Closed Bug 1696840 Opened 3 years ago Closed 3 years ago

Certificate error visiting https://lando.services.mozilla.com/D107388/ on firefox android

Categories

(Conduit :: Lando, defect, P2)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: tnikkel, Assigned: zeid)

References

Details

(Keywords: conduit-triaged)

Attempting to visit https://lando.services.mozilla.com/D107388/ with Firefox on Android, I get the cert error page ("Secure connection failed. Someone could be trying to impersonate the site and you should not continue... its certificate issuer is unknown, the cert is self-signed or the server is not sending the correct intermediate certs.")

The same thing happens in release and nightly. Visiting the website on the same wifi network on a laptop works. Turning off wifi and using LTE doesn't change anything.

This works for me, but a caching issue could be the reason you're being affected. Do you have any more detail about this error? Can you include the certificate info viewable when you click on the lock icon / details? Try clearing site data / cache for Lando and try again. If you've visited Lando on both browsers in the past, then the same issue could be affecting both.

Flags: needinfo?(tnikkel)

If I tap the lock icon all I get is "Secure Connection Failed, (lando url), (red wireframe globe icon) Insecure Connection". Firefox for Android doesn't seem to have a way to delete saved data for just one website; it's either all or nothing. So I cleared the cache and that did not work. I've definitely visited Lando before in Firefox release on Android, but I'm not sure about Nightly. I did not have Beta installed, so I installed that and tried, and I had the same error. I don't know how to get more info out of this. If you provide a patch or a try build or something that printf_stderrs to the logcat, I can run it and get the output.

Flags: needinfo?(tnikkel)

I tried on two other phones, same error. Three different manufacturers, three different versions of android. Never visited lando on those two other phones.

Assignee: nobody → zeid
Keywords: conduit-triaged
Priority: -- → P2

On a fourth device I had an old version of the orphaned Firefox Nightly preview from July 2020, and it did not have the bug. Using up-to-date Firefox on that same device shows the bug. So maybe this is a bug in Firefox for Android.

On geckoviewexample I get a pretty plain error page with error_category_security::error_security_ssl.

Thanks Timothy -- I am able to reproduce after updating to the latest Firefox for Android on my Android device. This issue did not affect an older version. Hooking this up to the remote debugger, I can see that the issue is due to this error: MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE, which in theory should not affect new, first-time requests. I am able to consistently reproduce this issue now even after deleting site data (and app data, for that matter). Will look into this further.

In the meantime, you can temporarily disable key pinning checks on nightly by setting security.cert_pinning.enforcement_level to 0. Obviously this will circumvent some security, but it is a temporary workaround until we get to the bottom of this.

Reproduced on: Firefox Nightly (Nightly 210308 17:04) and Firefox (86.1.1) (Pixel 3a)

Flags: needinfo?(kjacobs.bugzilla)
No longer regressed by: 1677548
Summary: cert error visiting https://lando.services.mozilla.com/D107388/ on firefox android → Certificate error visiting https://lando.services.mozilla.com/D107388/ on firefox android

In bug 1699162 dholbert pointed out:

Sometimes SSL Labs can help show what the issue is; their analysis is here:
https://www.ssllabs.com/ssltest/analyze.html?d=lando.services.mozilla.com
...which does say "Strict Transport Security (HSTS) Invalid Server provided more than one HSTS header" -- I'm not sure if that's the issue that Firefox-for-Android is complaining about or not.

Indeed this is true:

$ wget -O/dev/null -qS https://lando.services.mozilla.com
  HTTP/1.1 200 OK
  Server: nginx/1.15.4
  Date: Wed, 17 Mar 2021 16:45:32 GMT
  Content-Type: text/html; charset=utf-8
  Content-Length: 3560
  Vary: Accept-Encoding
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Content-Security-Policy: default-src 'self'; font-src 'self' https://code.cdn.mozilla.net; style-src 'self' https://code.cdn.mozilla.net; img-src 'self' *.cloudfront.net *.gravatar.com *.googleusercontent.com; object-src 'none'; frame-ancestors 'none'; manifest-src 'none'; worker-src 'none'; media-src 'none'; frame-src 'none'; base-uri 'none'; report-uri /__cspreport__
  X-Content-Security-Policy: default-src 'self'; font-src 'self' https://code.cdn.mozilla.net; style-src 'self' https://code.cdn.mozilla.net; img-src 'self' *.cloudfront.net *.gravatar.com *.googleusercontent.com; object-src 'none'; frame-ancestors 'none'; manifest-src 'none'; worker-src 'none'; media-src 'none'; frame-src 'none'; base-uri 'none'; report-uri /__cspreport__
  Strict-Transport-Security: max-age=31556926; includeSubDomains
  Referrer-Policy: strict-origin-when-cross-origin
  Vary: Cookie
  Set-Cookie: lando.services.mozilla.com=eyJsYXN0X2xvY2FsX3JlZmVycmVyIjoiaHR0cHM6Ly9sYW5kby5zZXJ2aWNlcy5tb3ppbGxhLmNvbS8ifQ.YFIyLA.ggqUPRJOFZZNvc03UklTymUcTt8; Domain=lando.services.mozilla.com; Secure; HttpOnly; Path=/
  Strict-Transport-Security: max-age=31536000
  Via: 1.1 google
  Alt-Svc: clear

Duplicates:

  Strict-Transport-Security: max-age=31556926; includeSubDomains
  Strict-Transport-Security: max-age=31536000
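
The SSL Labs finding above is easy to check by hand from a raw header dump. The script below is an added example (not Lando's, Firefox's or SSL Labs' code) that parses a header block, counts Strict-Transport-Security headers, reports whether the copies disagree, and shows which one a conforming client actually honours: RFC 6797 section 8.1 says a user agent that receives more than one STS header field must process only the first. The sample header block is constructed from the headers quoted in the comment above, trimmed to the relevant lines; the "two layers" wording in the finding is an assumption about where duplicate headers usually come from, not something the bug establishes. Note that a duplicate HSTS header is a policy hygiene problem; it does not by itself produce a certificate error.

```python
"""Detect duplicate or conflicting Strict-Transport-Security headers in a raw
HTTP response header block. Added example, not code from the bug or from Lando."""
from typing import Dict, List, Tuple

# Constructed sample, modelled on the wget output quoted in the bug (trimmed).
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Server: nginx/1.15.4
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31556926; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Vary: Cookie
Strict-Transport-Security: max-age=31536000
Via: 1.1 google
"""


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block into (name, value) pairs, preserving order and
    duplicates. The status line is skipped; names are lower-cased because
    header names are case-insensitive."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_sts(value: str) -> Dict[str, str]:
    """Parse STS directives, e.g. 'max-age=31556926; includeSubDomains'
    -> {'max-age': '31556926', 'includesubdomains': ''}."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(raw: str) -> dict:
    """Return a report on the STS headers in a raw response header block."""
    sts_values = [v for n, v in parse_headers(raw) if n == "strict-transport-security"]
    report = {
        "count": len(sts_values),
        "duplicate": len(sts_values) > 1,
        "conflicting": False,
        "effective": None,
        "findings": [],
    }
    if not sts_values:
        report["findings"].append("no Strict-Transport-Security header sent")
        return report
    parsed = [parse_sts(v) for v in sts_values]
    # RFC 6797 section 8.1: with more than one STS header field, a UA MUST
    # process only the first; later copies are ignored.
    report["effective"] = parsed[0]
    if report["duplicate"]:
        report["findings"].append(
            f"{len(sts_values)} STS headers sent; a conforming client honours only the first"
        )
        if any(p != parsed[0] for p in parsed[1:]):
            report["conflicting"] = True
            report["findings"].append(
                "duplicate STS headers disagree (assumption: set at two layers, "
                "e.g. the application and a proxy in front of it)"
            )
    return report


if __name__ == "__main__":
    for line in check_hsts(SAMPLE_HEADERS)["findings"]:
        print(line)
```

Run against the constructed sample, the report flags two STS headers that disagree on max-age, with the first (31556926 seconds, includeSubDomains) being the one that takes effect. Feeding it the output of `wget -qS` or `curl -sI` for a real host gives the same check without relying on an external scanner.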

I'm not sure if it's the same bug, but I'm having a certificate error in Firefox Nightly for Android at https://www.autenticacao.gov.pt and https://servicos.min-saude.pt/utente/
When I access them via the stable build I don't get the error.

That seems to be a different problem, please file a new bug.

See Also: → 1701530

:tnikkel - Let's Encrypt has migrated to a longer certificate chain that is more compatible with Android, and we've renewed the Lando SSL certificate to use this longer certificate chain. Can you test again? It should load now.

Flags: needinfo?(tnikkel)

It works for me now! Thanks!

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(tnikkel)
Resolution: --- → FIXED