1549061 - Create patches for add-on signing intermediate certificate dot release

Status: RESOLVED FIXED

(Toolkit :: General, defect, P1)

Comment 1

[Mark Goodwin [:mgoodwin]]

Attachment: Bug 1549061 - Add intermediate certificate

Comment 2

[Mark Goodwin [:mgoodwin]]

Not actually r?keeler - but tooling wants a reviewer in the commit message...

Comment 4

[cacilie]

Since the original issue can't be commented on, is this a reasonable way to apply the hotfix?: https://github.com/NixOS/nixpkgs/issues/60916

Comment 5

[Mark Goodwin [:mgoodwin]]

Attachment: Bug 1549061 - add await to verify call

Depends on D29940

Comment 6

[Brian Grinstead [:bgrins]]

https://hg.mozilla.org/releases/mozilla-release/rev/94eb3f14832dfc714f8bc4044eee043ce61c0299

Comment 7

[Rob Wu [:robwu]]

Attachment: Bug 1549061 - Add intermediate certificate [ESR60]

For ESR60

Comment 8

[Rob Wu [:robwu]]

The patch in comment 7 is for ESR60. It is nearly identical to the previous patch, and I verified it on Linux - see https://phabricator.services.mozilla.com/D29947#879074

Comment 9

[Liz Henry (:lizzard) (relman/hg->git project)]

Release note added as:

Repaired certificate chain to re-enable web extensions that had been disabled

If we end up with a new blog post at the time of the release we can change the link to point to it.

Comment 10

[Rob Wu [:robwu]]

Attachment: Bug 1549061 - Add intermediate certificate [release]

Comment 12

[Rob Wu [:robwu]]

Notes:

• D29947 - The "[ESR60]" patch is for ESR60
• D29949 - The "[release]" patch is for Release and Beta
• D29940 - The patch without brackets in the title is for m-c.

Comment 13

[Liz Henry (:lizzard) (relman/hg->git project)]

The patch from ESR landed earlier today: https://hg.mozilla.org/releases/mozilla-esr60/rev/bfd165fd51ec90777db01c21e3b727328a5ea1a3

Comment 14

[Liz Henry (:lizzard) (relman/hg->git project)]

The patch for beta landed just now: https://hg.mozilla.org/releases/mozilla-beta/rev/be8cd9575508ce1a95b971ccbfe3a7ceec59bc0b

We're holding off on landing on mozilla-central, for now.

Comment 15

[Ryan VanderMeulen [:RyanVM][PTO June 24-28]]

(In reply to Liz Henry (:lizzard) (use needinfo) from comment #13)

The patch from ESR landed earlier today: https://hg.mozilla.org/releases/mozilla-esr60/rev/bfd165fd51ec90777db01c21e3b727328a5ea1a3

This was to the 60.6.2 relbranch. I've also pushed it to default for 60.7 as well:
https://hg.mozilla.org/releases/mozilla-esr60/rev/537700ea54aaceda64e1e5395085e536e1c9d3e3

This was also pushed to release for 66.0.4 earlier:
https://hg.mozilla.org/releases/mozilla-release/rev/848b15028562c6757748070f637e0e4f0bbb5f65

Comment 16

[Pulsebot]

Pushed by aswan@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/023dd959512e
Add intermediate certificate r=kmag a=lizzard CLOSED TREE

Comment 17

[sjw]

I can verify that installing today's Firefox Nightly for Android (2019-05-05) from [1] reenabled all extensions.
On desktop Firefox Nightly (2019-05-05 Linux, Build ID 20190505092607), all AddOns remain enabled after manually deleting the hotfix-update-xpi-signing-intermediate-bug-1548973 study and resetting app.update.lastUpdateTime.xpi-signature-verification.

[1] https://www.mozilla.org/en-US/firefox/android/nightly/all/

Edit: now also verified with https://archive.mozilla.org/pub/mobile/candidates/66.0.4-candidates/build3/android-api-16/multi/

Comment 18

[sjw]

I just verified this using [1] and [2]:

• Creating a new testprofile/prefs.js that only contains the line user_pref("app.shield.optoutstudies.enabled", false);
• Start with $ ./firefox --profile testprofile --new-instance
• Verify that about:studies is empty
• Install any extension from a.m.o
• WFM

[1] https://archive.mozilla.org/pub/firefox/releases/66.0.4/
[2] https://archive.mozilla.org/pub/firefox/releases/60.6.2esr/

Comment 19

[Tim Johnson]

I'm confused. Is this fix supposed to also work on 66.0.4 for Windows 10 desktop? If so, it's not working on either of my two desktops. I've just downloaded and installed 66.0.4 from Firefox Help->About Firefox. Restarted Firefox to complete the install. No joy. Addons that were previously (since yesterday morning for me) flagged as "not verified for use in Firefox" and are still disabled. I even tried removing one (FoxClocks), and reinstalling it. The download failed with a note to check my connection. Nothing wrong with my connection. Streaming audio on another tab continues to stream.

https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/comment-page-6/#comments indicates this release should have solved this issue. What am I missing?

Thanks,
Tim

Comment 20

[Brian Grinstead [:bgrins]]

(In reply to Tim Johnson from comment #19)

I'm confused. Is this fix supposed to also work on 66.0.4 for Windows 10 desktop? If so, it's not working on either of my two desktops. I've just downloaded and installed 66.0.4 from Firefox Help->About Firefox. Restarted Firefox to complete the install. No joy. Addons that were previously (since yesterday morning for me) flagged as "not verified for use in Firefox" and are still disabled. I even tried removing one (FoxClocks), and reinstalling it. The download failed with a note to check my connection. Nothing wrong with my connection. Streaming audio on another tab continues to stream.

https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/comment-page-6/#comments indicates this release should have solved this issue. What am I missing?

Could you check if the extensions.signer.hotfixed pref is set for you? Wondering if certDB.addCertFromBase64 is failing, in which case the pref wouldn't have gotten set (I see it set to true locally on 66.0.4).

Comment 21

[Brian Grinstead [:bgrins]]

(In reply to Brian Grinstead [:bgrins] from comment #20)

(In reply to Tim Johnson from comment #19)

https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/comment-page-6/#comments indicates this release should have solved this issue. What am I missing?

Could you check if the extensions.signer.hotfixed pref is set for you? Wondering if certDB.addCertFromBase64 is failing, in which case the pref wouldn't have gotten set (I see it set to true locally on 66.0.4).

Tim, could you check one more thing as well? If you open about:preferences#privacy -> View Certificates -> Authorities -> Mozilla Corporation do you see signingca1.addons.mozilla.org with SHA-256 Fingerprint="B0:F7:0C:5C:36:3B:59:9B:B8:40:78:A4:35:F8:7E:F4:B8:FB:30:E5:84:18:2E:11:AD:FC:7B:07:AF:02:AE:82"?

Comment 22

[Tim Johnson]

Brian, I assume extensions.signer.hotfixed is in about:config. The closest entry is extensions.hotfix.lastVersion.
Re your second question, there is no entry for Mozilla Corporation. I have an entry for Microsec Ltd, and MSIT Machine Auth CA 2.

Comment 23

[alex_mayorga]

¡Hola Tim!

What are the Serial Number and Fingerprints for the TLS certificate of https://addons.mozilla.org/ please?

¡Gracias!
Alex

Comment 24

[Brian Grinstead [:bgrins]]

(In reply to Tim Johnson from comment #22)

Brian, I assume extensions.signer.hotfixed is in about:config. The closest entry is extensions.hotfix.lastVersion.
Re your second question, there is no entry for Mozilla Corporation. I have an entry for Microsec Ltd, and MSIT Machine Auth CA 2.

You are correct about extensions.signer.hotfixed being in about:config. The fact that this isn't showing up makes me think you must be hitting an exception at this line: https://hg.mozilla.org/releases/mozilla-release/rev/848b15028562c6757748070f637e0e4f0bbb5f65#l1.25.

Could you check your Browser Console (Ctrl+Shift+J) after restarting the browser and see if you can find the "failed to add new intermediate certificate" error? It will show Log.jsm as the source. If you see that, could you paste that full error message in here? Thanks in advance.

Comment 25

[Tim Johnson]

(In reply to alex_mayorga from comment #23)

¡Hola Tim!

What are the Serial Number and Fingerprints for the TLS certificate of https://addons.mozilla.org/ please?

¡Gracias!
Alex

Hi Alex. If you can tell me how to get that info, I will gladly provide it. I didn't see anything like what you're asking in the Certificate Manager.

Comment 26

[Tim Johnson]

(In reply to Brian Grinstead [:bgrins] from comment #24)

(In reply to Tim Johnson from comment #22)

Brian, I assume extensions.signer.hotfixed is in about:config. The closest entry is extensions.hotfix.lastVersion.
Re your second question, there is no entry for Mozilla Corporation. I have an entry for Microsec Ltd, and MSIT Machine Auth CA 2.

You are correct about extensions.signer.hotfixed being in about:config. The fact that this isn't showing up makes me think you must be hitting an exception at this line: https://hg.mozilla.org/releases/mozilla-release/rev/848b15028562c6757748070f637e0e4f0bbb5f65#l1.25.

Could you check your Browser Console (Ctrl+Shift+J) after restarting the browser and see if you can find the "failed to add new intermediate certificate" error? It will show Log.jsm as the source. If you see that, could you paste that full error message in here? Thanks in advance.

Brain, here's the whole Browser Console output. It's not long.

1557097728294 addons.xpi ERROR failed to add new intermediate certificate:: [Exception... "Component returned failure code: 0x805a1f65 [nsIX509CertDB.addCertFromBase64]" nsresult: "0x805a1f65 (<unknown>)" location: "JS frame :: resource://gre/modules/addons/XPIProvider.jsm :: addMissingIntermediateCertificate :: line 1896" data: no] Stack trace: addMissingIntermediateCertificate()@resource://gre/modules/addons/XPIProvider.jsm:1896
startup()@resource://gre/modules/addons/XPIProvider.jsm:2144
callProvider()@resource://gre/modules/AddonManager.jsm:203
_startProvider()@resource://gre/modules/AddonManager.jsm:652
startup()@resource://gre/modules/AddonManager.jsm:805
startup()@resource://gre/modules/AddonManager.jsm:2775
observe()@jar:file:///C:/Program%20Files/Mozilla%20Firefox/omni.ja!/components/addonManager.js:66 Log.jsm:679
append resource://gre/modules/Log.jsm:679
log resource://gre/modules/Log.jsm:360
error resource://gre/modules/Log.jsm:368
addMissingIntermediateCertificate resource://gre/modules/addons/XPIProvider.jsm:1899
startup resource://gre/modules/addons/XPIProvider.jsm:2144
callProvider resource://gre/modules/AddonManager.jsm:203
_startProvider resource://gre/modules/AddonManager.jsm:652
startup resource://gre/modules/AddonManager.jsm:805
startup resource://gre/modules/AddonManager.jsm:2775
observe jar:file:///C:/Program Files/Mozilla Firefox/omni.ja!/components/addonManager.js:66
WebExtensions: failed to add new intermediate certificate:
Exception { name: "", message: "Component returned failure code: 0x805a1f65 [nsIX509CertDB.addCertFromBase64]", result: 2153389925, filename: "jar:file:///C:/Users/tajkkj/AppData/Roaming/Mozilla/Firefox/Profiles/kufxng75.default/extensions/hotfix-update-xpi-intermediate@mozilla.com.xpi!/experiments/skeleton/api.js", lineNumber: 14, columnNumber: 0, data: null, stack: "doTheThing@jar:file:///C:/Users/tajkkj/AppData/Roaming/Mozilla/Firefox/Profiles/kufxng75.default/extensions/hotfix-update-xpi-intermediate@mozilla.com.xpi!/experiments/skeleton/api.js:14:15\ncall/result</<@resource://gre/modules/ExtensionParent.jsm:950:49\nwithPendingBrowser@resource://gre/modules/ExtensionParent.jsm:604:26\ncall/result<@resource://gre/modules/ExtensionParent.jsm:949:16\nwithTiming@resource://gre/modules/ExtensionParent.jsm:916:14\ncall@resource://gre/modules/ExtensionParent.jsm:948:20\n", location: XPCWrappedNative_NoHelper }
api.js:17
WebExtensions: signatures re-verified api.js:23
1557097730606 addons.xpi-utils WARN disabling legacy extension {9BAE5926-8513-417d-8E47-774955A7C60D}
1557097730613 addons.xpi-utils WARN disabling legacy extension {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}
1557097730616 addons.xpi-utils WARN disabling legacy extension {19EB90DC-A456-458b-8AAC-616D91AAFCE1}
1557097730624 addons.xpi-utils WARN disabling legacy extension compatibility@addons.mozilla.org
1557097730653 addons.xpi-utils WARN disabling legacy extension {dc572301-7619-498c-a57d-39143191b318}
1557097730668 addons.xpi-utils WARN disabling legacy extension CSTBB@NArisT2_Noia4dev
1557097730727 addons.xpi-utils WARN disabling legacy extension ClassicThemeRestorer@ArisT2Noia4dev
1557097730736 addons.xpi-utils WARN Add-on {b14f4076-e80d-4baa-8c7d-8c65dfd2519c} is not correctly signed.
1557097730741 addons.xpi-utils WARN Add-on pdfsam_enhanced5_conv@pdfsam.com is not correctly signed.
1557097730744 addons.xpi-utils WARN Add-on Tab-Session-Manager@sienori is not correctly signed.
1557097730747 addons.xpi-utils WARN Add-on https-everywhere-eff@eff.org is not correctly signed.
1557097730751 addons.xpi-utils WARN Add-on donottrackplus@abine.com is not correctly signed.
1557097730758 addons.xpi-utils WARN Add-on support@lastpass.com is not correctly signed.
Key event not available on some keyboard layouts: key=“i” modifiers=“accel,alt,shift” id=“key_browserToolbox” browser.xul

Comment 27

[Rob Wu [:robwu]]

(In reply to Tim Johnson from comment #25)

(In reply to alex_mayorga from comment #23)

What are the Serial Number and Fingerprints for the TLS certificate of https://addons.mozilla.org/ please?

Hi Alex. If you can tell me how to get that info, I will gladly provide it. I didn't see anything like what you're asking in the Certificate Manager.

1. Click on the green slot at the left of the location bar (of https://addons.mozilla.org ).
2. Click on the > at the right of the "Connection" bar.
3. Click on "More information" at the bottom of the panel.
4. Click on the "View certificate" button
5. The serial number and fingerprints are now visible.

You can try to copy the information, or take a screenshot and share it.

Thanks!

Comment 28

[Brian Grinstead [:bgrins]]

(In reply to Tim Johnson from comment #26)

(In reply to Brian Grinstead [:bgrins] from comment #24)

(In reply to Tim Johnson from comment #22)

Brian, I assume extensions.signer.hotfixed is in about:config. The closest entry is extensions.hotfix.lastVersion.
Re your second question, there is no entry for Mozilla Corporation. I have an entry for Microsec Ltd, and MSIT Machine Auth CA 2.

You are correct about extensions.signer.hotfixed being in about:config. The fact that this isn't showing up makes me think you must be hitting an exception at this line: https://hg.mozilla.org/releases/mozilla-release/rev/848b15028562c6757748070f637e0e4f0bbb5f65#l1.25.

Could you check your Browser Console (Ctrl+Shift+J) after restarting the browser and see if you can find the "failed to add new intermediate certificate" error? It will show Log.jsm as the source. If you see that, could you paste that full error message in here? Thanks in advance.

Brain, here's the whole Browser Console output. It's not long.

1557097728294 addons.xpi ERROR failed to add new intermediate certificate:: [Exception... "Component returned failure code: 0x805a1f65 [nsIX509CertDB.addCertFromBase64]" nsresult: "0x805a1f65 (<unknown>)" location: "JS frame :: resource://gre/modules/addons/XPIProvider.jsm :: addMissingIntermediateCertificate :: line 1896" data: no] Stack trace: addMissingIntermediateCertificate()@resource://gre/modules/addons/XPIProvider.jsm:1896
...

Thanks so much Tim. I'm going to forward this to some people who should be able to help track down that error result. Two more things that would be helpful to narrow down further, if you could:

1. Do you have antivirus software installed?
2. Could you check with a brand new profile on 66.0.4 and see if you can install addons from there?

Comment 29

[Kris Maglione [:kmag]]

The error code for that message is SEC_ERROR_TOKEN_NOT_LOGGED_IN, which Dana suggests probably means that a master password is enabled and not logged in. Do you have a master password set?

Comment 30

[Brian Grinstead [:bgrins]]

Moved needinfos to https://bugzilla.mozilla.org/show_bug.cgi?id=1549249#c1

Comment 31

[Brian Grinstead [:bgrins]]

Hi Tim, just to keep things clear: the pending questions for you are in Comment 27, Comment 28, and Comment 29.

Comment 32

[Tim Johnson]

(In reply to alex_mayorga from comment #23)

¡Hola Tim!

What are the Serial Number and Fingerprints for the TLS certificate of https://addons.mozilla.org/ please?

¡Gracias!
Alex

Alex, thanks for the tip. I should have known that. The serial number is 02:B3:82:58:A3:02:4B:3D:91:0E:DB:57:E7:D2:20:BD
and the fingerprints are

SHA-256 3B:E1:FA:98:FA:68:FD:C3:8D:3F:75:57:09:47:AE:63:1E:58:C1:B9:9A:0B:5E:AC:80:00:89:FE:78:D7:D6:61
SHA-1 52:10:EA:69:8E:B7:4E:F1:D6:4C:EE:4C:CA:CE:F0:52:31:E3:0B:2E

Comment 33

[Tim Johnson]

(In reply to Kris Maglione [:kmag] from comment #29)

The error code for that message is SEC_ERROR_TOKEN_NOT_LOGGED_IN, which Dana suggests probably means that a master password is enabled and not logged in. Do you have a master password set?

Yes, I do have a master password set, but I have "Ask to save logins and passwords for websites" unchecked. I haven't used that feature in a long time since I now use a password manager for that purpose.

Comment 34

[Rob Wu [:robwu]]

The AMO certificate has the expected values. Based on your report, we found a potential cause in bug 1549249.

A work-around is known, and documented at https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox#w_master-password

Could you give that a try and report whether it fixes your issue?

Comment 35

[Tim Johnson]

(In reply to Brian Grinstead [:bgrins] from comment #28)

(In reply to Tim Johnson from comment #26)

(In reply to Brian Grinstead [:bgrins] from comment #24)

(In reply to Tim Johnson from comment #22)

Brian, I assume extensions.signer.hotfixed is in about:config. The closest entry is extensions.hotfix.lastVersion.
Re your second question, there is no entry for Mozilla Corporation. I have an entry for Microsec Ltd, and MSIT Machine Auth CA 2.

You are correct about extensions.signer.hotfixed being in about:config. The fact that this isn't showing up makes me think you must be hitting an exception at this line: https://hg.mozilla.org/releases/mozilla-release/rev/848b15028562c6757748070f637e0e4f0bbb5f65#l1.25.

Could you check your Browser Console (Ctrl+Shift+J) after restarting the browser and see if you can find the "failed to add new intermediate certificate" error? It will show Log.jsm as the source. If you see that, could you paste that full error message in here? Thanks in advance.

Brain, here's the whole Browser Console output. It's not long.

1557097728294 addons.xpi ERROR failed to add new intermediate certificate:: [Exception... "Component returned failure code: 0x805a1f65 [nsIX509CertDB.addCertFromBase64]" nsresult: "0x805a1f65 (<unknown>)" location: "JS frame :: resource://gre/modules/addons/XPIProvider.jsm :: addMissingIntermediateCertificate :: line 1896" data: no] Stack trace: addMissingIntermediateCertificate()@resource://gre/modules/addons/XPIProvider.jsm:1896
...

Thanks so much Tim. I'm going to forward this to some people who should be able to help track down that error result. Two more things that would be helpful to narrow down further, if you could:

1. Do you have antivirus software installed?
2. Could you check with a brand new profile on 66.0.4 and see if you can install addons from there?

Brian, I have Nod32 from ESET as my antivirus program. I tried a new profile, and I successfully installed the FoxClocks addon.

From Kris's question about master password set, I wonder if I log in if everything will start working age. Stand-by.

Comment 36

[Tim Johnson]

(In reply to Tim Johnson from comment #35)

(In reply to Brian Grinstead [:bgrins] from comment #28)

(In reply to Tim Johnson from comment #26)

(In reply to Brian Grinstead [:bgrins] from comment #24)

(In reply to Tim Johnson from comment #22)

Brian, I assume extensions.signer.hotfixed is in about:config. The closest entry is extensions.hotfix.lastVersion.
Re your second question, there is no entry for Mozilla Corporation. I have an entry for Microsec Ltd, and MSIT Machine Auth CA 2.

You are correct about extensions.signer.hotfixed being in about:config. The fact that this isn't showing up makes me think you must be hitting an exception at this line: https://hg.mozilla.org/releases/mozilla-release/rev/848b15028562c6757748070f637e0e4f0bbb5f65#l1.25.

Could you check your Browser Console (Ctrl+Shift+J) after restarting the browser and see if you can find the "failed to add new intermediate certificate" error? It will show Log.jsm as the source. If you see that, could you paste that full error message in here? Thanks in advance.

Brain, here's the whole Browser Console output. It's not long.

1557097728294 addons.xpi ERROR failed to add new intermediate certificate:: [Exception... "Component returned failure code: 0x805a1f65 [nsIX509CertDB.addCertFromBase64]" nsresult: "0x805a1f65 (<unknown>)" location: "JS frame :: resource://gre/modules/addons/XPIProvider.jsm :: addMissingIntermediateCertificate :: line 1896" data: no] Stack trace: addMissingIntermediateCertificate()@resource://gre/modules/addons/XPIProvider.jsm:1896
...

Thanks so much Tim. I'm going to forward this to some people who should be able to help track down that error result. Two more things that would be helpful to narrow down further, if you could:

1. Do you have antivirus software installed?
2. Could you check with a brand new profile on 66.0.4 and see if you can install addons from there?

Brian, I have Nod32 from ESET as my antivirus program. I tried a new profile, and I successfully installed the FoxClocks addon.

From Kris's question about master password set, I wonder if I log in if everything will start working age. Stand-by.

I switched back to my original profile, logged in, and I'm still not seeing any change in behavior. I.e., addons still disabled.

Comment 37

[Tim Johnson]

I grabbed the Browser Console log again right after opening Firefox with original profile, and not logging in. This is what it now shows (Addons still disabled):

Loading failed for the <script> with source “moz-extension://31f4650b-4bf6-454c-ad62-b0f225a11d0d/background.js”. _generated_background_page.html:5:1
Loading failed for the <script> with source “moz-extension://2302012f-cd5e-40d2-8790-294757a40514/background.js”. _generated_background_page.html:5:1
Loading failed for the <script> with source “moz-extension://e556d76f-bfed-4b70-bf29-e705f11e5bd8/injections.js”. _generated_background_page.html:5:1
Loading failed for the <script> with source “moz-extension://e556d76f-bfed-4b70-bf29-e705f11e5bd8/ua_overrides.js”. _generated_background_page.html:6:1
Loading failed for the <script> with source “moz-extension://96bd9e5d-282e-486d-ab0d-201515ad5259/build/buildSettings.js”. _generated_background_page.html:5:1
Loading failed for the <script> with source “moz-extension://96bd9e5d-282e-486d-ab0d-201515ad5259/background/startBackground.js”. _generated_background_page.html:6:1
Key event not available on some keyboard layouts: key=“i” modifiers=“accel,alt,shift” id=“key_browserToolbox” browser.xul

Comment 38

[Tim Johnson]

I did try to add the FoxClocks addon to my original profile. FoxClocks did install, but the locations to monitor did not populate, so there are no locations to select for display.

UPDATE: Installing and enabling FoxClocks seems to have blocked all traffic on all tabs. Removing FoxClocks restores traffic flow.

Also, I have removed the master password, and I'm still not getting the addons restored.

Comment 39

[Brian Grinstead [:bgrins]]

(In reply to Tim Johnson from comment #38)

I did try to add the FoxClocks addon to my original profile. FoxClocks did install, but the locations to monitor did not populate, so there are no locations to select for display.

The fact that it installed at all makes me think the workaround you tried in Comment 36 may have worked, at least to get past this certificate problem (but sounds like there's a new one around FoxClocks not working at runtime). I'd like to confirm if that's true - can you tell me if your other addons in about:addons are also showing up as enabled in your original profile (in addition to FoxClocks)?

Also, just confirming that for Comment 36 you followed these steps: https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox#w_master-password, including restarting Firefox in step 4.

Comment 40

[Tim Johnson]

(In reply to Brian Grinstead [:bgrins] from comment #39)

(In reply to Tim Johnson from comment #38)

I did try to add the FoxClocks addon to my original profile. FoxClocks did install, but the locations to monitor did not populate, so there are no locations to select for display.

The fact that it installed at all makes me think the workaround you tried in Comment 36 may have worked, at least to get past this certificate problem (but sounds like there's a new one around FoxClocks not working at runtime). I'd like to confirm if that's true - can you tell me if your other addons in about:addons are also showing up as enabled in your original profile (in addition to FoxClocks)?

Also, just confirming that for Comment 36 you followed these steps: https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox#w_master-password, including restarting Firefox in step 4.

Brian, The other addons are still marked as disabled, and show as legacy addons.

And, yes I've removed the master password, and restarted Firefox; actually restarted several times now.

And I'm on Windows 10 v1809 OS Build 177763.437

Comment 41

[Brian Grinstead [:bgrins]]

Tim, sorry to hear that it's still not working for you. After all that's changed since Comment 20, I'd like to check if the extensions.signer.hotfixed pref is visible for you in about:config. That'd be the easiest way to confirm if the certificate got installed. If it's not there, could you if confirm you are seeing the same error message in the Browser Console you did earlier? This one, specifically:

1557097728294 addons.xpi ERROR failed to add new intermediate certificate:: [Exception... "Component returned failure code: 0x805a1f65 [nsIX509CertDB.addCertFromBase64]" nsresult: "0x805a1f65 (<unknown>)" location: "JS frame :: resource://gre/modules/addons/XPIProvider.jsm :: addMissingIntermediateCertificate :: line 1896" data: no] Stack trace: addMissingIntermediateCertificate()@resource://gre/modules/addons/XPIProvider.jsm:1896

If the pref is set, then it's possible you'll need to follow this workaround to re-enable the addons: https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox#w_add-ons-appearing-as-unsupported-or-disappeared-from-your-aboutaddons-page.

Comment 42

[Tim Johnson]

(In reply to Brian Grinstead [:bgrins] from comment #41)

Tim, sorry to hear that it's still not working for you. After all that's changed since Comment 20, I'd like to check if the extensions.signer.hotfixed pref is visible for you in about:config. That'd be the easiest way to confirm if the certificate got installed. If it's not there, could you if confirm you are seeing the same error message in the Browser Console you did earlier? This one, specifically:

1557097728294 addons.xpi ERROR failed to add new intermediate certificate:: [Exception... "Component returned failure code: 0x805a1f65 [nsIX509CertDB.addCertFromBase64]" nsresult: "0x805a1f65 (<unknown>)" location: "JS frame :: resource://gre/modules/addons/XPIProvider.jsm :: addMissingIntermediateCertificate :: line 1896" data: no] Stack trace: addMissingIntermediateCertificate()@resource://gre/modules/addons/XPIProvider.jsm:1896

If the pref is set, then it's possible you'll need to follow this workaround to re-enable the addons: https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox#w_add-ons-appearing-as-unsupported-or-disappeared-from-your-aboutaddons-page.

Yes, this pref is set: extensions.signer.hotfixed;true

I have one addon, ColorfulTabs, which is working. All the rest are under the legacy category, and I'm not able to enable them. Each one says find a replacement. Some I've configured, and if I remove and re-add, I'll have to restore the configurations, which I have no way of knowing what those configuration settings are at this point.

