Closed Bug 442151 Opened 12 years ago Closed 12 years ago

I can't export or install digital certificates

Categories

(Core :: Security: PSM, defect, major)

x86
Linux
defect
Not set
major

Tracking

()

RESOLVED INVALID

People

(Reporter: facero, Assigned: KaiE)

Details

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9) Gecko/2008052912 Firefox/3.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9) Gecko/2008052912 Firefox/3.0

Dear all:

I have just install Firefox 3, and I have 2 software digital certificates of Spanish FNMT (official certificate) one from my wife and another mine. I have found a problem when I try to export (backup) a certificate or when I try to install another one. 

If I try to install another I get:

Fallo en la recuperación del archivo PKCS #12 por motivos desconocidos.

Fail recovering PKCS #12 file due a unknown cause. (translated more or less) 

And If I try to make a backup I get:

Se produjo un fallo por motivos desconocidos al guardar la copia de seguridad del archivo PKCS #12.

Where was a fail due unknown causes making a backup of a PKCS #12 file (traslated more or less).

I was looking for in Internet and I had founded this procedure:

http://www.pki.gov.ar/index.php?option=com_content&task=view&id=552&Itemid=180

I have followed this procedure step by step, but I get the same all the time. 

I never got those errors messages before using Firefox 2.0 branch. 

At this moment, the solution may be the deletion of .mozilla file and begin to install certificates and complements and configuring all from the beginning. I think that this isn't a good solution indeed. I spent a lot of time doing that (5 times in the last 3 days). 

I think, but I don't sure, that this problem occurs when I open another version of Firefox in my system, as Firefox 2.0.0.11, and don't matter if I do that with another user name. My firefox is installed at /usr/local/firefox3. 

Please said me if you need more information about this problem. 

Best regards from Fernando Acero


Reproducible: Always

Steps to Reproduce:
1.Try to make a backup of a digital certificate
2.Try to install another digital certificate
3.
Actual Results:  
Error messages

Expected Results:  
Backup or installation of digital certificates to a .p12 file o from a .p12 file.
I don't know what is causing this problem, but I will move it to the right component for further investigation.
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
This might be a permission problem of the .mozilla/ folders and their content. Can you check permissions and if the files are owned by the respective user?
Hello Eddy:

I have check permission of .mozilla folders and I think that they are correct. My user is fernando and group fernando, cert8.db has -rw------- permissions. I don't know that is the problem, but I can't export or import certificates. 

Unfortunately information from error message isn't enough for me (remember, error message said "unknown causes" in both cases. I have check also launching firefox from a console but there is no messages.

Please, say me if you need additional information from my system. 

Best regards
Hello Johnathan:

I am very sorry about that, because I thought that this was a security problem, or at least, a problem of the security system. Again, sorry my friend. 

Best regards

Can you attach a screen shot which shows the certificates in your "Your Certificates" tab? Is the CA which issued the certificates a trusted authority?
I have two certificates, and I also have a certificate of CA called NMT (Spanish Current Factory) therefore for Spanish people, this is a official Certification Authority. 

I have checked properties for this CA, are all selected.

A) Internet Site Identification Ok
B) Mail User Identification OK
C) Software developers identification OK

Another data:

If I erase my cert8.db file, this is created again when I launch Firefox (of course is an empty file), but again, I can't install a new certificate. I am sure, the problem is related with a file from .mozilla directory. If I delete all this directory, I can install and export certificates again without any problem. 

Another interesting data, at this point, I can install or delete certificates from CA tab without problems. I only have problems with export or import options from own certificates tab. 

Therefore it can be a problem regarding private keys of my certificates, or with a file storing this information. 

Best regards.
If the certificates chain correctly, check if you have any exception relating this CA in the exceptions store. Remove them if you found any. That's all about I can think of for now...
(In reply to comment #7)
> If the certificates chain correctly, check if you have any exception relating
> this CA in the exceptions store. Remove them if you found any. That's all about
> I can think of for now...
> 

Hello Eddy.

Yes my friend, there was a exception for a Web page related with this CA, I have removed it, reseted Firefox, but unfortunately I have got the same error message when I try import or export a certificate with private key.

I had forgot to say before that certificates work fine. My problem is related whit exportation or importation.  

Best regards, thanks in advance, and a lot of thanks for your help.

One last test we can do before pinging the NSS developers is, what happens with certificates from other providers. Can you get a client certificate from https://www.startssl.com/ or any other CA which issues client certificates? CAn you tell us what happens with such a certificate (installation, backup, import)?
Helo Eddy:

As you asked to me, I have create a new certificate from another CA, in this case is from https://www.startssl.com/. Well this certificate has been created without problem, private key and public key are ok and installed from the web in my browser. 

But again when I try to export, i get this error message, as yo can see in the screenshot attached. 

This is very strange because if a private key is created, there is no problem, but when you try to install one from a certificate file, error message occurs. 

Best regards.
OK, that's as much testing I could do I think. Referring this to Kai and Nelson.
Sorry, as a matter of principle, I don't work on bugs about failures that
PSM reports as "for an unknown reason".  NSS reports specific error codes
that say what the reason is.  For some reason, PSM decides to discard that
information and report "for an unknown reason".  That PSM choice has the 
effect that when users experience failures, instead of taking simple 
corrective actions idicated by specific error codes, they file bugs.  The 
NSS and PSM developers get asked to diagnose a problem that was already 
diagnosed by NSS, but that diagnosis was discarded by PSM.

Years ago, when PSM was being first developed, the developer responsible
for doing the error code UI was not up to the job, and the display of 
error codes became the last thing to be completed.  The manager of the
project, desiring to get it done more quickly, decided to just take all
the remaining error codes and report them "for an unknown cause".  
That was 8 years ago, and from that to do this, no person responsible for
the PSM UI has thought it important to fix that utterly useless UI.

My position is this: There is no reason that the NSS team should do extra
work to diagnose problems whose diagnosis has already been given by NSS, 
but was discarded by Firefox.  UI is Firefox's responsibility, not NSS's.  
If it is not important to the Mozilla/Firefox/UI community to report those 
error codes, then it certainly is not worthy of the NSS team's time either.  
Hello Nelson:

Thanks for your information, but I am worried about this, because it will be a handicap for Firefox at this time. A lot of countries of Europe are implementing electronic administration procedures and we can work with electronic certificates (software or smart cards) if we get "unknown error codes" and we can solve our problems. This is a very big problem for citizens and for administrative technical services who support administrative services. When I got a "unknown error code" I was surprised because it isn't a normal with open source programs. If something is good for me is the capability of control, logging facility and diagnose of open source programs.   

I understand your position, as matter or principle, is Ok for me, indeed. But I think that it is a problem for mozilla/firefox community. I am very implied with others open source projects in Spain (some of them are electronic administration related), and I know very well what happen with bads developing time decisions. But I am realize about this, if an user open a bug and he only gets complaints and information about inner problems of the project, is time to think, because something is wrong. 

Please Nelson, don't misunderstand me, this is only a loud speak thinking. I am not trying to change your mind about your position. Remember me, as I said before I understand your position.  

At his point I only need a person of contact or component of mozilla/firefox to report this bug and If I can, change his mind about error codes display. 

Best regards
Hello:

Another test performed, I can change, without problems, the password of my certificates container, but this change don't resolve exportation or importation problems. 

Best regards.
I am sorry, when I said:
> 
> Thanks for your information, but I am worried about this, because it will be a
> handicap for Firefox at this time. A lot of countries of Europe are
> implementing electronic administration procedures and we can work with
> electronic certificates (software or smart cards) if we get "unknown error
> codes" and we can solve our problems. 

I want to say:

>Thanks for your information, but I am worried about this, because it will be a
> handicap for Firefox at this time. A lot of European countries are
> implementing electronic administration procedures and we can't work with....

I want apologize about any inconvenience.

Best regards
The bug is assigned to Kai who will hopefully look into this issue. Just wait for him to respond.
(In reply to comment #16)
> The bug is assigned to Kai who will hopefully look into this issue. Just wait
> for him to respond.
> 

Hello Eddy:

Thank you very much, I will wait for his response, but I want to say that this issue is creating some kind of alarm among Spanish security communities.

http://www.kriptopolis.org/problema-firefox-3-certificados-digitales

http://preguntas.barrapunto.com/preguntas/08/06/28/1933249.shtml

This kind of issues is feasible to be used against Firefox by detractors. 

I would like to help you to resolve this issue as soon as possible. Let me know if yo need another test or information about this problem. 

