Unable to access addons due to "invalid security certificate" (two GlobalSign Root CA certificates?)

NEW
Unassigned

Status

()

Firefox
Security
10 years ago
3 years ago

People

(Reporter: Henrik Gemal, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(5 attachments)

(Reporter)

Description

10 years ago
Created attachment 345337 [details]
my certificates

I'm using a nightly build and for the last week I've been getting:

"addons.mozilla.org uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is not trusted.
(Error code: sec_error_untrusted_issuer)"

when I try to access
https://addons.mozilla.org/

It's weird since I haven't changed anything. It just happen
Henrik - does this happen with other sites, too?  https://www.paypal.com

I'm wondering if you're being Man-in-the-Middle'd, or if it's just a vanilla certificate problem.

It would also help if you could view the certificate (via the "Add Exception" dialog) and paste the details
(Reporter)

Comment 2

10 years ago
https://www.paypal.com/ works just fine
(Reporter)

Comment 3

10 years ago
Created attachment 345344 [details]
cert detailed
I've heard this a number of times, I think there might be an AMO bug somewhere
Created attachment 345347 [details]
Correct chain for AMO

Your cert details and fingerprints match what I see, and it loads for me, so now it does appear to be a chain-validation issue, not any obvious kind of attack.

This is what my chain looks like, and the serial number of the root "GlobalSign Root CA" is: 04:00:00:00:00:01:15:4B:5A:C3:94

Does that match your chain?  Do you have a cert with that name and serial number in your root store?
(Reporter)

Comment 6

10 years ago
If you look at the certs listed in the first attached screenshot I actually have two "globalsign root ca".
I think that's the problem. But I didn't change anything. I download a new nightly build every night and the bug started sometime last week I think.
I'll attach the two globalsign details
(Reporter)

Comment 7

10 years ago
Created attachment 345350 [details]
globalsign root ca 1
(Reporter)

Comment 8

10 years ago
Created attachment 345351 [details]
globalsign root ca 2
(Reporter)

Comment 9

10 years ago
If I delete the GlobalSign Root CA certificate that's listed as "Could not verify this certificate for unknown reasons" using the Certificate Manager and then restart the browser it reappears!

Comment 10

10 years ago
GlobalSign's roots were updated recently, see bug 406794. The one sent with the server is most likely the older root which has been updated/re-rolled, whereas the NSS store has now the new root(s) including roll-over of one of them.

Comment 11

10 years ago
BTW, I suggest *not* to change the CA certificates at the addons.mozilla.org server until a new release with the updated NSS is shipped.

Comment 12

10 years ago
(In reply to comment #9)
> If I delete the GlobalSign Root CA certificate that's listed as "Could not
> verify this certificate for unknown reasons" using the Certificate Manager and
> then restart the browser it reappears!

CA certificates can't be really deleted without removing the library.
(Reporter)

Comment 13

10 years ago
Now I deleted all of the *.db files in my profile and restarted and it works.

Updated

10 years ago
Summary: Unable to access addons due to "invalid security certificate" → Unable to access addons due to "invalid security certificate" (two GlobalSign Root CA certificates?)
Related to Bug 448772.
You need to log in before you can comment on or make changes to this bug.