(tajkkj)

(In reply to Tim Johnson from comment #22)

Brian, I assume extensions.signer.hotfixed is in about:config. The closest entry is extensions.hotfix.lastVersion.
Re your second question, there is no entry for Mozilla Corporation. I have an entry for Microsec Ltd, and MSIT Machine Auth CA 2.

You are correct about extensions.signer.hotfixed being in about:config. The fact that this isn't showing up makes me think you must be hitting an exception at this line: https://hg.mozilla.org/releases/mozilla-release/rev/848b15028562c6757748070f637e0e4f0bbb5f65#l1.25.

Could you check your Browser Console (Ctrl+Shift+J) after restarting the browser and see if you can find the "failed to add new intermediate certificate" error? It will show Log.jsm as the source. If you see that, could you paste that full error message in here? Thanks in advance.

(In reply to alex_mayorga from comment #23)

¡Hola Tim!

What are the Serial Number and Fingerprints for the TLS certificate of https://addons.mozilla.org/ please?

¡Gracias!
Alex

Hi Alex. If you can tell me how to get that info, I will gladly provide it. I didn't see anything like what you're asking in the Certificate Manager.

Flags: needinfo?(tajkkj)

(In reply to Brian Grinstead [:bgrins] from comment #24)

(In reply to Tim Johnson from comment #22)

Brian, I assume extensions.signer.hotfixed is in about:config. The closest entry is extensions.hotfix.lastVersion.
Re your second question, there is no entry for Mozilla Corporation. I have an entry for Microsec Ltd, and MSIT Machine Auth CA 2.

You are correct about extensions.signer.hotfixed being in about:config. The fact that this isn't showing up makes me think you must be hitting an exception at this line: https://hg.mozilla.org/releases/mozilla-release/rev/848b15028562c6757748070f637e0e4f0bbb5f65#l1.25.

Could you check your Browser Console (Ctrl+Shift+J) after restarting the browser and see if you can find the "failed to add new intermediate certificate" error? It will show Log.jsm as the source. If you see that, could you paste that full error message in here? Thanks in advance.

Brain, here's the whole Browser Console output. It's not long.