Best regards.
(In reply to comment #17)
> http://www.kriptopolis.org/problema-firefox-3-certificados-digitales

This seems to be a specific issue for you, since you aren't able to export the StartSSL certificate either, which rather suggests that it has nothing to do with the CA that issued the certificate. Hence there is no conspiracy against Spanish CAs or users of Firefox ;-)

> http://preguntas.barrapunto.com/preguntas/08/06/28/1933249.shtml

This is nothing to do with this bug. This is a deliberate design decision by Mozilla. 
(In reply to comment #18)

Hello:

> This seems to be a specific issue for you, since you aren't able to export the
> StartSSL certificate either, which rather suggests that it has nothing to do
> with the CA that issued the certificate. Hence there is no conspiracy against
> Spanish CAs or users of Firefox ;-)

This is true, I have problems with all my certificates, I can't export or import to o from a file. We are worried about problems of diagnostic or support of electronic administration sites who don't work properly with mozilla / firefox. Nobody said nothing about conspiracy in this case. 

> 
> This is nothing to do with this bug. This is a deliberate design decision by
> Mozilla. 
> 

Yes my friend, this unfortunate decision is the source of all our problems and worries indeed. At this moment, our main goal should be the change of this decision from Mozilla. Without a correct diagnostic of problems certificates related, we can't claim for the use of Firefox in administrative relations using our national system of certification. 

We have been fighting for years claim for use of open source software in our administration and in relations of citizens with our administration, an this problem is like a cold water jar over us. This decision of design is giving to our detractors, some very good arguments about lack of support of the open source software, or about difficulties for provide it.

Eddy Please, tell me the name of the person with whom I have to contact to solve this problem, I don't speak at this moment about export or import my certificates, I am talking about solve the design problem.

Best regards.
His name is Johnathan and he is CC to this bug :-)

However I suggest to search the Bugzilla database a little bit since there are already bugs (most of them already closed) which covers this subject. For example see bug 433324. BTW, the claim made in that post isn't correct as also Johnathan states in bug 433324 because there are CAs which provide free digital certificates, for example the one you visited already at https://www.startssl.com/
> This is nothing to do with this bug. This is a deliberate design decision by
> Mozilla. 
> 

Hello Eddy, someone had warned me that I had misunderstand you, and I have to say that it is true.

Ok, I am talking about the decision of don't withstand error messages related
with certificates stored, not about the decision regarding the alerts when
there are problems with the certificate page, which I agree, and I feel very
good.

Sorry my friend.
(In reply to comment #20)
> His name is Johnathan and he is CC to this bug :-)
> 
> However I suggest to search the Bugzilla database a little bit since there are
> already bugs (most of them already closed) which covers this subject. 

Hello Johnathan, thank you for your informations but, as said Eddy before "This is nothing to do with this bug. This is a deliberate design decision by Mozilla". 

My problem is related with exportation and importation of certificates (I can't do that at this moment), and it is related with a decision of no support all error messages. 

As Melson said before "I don't work on bugs about failures that PSM reports as "for an unknown reason".
	
I think that I should not have linked the page that talks about the problems with the root certificates. This unfortunate decision has led us to matters other than that I initially tried, I'm sorry.

Best regards.



Hello Fernando,

Eddy is a touch confused - I work on a lot of security UI stuff, but I don't own the code here, Kai Engert does - who will respond to this bug as soon as he's able.  But I also don't want to keep bouncing you between people, so let me mention one other thing:

(In reply to comment #6)
> Another data:
> 
> If I erase my cert8.db file, this is created again when I launch Firefox (of
> course is an empty file), but again, I can't install a new certificate. I am
> sure, the problem is related with a file from .mozilla directory. If I delete
> all this directory, I can install and export certificates again without any
> problem. 

This piece of information caught my eye, as did your screenshot in attachment 327237 [details] -- you have add-ons installed that are changing the certificate viewer (I suspect CertViewer Plus or something similar?)  The "View PEM" and "Export" buttons on the general tab of the certificate viewer are not present in a default install.

I don't know of any standing problems with addons breaking the ability to export, but the fact that you can "fix" the problem by deleting your ~/.mozilla directory (this is your firefox profile, and deleting it would also delete any extensions) makes me suspect that this might be the cause.

There is more information about profiles here: http://support.mozilla.com/en-US/kb/Profiles

If I'm right, and the add-on is responsible here, then creating a new profile should allow this to work, as should uninstalling the addons from your old profile.

Can you test this and confirm?
Johnathan, the issue which for which I related to you was in comment 17 and the URL http://preguntas.barrapunto.com/preguntas/08/06/28/1933249.shtml

I know that you aren't the PSM guy ;-)
(In reply to comment #23)

Hello Jhonathan, thanks for your interest. 
 
> I don't know of any standing problems with addons breaking the ability to
> export, but the fact that you can "fix" the problem by deleting your ~/.mozilla
> directory (this is your firefox profile, and deleting it would also delete any
> extensions) makes me suspect that this might be the cause.

You are right, I had installed CertViewer Plus add-on, but I had installed it, after I got the referred error code. I thought that this add-on could help me to resolve my imports and exports problems. As I said before, installing it has no effect to resolve this problem and I think, that it isn't cause of it.

> 
> There is more information about profiles here:
> http://support.mozilla.com/en-US/kb/Profiles

Thanks for your information, I will see it. 

> 
> If I'm right, and the add-on is responsible here, then creating a new profile
> should allow this to work, as should uninstalling the addons from your old
> profile.

For your information, I have uninstalled the add-on CertViewer Plus and I have reloaded Firefox and this had no effect over the problem.

> 
> Can you test this and confirm?

Let me know if you need more information about this.

Best regards. 

(In reply to comment #25)
> (In reply to comment #23)
> 
> Hello Jhonathan, thanks for your interest. 
> 
> > I don't know of any standing problems with addons breaking the ability to
> > export, but the fact that you can "fix" the problem by deleting your ~/.mozilla
> > directory (this is your firefox profile, and deleting it would also delete any
> > extensions) makes me suspect that this might be the cause.

> For your information, I have uninstalled the add-on CertViewer Plus and I have
> reloaded Firefox and this had no effect over the problem.

I would have been *very* surprised if Cert Viewer Plus had *any* effect on the PKCS#12 export functionality. The PKCS#12 export feature (or more specifically, its JS wrapper) lives in certManager.js, which is completely separate from Cert *Viewer*. I don't add any overlays to certManager.xul either, so Cert Viewer Plus has absolutely no effect on Cert *Manager*.

The problem Fernando is experiencing (see also his explanation in bug 440033 comment 9) happens when JS calls nsNSSCertificateDB::ExportPKCS12File - that's C++ land, and definitely not something Cert Viewer Plus has any impact on (the extension has no binary components, really).
I don't know if this is related with the problem, but when I launch Mozilla / Firefox 2.0.11, using the same profile I get this error message:

Error sanitizing sessions: TypeError: Components.classes['@mozilla.org/security/sdr;1'] has no properties.

Although I have three certificates installed in my default profile, in this case, I can't see none of them in my Personal Certificates View. 

I didn't get this message if launch Firefox 3 from a console.

It would be good if error messages related with that, were more "self explained" and not "unknown causes".

Best regards. 
I have installed into my user directory at /home/ Netscape 9.0.0.6 English for Linux. In this case, Netscape stores my default profile at directory .netscape directory, instead to use .mozilla. This versión is available at: http://browser.netscape.com/releases

I have copied my certificate's databases from .mozilla to this new profile from Netescape and, I can export or import all my cetrtificates from Nestape without problems. Therefore, this problem isn't related with databases or with stored certificates.

This can be a emergency solution for those users than want export or import their certificates and they cannot do this using Firefox 3. Now the main advantage, is the use of a different directory to store your default profile, profile that doesn't interfere with your default profile for Firefox 3. 

Now I am thinking about the posibility of bad interactions among diferent versions of Firefox installed in my system. Mainly among versions installed at directory /bin/ (in my case Firefox 2.0.0.11) and independent ones, installed at /usr/local/firefox (in my case Firefox 3). It is possible that Firefox 3 is using files from other versions included in my path.

Best regards.
You say you are starting Firefox 2 and Firefox 3 with the same profile.
You are not able to start them at the same time, right?

Firefox 2 and Firefox 3 should detect that a profile is already open. When you have one running, and try to start the other, you should get an error message (or the profile manager starting up).

(If you are able to run both FF 2 and FF 3 at the same time using the same profile, then that would explain it.)


a) What is your Linux version? (like Fedora, Ubuntu, SuSE, RHEL)

b) How did you get Firefox 3?

c) Are you using a smartcard on your system? (hardware card or special usb stick that can store a certificate, in a reader device)

d) in a terminal (command line), try this sequence of commands:
# touch /tmp/test.p12
# ls -l --full-time /tmp/test.p12
You should a listing showing your test.p12 with a current timestamp and a size of zero.
This confirms that you can write there.
Now remove the file:
# rm /tmp/test.p12

e) Go to certificate manager and your certificates. Select the certificate you want to export. Click view. Does this work? Does this show all details of your cert? Then Firefox is able to read.

