Closed Bug 583191 Opened 15 years ago Closed 9 years ago

Untrusted connection error/invalid certificate error on all HTTPS sites (all roots set untrusted, unknown cause)

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Version:
1.9.2 Branch
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: so.now.what, Unassigned)

References

(
URL
)

Details

Attachments

(2 files)

Certificate error related cert8.db fiel
400.00 KB, application/octet-stream
Details
Screenshot_20200112-102800.png
148.75 KB, image/png
Details
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 While attempting to access any secure sites such as gmail, bugzilla reporting or even twitter a certificate error appears. Error is as follows: "www.google.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is not trusted. (Error code: sec_error_untrusted_issuer)" Comparing the serial number of the certificate from firefox to Chrome shows a different serial. Reproducible: Always Steps to Reproduce: 1.Open secure page 2.View certificate error... 3.Log bug Actual Results: Failure to access any secure pages. Expected Results: Accessed the pages as normal. No additional information. Standard configuration macbook running OSX 10.6.4.
Is your system time correct ? Do you use a proxy ? Please create a new profile and try it again: http://support.mozilla.com/en-US/kb/Managing+profiles
System time is correct and I don't use a proxy. I've run a virus scan and found no viruses or scripts running. New profile seems to work without issue.
Please open tools/options/advanced/encryption and check that use SSL3.0 with and TLS1.0 is checked. The tools/options part might be different on OS X (edit\preferences ?) and of course run Firefox with your old profile. Open about:support (enter as URL in Firefox URL bar) if both security options are enabled. Click there on Profile Folder:Open containing Folder. Close Firefox (the process must be closed) and move the file cert8.db to a backup location. No start Firefox again and test the SSL sites and report back.
Following these instructions I moved the cert8.db file to the desktop and booted firefox using the default profile which I was having issues with. Now the secure sites are working again without issue. Thanks!
Did you modify any settings under options/advanced/encryption or do you installed an extensions that could have done this ? Do you manually added a new root certificate ? Which extensions do you have installed ? Do you have the Tor extension installed ? You can copy+paste the list from about:support (enter it as URL in Firefox).
Component: General → Security: PSM
Product: Firefox → Core
QA Contact: general → psm
Version: unspecified → 1.9.2 Branch
I haven't changed any settlings that I'm aware of. No new root certificate, no Tor. The only extension I use is Adblock, details below; Name Version Enabled ID Adblock Plus 1.2.1 true {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} Here is the modified settings table from the about:support page Name Value accessibility.typeaheadfind.flashBar 0 browser.history_expire_days.mirror 180 browser.places.importBookmarksHTML false browser.places.smartBookmarksVersion 2 browser.startup.homepage http://www.netvibes.com|http://antwrp.gsfc.nasa.gov/apod/archivepix.html browser.startup.homepage_override.mstone rv:1.9.2.8 extensions.lastAppVersion 3.6.8 network.cookie.prefsMigrated true places.last_vacuum 1279024515 privacy.sanitize.migrateFx3Prefs true security.disable_button.openCertManager false security.warn_viewing_mixed false
Matti, thanks for CC'ing me, looks like the issue I have been hunting. Richard, it seems that you have been using this Firefox installation for quite some time - when did these troubles start? Did you use any other extensions that are uninstalled now? Any non-default security applications installed on your system (personal firewall, anti-virus)? Also, could you attach your old cert8.db file to this bug?
Wladimir; The problems have been on and off for a few months, maybe 4 at most. I have only recently begun using AdBlock Plus although I have used "1 click youtube video download" on and off to save videos but I uninstall it after use. I have an antivirus(ClamXAv) running at present as I thought the issue might be a virus. I'll attach the .db file now.
This cert8.db has trust settings removed for all root certificates, as I suspected. But neither Adblock Plus nor 1 click youtube video downloader touch the certificate store. I wonder whether a simple file corruption could have such results?
Summary: Untrusted connection error/invalid certificate error on all HTTPS sites → Untrusted connection error/invalid certificate error on all HTTPS sites (all roots set untrusted, unknown cause)
I have also had this issue on a number of machines recently. We have found that it seems to mainly affect FF on Windows 7 and have also found that it is recreatable. If you go into tools->options->advanced->encryption tab->view certificates and then under the authorities find all the comodo CA's say and remove them all. Then go to https://secure.comodo.com and it should show the error message. Removing the cert8.db file does seem to sort the issue out, although on one machine it happened again an hour later and the file had to be removed again.
Re comment 11, Andrew, if you remove trust for roots, then it's absolutely expected that sites using certs, that have been issued by the removed roots, are then reported as untrusted. The question is in this bug is, how can it happen that roots lose their trust, despite users not having made changes to the trust.
Exactly the same thing has happened - all HTTPS sites return This site is untrusted and there is no option to continue anyway - so Firefox is completely unusable. (This post is being sent via Internet Explorer) As per original report, While attempting to access any secure sites such as gmail, bugzilla reporting or even twitter a certificate error appears. Error is as follows: "www.google.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is not trusted. (Error code: sec_error_untrusted_issuer)" Comparing the serial number of the certificate from firefox to Chrome shows a different serial. Reproducible: Always Steps to Reproduce: 1.Open secure page 2.View certificate error... 3.Log bug Actual Results: Failure to access any secure pages. Expected Results: Accessed the pages as normal. System: Low end HP business desktop running HWindows 7. System Time: Site is in Brisbane. Proxy server is in Melbourne. Computer time is set to AEST (no daylight saving), Proxy server is now set to AEST -1 Hr (Daylight Saving Time). That is, all computers are set to their respective correct time. Problem began after first login after introduction of Daylight saving time in Melbourne.
>The certificate is not trusted because the issuer certificate is not trusted. A different serial could be dangerous, it could be a MITM attack ! Please create a new bug report and add me to the CC list. This one is old and a different issue.
It appears to be an identical issue. It is NOT an attack, it is Firefox misunderstanding the certificates. All sites affected (including google, google maps, gmail, and a few other https sites I use continuously) are accessable using Google Chrome and Internet Explorer. If the reason that Firefox is failing to recognise the certificates is different, then I will open a new bug, but as this one is still open, under the rules I am not supposed to duplicates ...
Still having this bug in ff36
My experience has been that whenever a new version of Firefox is installed (the latest being 43.0.4) the problem is resolved. But after a while (it's not clear whether is is time related or number of searches undertaken)the problem recurs. If a fresh version of Firefox is installed which is the same version as the one it replaces, the problem shows up again. However, if the version of the newly installed program is newer than the one it replaces the problem temporarily disappears.
Please note with regard to the above comment, my platform is Windows 10 Home
Does the problem still happen when you disable any add-ons you may have installed? How about with a completely new profile?
Flags: needinfo?(hgruenberg)
Hans indicated via email that the problem still exists after disabling add-ons but that he didn't try with a new profile. He also said he's using Edge now, so I'm going to resolve this as incomplete until/unless someone experiencing this issue can work with us to track down the cause.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(hgruenberg)
Resolution: --- → INCOMPLETE

Security seems to have become a problem. Either using 68.4.1 or updating to 2FA on Mr Firefox account has caused the issue that all sites are disallowed.
I suspect 2FA is the cause as I cannot see other reports of 68.4.1 having problems.
I have removed 2FA from my account and the problem persists. It also persists across all Firefox flavours like Focus.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: