Closed Bug 688822 Opened 10 years ago Closed 6 years ago

SSL Certificate warning confirm exception button does not do anything


(Core :: Security: PSM, defect, P1)






(Reporter: barnett.thomas, Unassigned)


(Depends on 1 open bug, )


(Keywords: regression, Whiteboard: [psm-cert-exceptions][psm-roadblock])


(1 file) is a domain hosted on WHM/cPanel. cPanel provides a control panel accessed via with a self-signed certificate. also has a valid SSL certificate from a CA recognized by Firefox.

Using Firefox, user visits and accesses cPanel after usual certificate warning, adding exception, permanently storing and confirming the exception. 

This works as long as user does not visit the actual site Once the domain itself is visited does not work anymore and access to cPanel control panel is not possible. The usual certificate warning is given, but "Confirm exception" button does not do anything.

These are the steps followed to repeat the problem
1- Create a new profile, no add-ons
2- Visit (cPanel, cert warning)
3- Add exception
4- Confirm exception, permanently store
5- cPanel control panel is displayed
6- Visit (actual site with valid SSL cert)
7- Repeat steps 2-4, "Confirm exception" does nothing, staying in "This Connection is Untrusted" page
9- Remove stored exceptions from "Options...> Servers and Authorities
10- Delete cert8.db and cert_override.txt in the profile
11- Restart and try step 7, with the same result.

This does not happen in Internet Explorer 8,9 or Chrome 13,14
Can you provide a minimized testcase or URL which reproduces this bug?
Keywords: testcase-wanted
Also, is the certification self-signed? If so, this is likely a duplicate of bug 552976.
It turns out that this is due to caching by a downstream proxy.
Closed: 10 years ago
Resolution: --- → INVALID
oops, no. after access to actual domain, the problem is still there.

Here is the URL you can try.

1- Visit -> cert warning, perm. store and confirm exception. cPanel login page displays.
2- Visit
3- Try step 1 again. "Confirm exception"  button does not do anything
Resolution: INVALID → ---
I just tried your steps in comment 4 in Firefox 8.0b1 and I cannot reproduce this bug.

1) Visit 

Connection is Untrusted page because...
"The certificate is not trusted because it is self-signed"
"The certificate is only valid for"
"Error code: sec_error_untrusted_issuer"

2) "I Understand the Risks" > "Add Exception" > "Confirm Security Exception" and check "Permanently store this exception"

cPanel login page appears

3) Visit

Page loads with a BLUE site identity background displaying the following identity info:
"You are connected to which is run by (unknown) Verified by Starfield Technologies Inc."

4) Click the BACK button

Popup notification displaying the same information in step 1.

5) Visit 

Connection Untrusted page displays with the same information as step 1. However, this time the "I Understand the Risks" section is non-existent.
Ever confirmed: true
Keywords: testcase-wanted
OS: Windows 7 → All
Hardware: x86 → All
Version: 6 Branch → unspecified
Thomas, would you kindly use our mozregression tool to see if this is a regression?
Tested with STR in comment#5.

Regression window(cached m-c hourly),
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b5pre) Gecko/20100824 Minefield/4.0b5pre ID:20100824084651
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b5pre) Gecko/20100824 Minefield/4.0b5pre ID:20100824110352

Triggered By:
5dc3c2d2dd4f	Sid Stamm — Bug 495115 - Implement Strict-Transport-Security to allow sites to specify HTTPS-only connections, r=kaie+honzab+bjarne, a=betaN+
Blocks: 495115
Component: Security → Security: PSM
Priority: -- → P1
Product: Firefox → Core
QA Contact: firefox → psm
Whiteboard: [psm-cert-exceptions][psm-roadblock]
This might be related to bug 660749, but it sounds sufficiently different to keep it as a separate bug.
Depends on: CVE-2011-0082
Given comment 8 this is almost certainly bug 1092243.
Closed: 10 years ago6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1092243
You need to log in before you can comment on or make changes to this bug.