f) close the window that you opened in step e). You are now back at cert manager. The same certificate is still selected. Now click Backup. When prompted for the filename, enter /tmp/test.p12
Do you get an error message?

g) Go back to the terminal.
# ls -l --full-time /tmp/test.p12
What do you see now, same or different output than from step d) ?

h) Repeat the tests from steps d), f), g), but now use a different filename.
Use a filename in your home directory, for example: /home/myname/test.p12

i) is your home directory on a remote filesystem, like "nfs" or "smb/samba"?
j) Have you explicitly enabled FIPS mode? (If you don't know what this is, skip this quesiton)
You say you have multiple versions of Firefox installed, and it sounds like you are using "special" locations. Using /bin for one and /usr/local/firefox sounds like you have installed manually.

I wonder if you are indeed mixing up files from different versions at runtime. Such a mix would explain problems.

Your comment 27 does not sound like a clean environment.
Maybe you should try to remove all mozilla software from your default search path.

in other words, change your system so that commands:
# firefox
# thunderbird
# seamonkey
# certutil 

all give error messages about "not found"

Then cd into a directory that has ONLY one mozilla version and start it with ./firefox (for example)

(In reply to comment #29)

Hello Kai:

> You say you are starting Firefox 2 and Firefox 3 with the same profile.
> You are not able to start them at the same time, right?

As you said, I cannot start two versions of Firefox at the same time with the same profile. But I can use one version, close it and start the other one. 

> 
> Firefox 2 and Firefox 3 should detect that a profile is already open. When you
> have one running, and try to start the other, you should get an error message
> (or the profile manager starting up).

It is true, as you said. 

> 
> (If you are able to run both FF 2 and FF 3 at the same time using the same
> profile, then that would explain it.)

No, I cannot do that. My problem starts when I started FF2 closed it and then I started FF3, after that, I cannot make a backup or install a new one from a file. 

> 
> a) What is your Linux version? (like Fedora, Ubuntu, SuSE, RHEL)

Mandriva 2007

> 
> b) How did you get Firefox 3?

From official Mozilla Firefox page (Europa)

http://www.mozilla-europe.org/es/firefox/

> 
> c) Are you using a smartcard on your system? (hardware card or special usb
> stick that can store a certificate, in a reader device)

No, I aren't.

> 
> d) in a terminal (command line), try this sequence of commands:
> # touch /tmp/test.p12
> # ls -l --full-time /tmp/test.p12
> You should a listing showing your test.p12 with a current timestamp and a size
> of zero.

I get this:

-rw-r--r-- 1 fernando fernando 0 2008-07-01 18:36:15.000000000 +0200 /tmp/test.p12

> This confirms that you can write there.
> Now remove the file:
> # rm /tmp/test.p12

Done

> e) Go to certificate manager and your certificates. Select the certificate you
> want to export. Click view. Does this work? Does this show all details of your
> cert? Then Firefox is able to read.

Yes I can do that without problems, FF3 can read it and window shows all details of my certificate, If I select General o Details tabs I can see all details.

> 
> f) close the window that you opened in step e). You are now back at cert
> manager. The same certificate is still selected. Now click Backup. When
> prompted for the filename, enter /tmp/test.p12


> Do you get an error message?

When I do that I get this message after enter my master password:

Se produjo un fallo por motivos desconocidos al guardar la copia de seguridad del archivo PKCS #12.

> 
> g) Go back to the terminal.
> # ls -l --full-time /tmp/test.p12
> What do you see now, same or different output than from step d) ?

ls: /tmp/test.p12: No existe el fichero o el directorio

The file was not created, there is no file (remember I had deleted before at point d.
> 
> h) Repeat the tests from steps d), f), g), but now use a different filename.
> Use a filename in your home directory, for example: /home/myname/test.p12

The output is the same in all cases, I cannot export any certificate, and don't mind the directory that I choose.

> i) is your home directory on a remote filesystem, like "nfs" or "smb/samba"?

Yes it is my home directory, I haven't remote filesystems, like samba o nfs. But remember that I could do that before using FF2 with the same profile. 

Remember also, that I cannot import certificates from a p12 file, when I try it, I get:

Fallo en la recuperación del archivo PKCS #12 por motivos desconocidos.

I had imported all my certificates from a file at the beginning, after install FF3, because I had to delete my .mozilla directory because FF3 hangs (probably due an unsupported plug-in or something like that).