I just removed LastPass, and re-added it. That one does not require any configuration, and it's working. I also removed and re-added FoxClocks. This time, it found the locations I'd been monitoring before this bug, and it's now working. And, more importantly, traffic on all tabs appears to flow normally now.

Do you think if I remove and re-add my other legacy addons, their configurations will remain what I had?

Comment 43

[Tim Johnson]

Brian, here's an interesting, and somewhat confusing, data point. On my other computer, which also has the same Firefox profile as the one I normally use (the computer which I've been reporting about I've only had since Feb 2, 2019, and it's profile was copied from my older computer), I removed the master password, restarted Firefox, and all add-ons were re-enabled and seem to be working properly. Weird, huh?

Comment 44

[Brian Grinstead [:bgrins]]

(In reply to Tim Johnson from comment #42)

Yes, this pref is set: extensions.signer.hotfixed;true

I have one addon, ColorfulTabs, which is working. All the rest are under the legacy category, and I'm not able to enable them. Each one says find a replacement. Some I've configured, and if I remove and re-add, I'll have to restore the configurations, which I have no way of knowing what those configuration settings are at this point.

I just removed LastPass, and re-added it. That one does not require any configuration, and it's working. I also removed and re-added FoxClocks. This time, it found the locations I'd been monitoring before this bug, and it's now working. And, more importantly, traffic on all tabs appears to flow normally now.

That's great, glad things are starting to work for you again! Sounds like you must have hit both the Master Password issue and the secondary "unsupported" issue at the same time.

Do you think if I remove and re-add my other legacy addons, their configurations will remain what I had?

Based on all of our analysis that led to the workaround at https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox#w_add-ons-appearing-as-unsupported-or-disappeared-from-your-aboutaddons-page, yes your addon data should remain. That said, you could make a temporary backup of the profile just in case (it sounds like you already have a working backup in Comment 43 that probably contains all your data so you could skip this if you are comfortable with it).

Comment 45

[Tim Johnson]

(In reply to Brian Grinstead [:bgrins] from comment #44)

(In reply to Tim Johnson from comment #42)

Yes, this pref is set: extensions.signer.hotfixed;true

I have one addon, ColorfulTabs, which is working. All the rest are under the legacy category, and I'm not able to enable them. Each one says find a replacement. Some I've configured, and if I remove and re-add, I'll have to restore the configurations, which I have no way of knowing what those configuration settings are at this point.

I just removed LastPass, and re-added it. That one does not require any configuration, and it's working. I also removed and re-added FoxClocks. This time, it found the locations I'd been monitoring before this bug, and it's now working. And, more importantly, traffic on all tabs appears to flow normally now.

That's great, glad things are starting to work for you again! Sounds like you must have hit both the Master Password issue and the secondary "unsupported" issue at the same time.

Do you think if I remove and re-add my other legacy addons, their configurations will remain what I had?

Based on all of our analysis that led to the workaround at https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox#w_add-ons-appearing-as-unsupported-or-disappeared-from-your-aboutaddons-page, yes your addon data should remain. That said, you could make a temporary backup of the profile just in case (it sounds like you already have a working backup in Comment 43 that probably contains all your data so you could skip this if you are comfortable with it).

Thanks, Brian, for all your help. I believe I've got all addons working again on both of my computers. I hope all related issues are soon fixed for everyone. I've been with Firefox since the days when Netscape couldn't provide a fix for a banking account issue I had. When I learned Firefox used the same base code, I switched, submitting my problem to Bugzilla, and started installing the nightly builds to test the fix when it arrived shortly afterward. It's been my goto browser ever since. Tab handling is so much better than Chrome.

Comment 47

[Firefox Bug Husbandry Bot]

Please specify a root cause for this bug. See :tmaity for more information.

Comment 48

[Rob Wu [:robwu]]

Root Cause - Communication issues.

This bug is part of bug 1548973. The results of the RCA are available at:

• https://hacks.mozilla.org/2019/07/add-ons-outage-post-mortem-result/
• https://wiki.mozilla.org/Add-ons/Expired-Certificate-Technical-Report#Root_Causes