1557097728294 addons.xpi ERROR failed to add new intermediate certificate:: [Exception... "Component returned failure code: 0x805a1f65 [nsIX509CertDB.addCertFromBase64]" nsresult: "0x805a1f65 (<unknown>)" location: "JS frame :: resource://gre/modules/addons/XPIProvider.jsm :: addMissingIntermediateCertificate :: line 1896" data: no] Stack trace: addMissingIntermediateCertificate()@resource://gre/modules/addons/XPIProvider.jsm:1896
startup()@resource://gre/modules/addons/XPIProvider.jsm:2144
callProvider()@resource://gre/modules/AddonManager.jsm:203
_startProvider()@resource://gre/modules/AddonManager.jsm:652
startup()@resource://gre/modules/AddonManager.jsm:805
startup()@resource://gre/modules/AddonManager.jsm:2775
observe()@jar:file:///C:/Program%20Files/Mozilla%20Firefox/omni.ja!/components/addonManager.js:66 Log.jsm:679
append resource://gre/modules/Log.jsm:679
log resource://gre/modules/Log.jsm:360
error resource://gre/modules/Log.jsm:368
addMissingIntermediateCertificate resource://gre/modules/addons/XPIProvider.jsm:1899
startup resource://gre/modules/addons/XPIProvider.jsm:2144
callProvider resource://gre/modules/AddonManager.jsm:203
_startProvider resource://gre/modules/AddonManager.jsm:652
startup resource://gre/modules/AddonManager.jsm:805
startup resource://gre/modules/AddonManager.jsm:2775
observe jar:file:///C:/Program Files/Mozilla Firefox/omni.ja!/components/addonManager.js:66
WebExtensions: failed to add new intermediate certificate:
Exception { name: "", message: "Component returned failure code: 0x805a1f65 [nsIX509CertDB.addCertFromBase64]", result: 2153389925, filename: "jar:file:///C:/Users/tajkkj/AppData/Roaming/Mozilla/Firefox/Profiles/kufxng75.default/extensions/hotfix-update-xpi-intermediate@mozilla.com.xpi!/experiments/skeleton/api.js", lineNumber: 14, columnNumber: 0, data: null, stack: "doTheThing@jar:file:///C:/Users/tajkkj/AppData/Roaming/Mozilla/Firefox/Profiles/kufxng75.default/extensions/hotfix-update-xpi-intermediate@mozilla.com.xpi!/experiments/skeleton/api.js:14:15\ncall/result</<@resource://gre/modules/ExtensionParent.jsm:950:49\nwithPendingBrowser@resource://gre/modules/ExtensionParent.jsm:604:26\ncall/result<@resource://gre/modules/ExtensionParent.jsm:949:16\nwithTiming@resource://gre/modules/ExtensionParent.jsm:916:14\ncall@resource://gre/modules/ExtensionParent.jsm:948:20\n", location: XPCWrappedNative_NoHelper }
api.js:17
WebExtensions: signatures re-verified api.js:23
1557097730606 addons.xpi-utils WARN disabling legacy extension {9BAE5926-8513-417d-8E47-774955A7C60D}
1557097730613 addons.xpi-utils WARN disabling legacy extension {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}
1557097730616 addons.xpi-utils WARN disabling legacy extension {19EB90DC-A456-458b-8AAC-616D91AAFCE1}
1557097730624 addons.xpi-utils WARN disabling legacy extension compatibility@addons.mozilla.org
1557097730653 addons.xpi-utils WARN disabling legacy extension {dc572301-7619-498c-a57d-39143191b318}
1557097730668 addons.xpi-utils WARN disabling legacy extension CSTBB@NArisT2_Noia4dev
1557097730727 addons.xpi-utils WARN disabling legacy extension ClassicThemeRestorer@ArisT2Noia4dev
1557097730736 addons.xpi-utils WARN Add-on {b14f4076-e80d-4baa-8c7d-8c65dfd2519c} is not correctly signed.
1557097730741 addons.xpi-utils WARN Add-on pdfsam_enhanced5_conv@pdfsam.com is not correctly signed.
1557097730744 addons.xpi-utils WARN Add-on Tab-Session-Manager@sienori is not correctly signed.
1557097730747 addons.xpi-utils WARN Add-on https-everywhere-eff@eff.org is not correctly signed.
1557097730751 addons.xpi-utils WARN Add-on donottrackplus@abine.com is not correctly signed.
1557097730758 addons.xpi-utils WARN Add-on support@lastpass.com is not correctly signed.
Key event not available on some keyboard layouts: key=“i” modifiers=“accel,alt,shift” id=“key_browserToolbox” browser.xul

(In reply to Tim Johnson from comment #25)

(In reply to alex_mayorga from comment #23)

What are the Serial Number and Fingerprints for the TLS certificate of https://addons.mozilla.org/ please?

Hi Alex. If you can tell me how to get that info, I will gladly provide it. I didn't see anything like what you're asking in the Certificate Manager.

  1. Click on the green slot at the left of the location bar (of https://addons.mozilla.org ).
  2. Click on the > at the right of the "Connection" bar.
  3. Click on "More information" at the bottom of the panel.
  4. Click on the "View certificate" button
  5. The serial number and fingerprints are now visible.

You can try to copy the information, or take a screenshot and share it.

Thanks!

Flags: needinfo?(tajkkj)

(In reply to Tim Johnson from comment #26)

(In reply to Brian Grinstead [:bgrins] from comment #24)

(In reply to Tim Johnson from comment #22)

Brian, I assume extensions.signer.hotfixed is in about:config. The closest entry is extensions.hotfix.lastVersion.
Re your second question, there is no entry for Mozilla Corporation. I have an entry for Microsec Ltd, and MSIT Machine Auth CA 2.

You are correct about extensions.signer.hotfixed being in about:config. The fact that this isn't showing up makes me think you must be hitting an exception at this line: https://hg.mozilla.org/releases/mozilla-release/rev/848b15028562c6757748070f637e0e4f0bbb5f65#l1.25.

