"Invalid security certificate" message for certificates that (I think) are good

RESOLVED DUPLICATE of bug 477186

Status

Firefox
Security
--
major
9 years ago
9 years ago

People

(Reporter: Jean-Philippe Fleury, Unassigned)

Tracking

3.0 Branch

Details

(Whiteboard: Workaround in comment 6. Also see bug 479508)

Attachments

(3 attachments)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.8) Gecko/2009033100 Ubuntu/9.04 (jaunty) Firefox/3.0.8 Ubiquity/0.1.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.8) Gecko/2009033100 Ubuntu/9.04 (jaunty) Firefox/3.0.8 Ubiquity/0.1.4

Very recently (maybe since my update to the latest Firefox version, 3.0.8, but I'm not sure), I have had problems with certificates. Firefox displays the error below for sites with which I've never had certificate problems and with which I still have no problem with my other web browsers Epiphany 2.24.1 and Konqueror 4.2.00.

For example, I'm no longer able to visit https://www.gandi.net/ without having this error:

Secure Connection Failed
www.gandi.net uses an invalid security certificate.
The certificate is not trusted because the authority issuing the certificate is unknown.
(Error code: sec_error_unknown_issuer)

but I don't have any error with Epiphany and Konqueror, and Gandi's support asserts that its certificate is up-to-date.

Another example: I'm no longer able to visit my AlternC administration section without having the same error:

https://bureau.koumbit.net/admin/index.php

Again, I don't have problems with my other browsers.

Reproducible: Always

When I load https://www.gandi.net, I do see the page normally, no bad cert warning.  It's possible there's a bug here; it's also possible that someone is interfering with your internet connection and trying to masquerade as these sites using forged certificates.

Can you try this:

1) Go to https://www.gandi.net or some other public, known-valid https site (https://www.paypal.com for example)
2) When the error page shows up, click "Add Exception"
3) In the dialog that pops up, click the View button to view the certificate contents
4) Take a screen capture of that dialog and attach it to this bug?

I'll visit the same site, and compare results. If there's a Firefox bug, we should be seeing the same certificate, and we'll just need to figure out why you're seeing the error.  If the certificates differ, that will be a good sign that someone is tampering with things.
(Reporter)

Comment 2

9 years ago
Created attachment 373379 [details]
Firefox's freeze trying to view a certificate

Hi Johnathan,

I'm not able to view the certificate, because if I click "Add Exception" and then the View button, Firefox freezes. See the attached screen shot.

Hmm.  Well that's no good.

Do you see this for all SSL sites, or only some?  And in the case of gandi.net, are you able to add a (non-permanent) exception? (Please don't send any sensitive data across, just in case.) 

If you can add an exception and load the site, does the certificate viewer then work, from the Tools->Page Info->Security tab?

It sounds like there might be two bugs here - the hanging and the error page.  Let's try to figure out the error page first, and then we'll tackle the hang.
(Reporter)

Comment 4

9 years ago
Created attachment 373394 [details]
Firefox's freeze trying to view a certificate by page info

(In reply to comment #3)

Hi Johnathan,

> Do you see this for all SSL sites, or only some?

Some SSL sites are OK, some others aren't. I don't know why. Here are 2 examples that aren't ok for me:

https://www.gandi.net/
https://bureau.koumbit.net/

Here are 2 examples ok for me:

https://addons.mozilla.org/
https://groups.google.com/

> And in the case of gandi.net,
> are you able to add a (non-permanent) exception?

Yes.

> If you can add an exception and load the site, does the certificate viewer then
> work, from the Tools->Page Info->Security tab?

No. Firefox still freezes. See the attached screen shot.

Thanks for your help.

This is a duplicate of Bug 477186: Infinite loop in CERT_GetCertChainFromCert

See also Bug 479508: unknown issuer errors from cross certification loops
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 477186

There is a workaround for this problem that may help you until a fix for bug 479508 is released.  It involves deleting one or more certificates from Firefox's file of stored certificates.

Here's a brief list of steps for use on Linux.
 1. Restart the browser
 2. At the top of the Firefox window, on the menu bar, click on the Edit menu, 
    and select Preferences....
 3. Select the Advanced panel.
 4. Click on the Encryption tab.
 5. Click View Certificates to open the Certificate Manager window. 
 6. In the Certificate Manager window click on the Authorities tab
 7. Scroll down until you see a "twisty" followed by the words "AddTrust AB".
 8. Look through the indented names just below "AddTrust AB" for a line that 
    reads: 

    UTN USERFirst-Hardware            Software Security Device

    Note: A line like that one may appear at several places in this list, so 
    be sure you highlight the one below "AddTrust AB", and not another one in 
    the list.
 9. If you don't find it, skip down to step 11 below.  If you DO find it then
    Click on that "UTN USERFirst-Hardware" line once to highlight it.  This 
    will activate a set of buttons, one of which is the Delete button.
10. Press the Delete button to delete the "UTN USERFirst-Hardware" certificate.
    Then continue to step 11.
12. Scroll down until you see a "twisty" followed by the words 
    "The USERTRUST Network". 
13. Look through the indented names just below "The USERTRUST Network" for a
    line that reads:

    AddTrust External CA Root         Software Security Device

    Note: A line like that one may appear at several places in this list, so 
    be sure you highlight the one below "The USERTRUST Network", and not 
    another one in the list.
14. If you don't find it, skip down to step 16 below.  If you DO find it then
    Click on that AddTrust External CA Root line once to highlight it.  This 
    will activate a set of buttons, one of which is the Delete button.
15. Press the Delete button to delete the "AddTrust External CA Root"
    certificate. Then continue to step 16.
16. Click OK to close the Certificate Manager window.
17. Click Close to close the Preferences window.

Now your web sites should work OK for you.  If the problem comes back, 
repeat these steps.

Step 11 is missing.  It says:  Continue to step 12.  :)
Created attachment 373448 [details]
screen shot of Certificate Manager window for above instructions
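
The workaround in comment 6 removes two cross-certificates. The added example below (not NSS or Firefox code, and not posted by anyone in this bug) models why such a pair can trap an issuer walk and how a guard against reuse ends it. The leaf name `www.example.test`, the store layout, the function names and the direction of each cross-certificate (read from the Certificate Manager grouping described in the steps) are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model: a certificate reduced to subject, issuer, trust flag. */
struct cert { const char *subject, *issuer; int anchor; };
enum { MAXC = 8 };  /* largest store this sketch handles */
/* Cross-certificates listed first; who issued which one is an assumption. */
static const struct cert store[] = {
    {"www.example.test",          "UTN USERFirst-Hardware",    0}, /* constructed leaf */
    {"UTN USERFirst-Hardware",    "AddTrust External CA Root", 0}, /* cross-cert */
    {"AddTrust External CA Root", "UTN USERFirst-Hardware",    0}, /* cross-cert */
    {"UTN USERFirst-Hardware",    "UTN USERFirst-Hardware",    1}, /* self-signed */
    {"AddTrust External CA Root", "AddTrust External CA Root", 1}, /* self-signed */
};

/* Naive walk: follow the first subject match for each issuer. Returns chain
 * length, 0 if an issuer is missing, -1 when the step budget runs out. */
int walk_naive(const struct cert *s, int n, int cur, int budget) {
    for (int len = 1; len <= budget; len++) {
        if (s[cur].anchor) return len;
        int next = -1;
        for (int i = 0; i < n && next < 0; i++)
            if (!strcmp(s[i].subject, s[cur].issuer)) next = i;
        if (next < 0) return 0;
        cur = next;
    }
    return -1;  /* budget exhausted: stands in for the endless loop */
}

/* Guarded walk: never reuse a certificate already in the chain, prefer a trust
 * anchor among candidates. Returns chain length, or -1 for unknown issuer. */
int walk_guarded(const struct cert *s, int n, int cur, int *chain) {
    int used[MAXC] = {0}, len = 0;
    while (cur >= 0) {
        chain[len++] = cur; used[cur] = 1;
        if (s[cur].anchor) return len;
        int next = -1;
        for (int i = 0; i < n; i++) {
            if (used[i] || strcmp(s[i].subject, s[cur].issuer)) continue;
            if (next < 0 || s[i].anchor) next = i;
        }
        cur = next;
    }
    return -1;
}

int main(void) {
    int c[MAXC], a = walk_naive(store, 5, 0, 100), b = walk_guarded(store, 5, 0, c);
    printf("naive=%d guarded=%d cross-only=%d\n", a, b, walk_guarded(store, 3, 0, c));
}
```

Passing `n = 3` restricts the store to the leaf and the two cross-certificates, so no trust anchor is reachable and the guarded walk reports an unknown issuer. The guarded walk is greedy and does not backtrack; a full path builder would also try alternative issuers.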
(Reporter)

Comment 9

9 years ago
Hi Nelson,

Thanks a lot for your detailed steps! It worked fine! :-)
(Reporter)

Comment 10

9 years ago
Hi,

Is it possible that I have the same bug with Thunderbird 2.0.0.21 (Ubuntu 9.04)? I'm not able to get my emails by POP without having the same kind of warnings:

##########
Website Certified by an Unknown Authority

Unable to verify the identity of *.koumbit.net as a trusted site.

Possible reasons for this error:
- Your browser does not recognize the certificate authority that issued this site's certificate.
- The site's certificate is incomplete due to a server misconfiguration.
- You are connected to a site pretending to be *.koumbit.net, probably to obtain your confidential information.

Please notify the site's administrator about this problem.

Before accepting this certificate, you should examine it carefully. Do you really want to accept this certificate to identify the website *.koumbit.net?

Examine the certificate...

- Accept this certificate permanently
- Accept this certificate temporarily for the duration of the session
- Do not accept this certificate and do not connect to this website

Cancel OK
##########

As for the bug with Firefox and my AlternC administration section (<https://bureau.koumbit.net/admin/index.php>), Koumbit says that there's no problem with the certificate.

Also, Thunderbird doesn't want to accept the certificate temporarily. I always get the warning above each time messages are retrieved.

Yes, it's possible to experience this problem with Thunderbird, too.
If you suspect this is your problem, perform the steps given in comment 6
above.  If this is your problem, those steps will fix it.  If you are having 
a different problem, those steps won't hurt anything, but they won't fix 
anything either.
OS: Linux → All
Hardware: x86 → All
Whiteboard: See workaround in comment 6.
Version: unspecified → 3.0 Branch
Also see bug 479508
Depends on: 479508
Whiteboard: See workaround in comment 6. → Workaround in comment 6. Also see bug 479508
(Reporter)

Comment 13

9 years ago
(In reply to comment #11)
> If you suspect this is your problem, perform the steps given in comment 6
> above.

Thanks for the response. Unfortunately, this workaround doesn't work, because there's no line found at step 8, nor at step 13.