Best regards. 
> 

(In reply to comment #32)
> Maybe you should try to remove all mozilla software from your default search
> path.
> 
> in other words, change your system so that commands:
> # firefox
> # thunderbird
> # seamonkey
> # certutil 
> 
> all give error messages about "not found

Done, I have desinstalled all rpm's with files at /usr/bin, now all those programs show "not found". 

> 
> Then cd into a directory that has ONLY one mozilla version and start it with
> ./firefox (for example)

Done, but I get the same error message.

Best regards
> 

Thanks for performing all the tests, it's unfortunate that it did not help us yet...


> I had imported all my certificates from a file at the beginning, after install
> FF3, because I had to delete my .mozilla directory because FF3 hangs (probably
> due an unsupported plug-in or something like that).


Ok, I hear you did this:

- used FF2 to create a backup of all your personal certificates
- deleted ~/.mozilla


What software did you use to create your new profile? FF2 or FF3?

What software did you use to import your old backup p12 file? FF2 or FF3?


I think you said, you were able to import once, it worked, and then the problems started. Right?
(In reply to comment #35)

Hello Kai
 
> Ok, I hear you did this:
> 
> - used FF2 to create a backup of all your personal certificates

Yes, but I had this backups long time ago.

> - deleted ~/.mozilla

Yes, because I had problems starting FF3, program was hanged when I tried to start it.

> 
> 
> What software did you use to create your new profile? FF2 or FF3?

I am sure, my new profile was created with FF3

> 
> What software did you use to import your old backup p12 file? FF2 or FF3?

Again, once I started FF3 I began to install plug-ins and certificates. At this point I was able to export and import certificates. 

> 
> 
> I think you said, you were able to import once, it worked, and then the
> problems started. Right?
> 

Yes once all was installed and working fine, I started FF2 for a test with a page who doesn't work with FF3, and the next time that I started FF3, I wasn't able to export or import any certificate.

I have done another test this afternoon. I had installed my FF3 at /usr/local/firefox and files was owned by root. I have copied this directory to my /home/ directory, I have changed the owner to fernando:fernando, and I have started FF3 from there. Again I have gotten the same error message. 

Then I have deleted this directory and without modify my .mozilla directory I have installed FF3 from scratch, and I have gotten the same error message.

As I had deleted all my instances of FF from my path, I have installed FF2 in my user directory, and I have started FF2 from here, in this case, I haven't got any error message and my certificates was exported without problems.

At this point, error must be a problem of .mozilla directory and is produced when someone start FF2 with a default profile created with FF3. This error only affect a FF3. 

I don't have another explication for that issue, because if I delete my .mozilla directory and I start FF3, configuring and installing all again, I have no problem for export or import my digital certificates.

As I said before, it would be good that error message were more clear for us, instead of "unknown causes". At the end, it may be the ultimate problem for debugging this error. 

Best regards.
Last test done:

I have started FF3 from a console using ./firefox -P option. Then I have created a new profile called fernando. 

Then, I have copied my cert8.db and key3.db files to my new profile, and I have started FF3 using this new profile. As result, I can import or export any certificate to o from the new profile without any problem. 

Therefore there is something that is different between the old profile and the new one, and it is something different than those .db files indeed. 

Is there any suggestion for beginning?

Best regards.
I have founded the origin of error, it was the plug-in Torbutton 1.2.0rc1. I have deactivated all plug-in and then I could import and export certificates without problems.  

I have founded the origin of error, it was the plug-in Torbutton 1.2.0rc1. I have deactivated all plug-in and then I was able of import and export certificates without problems.

Then I was activating one by one and reinitializing FF3 until I have found to the guilty one. It was Torbutton. 

Torbutton works fine and this seems a feature not a bug:

http://torbutton.torproject.org/dev/design/#id2951083

But, I insist we need better error messages support in FF, "unknown reasons" isn't a good option. 

Thank you very much for your help.

Best regards.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Resolution: FIXED → INVALID
Fernando: The option you are referring to should be disabled by default. Another firefox bug (Bug 435149) prevents it from being functional. Check your about:config to make sure those two jar_cert prefs are false.

If they are false, I am still interested in a test certificate that reproduces this issue, if you can provide one.
Err, that's Bug Bug 435159. Sorry.
Hello Mike:

extensions.torbutton.jar_ca_certs;false
extensions.torbutton.jar_certs;false

I cannot provide you a certificate because they are real certificates from our government for electronic access to administration.

But I can confirm you that it isn't a problem about certificates. If I disable or delete Torbutton, I have no problems importing or exporting my certificates. 

Best regards. 
You need to log in before you can comment on or make changes to this bug.