Could you check your Browser Console (Ctrl+Shift+J) after restarting the browser and see if you can find the "failed to add new intermediate certificate" error? It will show Log.jsm as the source. If you see that, could you paste that full error message in here? Thanks in advance.

Brain, here's the whole Browser Console output. It's not long.

1557097728294 addons.xpi ERROR failed to add new intermediate certificate:: [Exception... "Component returned failure code: 0x805a1f65 [nsIX509CertDB.addCertFromBase64]" nsresult: "0x805a1f65 (<unknown>)" location: "JS frame :: resource://gre/modules/addons/XPIProvider.jsm :: addMissingIntermediateCertificate :: line 1896" data: no] Stack trace: addMissingIntermediateCertificate()@resource://gre/modules/addons/XPIProvider.jsm:1896
...

Thanks so much Tim. I'm going to forward this to some people who should be able to help track down that error result. Two more things that would be helpful to narrow down further, if you could:

  1. Do you have antivirus software installed?
  2. Could you check with a brand new profile on 66.0.4 and see if you can install addons from there?
Flags: needinfo?(mgoodwin)
Flags: needinfo?(dkeeler)

The error code for that message is SEC_ERROR_TOKEN_NOT_LOGGED_IN, which Dana suggests probably means that a master password is enabled and not logged in. Do you have a master password set?

Depends on: 1549249
Flags: needinfo?(mgoodwin)
Flags: needinfo?(dkeeler)

Hi Tim, just to keep things clear: the pending questions for you are in Comment 27, Comment 28, and Comment 29.

Depends on: 1549344

(In reply to alex_mayorga from comment #23)

¡Hola Tim!

What are the Serial Number and Fingerprints for the TLS certificate of https://addons.mozilla.org/ please?

¡Gracias!
Alex

Alex, thanks for the tip. I should have known that. The serial number is 02:B3:82:58:A3:02:4B:3D:91:0E:DB:57:E7:D2:20:BD
and the fingerprints are

SHA-256 3B:E1:FA:98:FA:68:FD:C3:8D:3F:75:57:09:47:AE:63:1E:58:C1:B9:9A:0B:5E:AC:80:00:89:FE:78:D7:D6:61
SHA-1 52:10:EA:69:8E:B7:4E:F1:D6:4C:EE:4C:CA:CE:F0:52:31:E3:0B:2E

Flags: needinfo?(tajkkj)

(In reply to Kris Maglione [:kmag] from comment #29)

The error code for that message is SEC_ERROR_TOKEN_NOT_LOGGED_IN, which Dana suggests probably means that a master password is enabled and not logged in. Do you have a master password set?

Yes, I do have a master password set, but I have "Ask to save logins and passwords for websites" unchecked. I haven't used that feature in a long time since I now use a password manager for that purpose.

The AMO certificate has the expected values. Based on your report, we found a potential cause in bug 1549249.

A work-around is known, and documented at https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox#w_master-password

Could you give that a try and report whether it fixes your issue?

(In reply to Brian Grinstead [:bgrins] from comment #28)

(In reply to Tim Johnson from comment #26)

(In reply to Brian Grinstead [:bgrins] from comment #24)

(In reply to Tim Johnson from comment #22)

Brian, I assume extensions.signer.hotfixed is in about:config. The closest entry is extensions.hotfix.lastVersion.
Re your second question, there is no entry for Mozilla Corporation. I have an entry for Microsec Ltd, and MSIT Machine Auth CA 2.

You are correct about extensions.signer.hotfixed being in about:config. The fact that this isn't showing up makes me think you must be hitting an exception at this line: https://hg.mozilla.org/releases/mozilla-release/rev/848b15028562c6757748070f637e0e4f0bbb5f65#l1.25.

Could you check your Browser Console (Ctrl+Shift+J) after restarting the browser and see if you can find the "failed to add new intermediate certificate" error? It will show Log.jsm as the source. If you see that, could you paste that full error message in here? Thanks in advance.

Brain, here's the whole Browser Console output. It's not long.

1557097728294 addons.xpi ERROR failed to add new intermediate certificate:: [Exception... "Component returned failure code: 0x805a1f65 [nsIX509CertDB.addCertFromBase64]" nsresult: "0x805a1f65 (<unknown>)" location: "JS frame :: resource://gre/modules/addons/XPIProvider.jsm :: addMissingIntermediateCertificate :: line 1896" data: no] Stack trace: addMissingIntermediateCertificate()@resource://gre/modules/addons/XPIProvider.jsm:1896
...

Thanks so much Tim. I'm going to forward this to some people who should be able to help track down that error result. Two more things that would be helpful to narrow down further, if you could:

  1. Do you have antivirus software installed?
  2. Could you check with a brand new profile on 66.0.4 and see if you can install addons from there?

Brian, I have Nod32 from ESET as my antivirus program. I tried a new profile, and I successfully installed the FoxClocks addon.

From Kris's question about master password set, I wonder if I log in if everything will start working age. Stand-by.

(In reply to Tim Johnson from comment #35)

(In reply to Brian Grinstead [:bgrins] from comment #28)

(In reply to Tim Johnson from comment #26)

(In reply to Brian Grinstead [:bgrins] from comment #24)

(In reply to Tim Johnson from comment #22)

Brian, I assume extensions.signer.hotfixed is in about:config. The closest entry is extensions.hotfix.lastVersion.
Re your second question, there is no entry for Mozilla Corporation. I have an entry for Microsec Ltd, and MSIT Machine Auth CA 2.

You are correct about extensions.signer.hotfixed being in about:config. The fact that this isn't showing up makes me think you must be hitting an exception at this line: https://hg.mozilla.org/releases/mozilla-release/rev/848b15028562c6757748070f637e0e4f0bbb5f65#l1.25.

Could you check your Browser Console (Ctrl+Shift+J) after restarting the browser and see if you can find the "failed to add new intermediate certificate" error? It will show Log.jsm as the source. If you see that, could you paste that full error message in here? Thanks in advance.

Brain, here's the whole Browser Console output. It's not long.

1557097728294 addons.xpi ERROR failed to add new intermediate certificate:: [Exception... "Component returned failure code: 0x805a1f65 [nsIX509CertDB.addCertFromBase64]" nsresult: "0x805a1f65 (<unknown>)" location: "JS frame :: resource://gre/modules/addons/XPIProvider.jsm :: addMissingIntermediateCertificate :: line 1896" data: no] Stack trace: addMissingIntermediateCertificate()@resource://gre/modules/addons/XPIProvider.jsm:1896
...

Thanks so much Tim. I'm going to forward this to some people who should be able to help track down that error result. Two more things that would be helpful to narrow down further, if you could:

  1. Do you have antivirus software installed?
  2. Could you check with a brand new profile on 66.0.4 and see if you can install addons from there?

Brian, I have Nod32 from ESET as my antivirus program. I tried a new profile, and I successfully installed the FoxClocks addon.

From Kris's question about master password set, I wonder if I log in if everything will start working age. Stand-by.

I switched back to my original profile, logged in, and I'm still not seeing any change in behavior. I.e., addons still disabled.

I grabbed the Browser Console log again right after opening Firefox with original profile, and not logging in. This is what it now shows (Addons still disabled):

Loading failed for the <script> with source “moz-extension://31f4650b-4bf6-454c-ad62-b0f225a11d0d/background.js”. _generated_background_page.html:5:1
Loading failed for the <script> with source “moz-extension://2302012f-cd5e-40d2-8790-294757a40514/background.js”. _generated_background_page.html:5:1
Loading failed for the <script> with source “moz-extension://e556d76f-bfed-4b70-bf29-e705f11e5bd8/injections.js”. _generated_background_page.html:5:1
Loading failed for the <script> with source “moz-extension://e556d76f-bfed-4b70-bf29-e705f11e5bd8/ua_overrides.js”. _generated_background_page.html:6:1
Loading failed for the <script> with source “moz-extension://96bd9e5d-282e-486d-ab0d-201515ad5259/build/buildSettings.js”. _generated_background_page.html:5:1
Loading failed for the <script> with source “moz-extension://96bd9e5d-282e-486d-ab0d-201515ad5259/background/startBackground.js”. _generated_background_page.html:6:1
Key event not available on some keyboard layouts: key=“i” modifiers=“accel,alt,shift” id=“key_browserToolbox” browser.xul

I did try to add the FoxClocks addon to my original profile. FoxClocks did install, but the locations to monitor did not populate, so there are no locations to select for display.

UPDATE: Installing and enabling FoxClocks seems to have blocked all traffic on all tabs. Removing FoxClocks restores traffic flow.

Also, I have removed the master password, and I'm still not getting the addons restored.

(In reply to Tim Johnson from comment #38)

I did try to add the FoxClocks addon to my original profile. FoxClocks did install, but the locations to monitor did not populate, so there are no locations to select for display.

The fact that it installed at all makes me think the workaround you tried in Comment 36 may have worked, at least to get past this certificate problem (but sounds like there's a new one around FoxClocks not working at runtime). I'd like to confirm if that's true - can you tell me if your other addons in about:addons are also showing up as enabled in your original profile (in addition to FoxClocks)?

Also, just confirming that for Comment 36 you followed these steps: https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox#w_master-password, including restarting Firefox in step 4.

Flags: needinfo?(tajkkj)

(In reply to Brian Grinstead [:bgrins] from comment #39)

(In reply to Tim Johnson from comment #38)

I did try to add the FoxClocks addon to my original profile. FoxClocks did install, but the locations to monitor did not populate, so there are no locations to select for display.

The fact that it installed at all makes me think the workaround you tried in Comment 36 may have worked, at least to get past this certificate problem (but sounds like there's a new one around FoxClocks not working at runtime). I'd like to confirm if that's true - can you tell me if your other addons in about:addons are also showing up as enabled in your original profile (in addition to FoxClocks)?

Also, just confirming that for Comment 36 you followed these steps: https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox#w_master-password, including restarting Firefox in step 4.

Brian, The other addons are still marked as disabled, and show as legacy addons.

And, yes I've removed the master password, and restarted Firefox; actually restarted several times now.

And I'm on Windows 10 v1809 OS Build 177763.437

Flags: needinfo?(tajkkj)

Tim, sorry to hear that it's still not working for you. After all that's changed since Comment 20, I'd like to check if the extensions.signer.hotfixed pref is visible for you in about:config. That'd be the easiest way to confirm if the certificate got installed. If it's not there, could you if confirm you are seeing the same error message in the Browser Console you did earlier? This one, specifically:

1557097728294 addons.xpi ERROR failed to add new intermediate certificate:: [Exception... "Component returned failure code: 0x805a1f65 [nsIX509CertDB.addCertFromBase64]" nsresult: "0x805a1f65 (<unknown>)" location: "JS frame :: resource://gre/modules/addons/XPIProvider.jsm :: addMissingIntermediateCertificate :: line 1896" data: no] Stack trace: addMissingIntermediateCertificate()@resource://gre/modules/addons/XPIProvider.jsm:1896

If the pref is set, then it's possible you'll need to follow this workaround to re-enable the addons: https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox#w_add-ons-appearing-as-unsupported-or-disappeared-from-your-aboutaddons-page.

Depends on: 1549310

(In reply to Brian Grinstead [:bgrins] from comment #41)

Tim, sorry to hear that it's still not working for you. After all that's changed since Comment 20, I'd like to check if the extensions.signer.hotfixed pref is visible for you in about:config. That'd be the easiest way to confirm if the certificate got installed. If it's not there, could you if confirm you are seeing the same error message in the Browser Console you did earlier? This one, specifically:

1557097728294 addons.xpi ERROR failed to add new intermediate certificate:: [Exception... "Component returned failure code: 0x805a1f65 [nsIX509CertDB.addCertFromBase64]" nsresult: "0x805a1f65 (<unknown>)" location: "JS frame :: resource://gre/modules/addons/XPIProvider.jsm :: addMissingIntermediateCertificate :: line 1896" data: no] Stack trace: addMissingIntermediateCertificate()@resource://gre/modules/addons/XPIProvider.jsm:1896

If the pref is set, then it's possible you'll need to follow this workaround to re-enable the addons: https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox#w_add-ons-appearing-as-unsupported-or-disappeared-from-your-aboutaddons-page.

Yes, this pref is set: extensions.signer.hotfixed;true

I have one addon, ColorfulTabs, which is working. All the rest are under the legacy category, and I'm not able to enable them. Each one says find a replacement. Some I've configured, and if I remove and re-add, I'll have to restore the configurations, which I have no way of knowing what those configuration settings are at this point.

I just removed LastPass, and re-added it. That one does not require any configuration, and it's working. I also removed and re-added FoxClocks. This time, it found the locations I'd been monitoring before this bug, and it's now working. And, more importantly, traffic on all tabs appears to flow normally now.

Do you think if I remove and re-add my other legacy addons, their configurations will remain what I had?

Brian, here's an interesting, and somewhat confusing, data point. On my other computer, which also has the same Firefox profile as the one I normally use (the computer which I've been reporting about I've only had since Feb 2, 2019, and it's profile was copied from my older computer), I removed the master password, restarted Firefox, and all add-ons were re-enabled and seem to be working properly. Weird, huh?

(In reply to Tim Johnson from comment #42)

Yes, this pref is set: extensions.signer.hotfixed;true

I have one addon, ColorfulTabs, which is working. All the rest are under the legacy category, and I'm not able to enable them. Each one says find a replacement. Some I've configured, and if I remove and re-add, I'll have to restore the configurations, which I have no way of knowing what those configuration settings are at this point.

I just removed LastPass, and re-added it. That one does not require any configuration, and it's working. I also removed and re-added FoxClocks. This time, it found the locations I'd been monitoring before this bug, and it's now working. And, more importantly, traffic on all tabs appears to flow normally now.

That's great, glad things are starting to work for you again! Sounds like you must have hit both the Master Password issue and the secondary "unsupported" issue at the same time.

Do you think if I remove and re-add my other legacy addons, their configurations will remain what I had?

Based on all of our analysis that led to the workaround at https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox#w_add-ons-appearing-as-unsupported-or-disappeared-from-your-aboutaddons-page, yes your addon data should remain. That said, you could make a temporary backup of the profile just in case (it sounds like you already have a working backup in Comment 43 that probably contains all your data so you could skip this if you are comfortable with it).

(In reply to Brian Grinstead [:bgrins] from comment #44)

(In reply to Tim Johnson from comment #42)

Yes, this pref is set: extensions.signer.hotfixed;true

I have one addon, ColorfulTabs, which is working. All the rest are under the legacy category, and I'm not able to enable them. Each one says find a replacement. Some I've configured, and if I remove and re-add, I'll have to restore the configurations, which I have no way of knowing what those configuration settings are at this point.

I just removed LastPass, and re-added it. That one does not require any configuration, and it's working. I also removed and re-added FoxClocks. This time, it found the locations I'd been monitoring before this bug, and it's now working. And, more importantly, traffic on all tabs appears to flow normally now.

That's great, glad things are starting to work for you again! Sounds like you must have hit both the Master Password issue and the secondary "unsupported" issue at the same time.

Do you think if I remove and re-add my other legacy addons, their configurations will remain what I had?

Based on all of our analysis that led to the workaround at https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox#w_add-ons-appearing-as-unsupported-or-disappeared-from-your-aboutaddons-page, yes your addon data should remain. That said, you could make a temporary backup of the profile just in case (it sounds like you already have a working backup in Comment 43 that probably contains all your data so you could skip this if you are comfortable with it).

Thanks, Brian, for all your help. I believe I've got all addons working again on both of my computers. I hope all related issues are soon fixed for everyone. I've been with Firefox since the days when Netscape couldn't provide a fix for a banking account issue I had. When I learned Firefox used the same base code, I switched, submitting my problem to Bugzilla, and started installing the nightly builds to test the fix when it arrived shortly afterward. It's been my goto browser ever since. Tab handling is so much better than Chrome.

Whiteboard: cert2019
You need to log in before you can comment on or make changes to this bug.