Since this upgrade to Firefox 31 on the mac I can no longer get to any HP iLo.
Since this upgrade to Firefox 31 on the mac I can no longer get to any HP iLo, does anybody know what happened with security certificates with this update? Firefox does not ask to accept the certificate anymore it just says there i an invalid certificate.
Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)
Всички отговори (7)
Firefox 31 upgraded the component that works with SSL certificates. It is possible to disable that, but not desirable, so could we look at a couple other things first:
There used to be a problem where Firefox would detect that a serial number had been re-used. This might be the same issue with a different description. The somewhat complicated support article on that issue is here: Certificate contains the same serial number as another certificate.
Or as a first step, you might try renaming or deleting the cert8.db file, which is Firefox's certificate store that might contain an exception for this server that you saved before. Hopefully hiding this old exception from Firefox will allow you to successfully save a new one. In the following article, search for cert8 to find the steps: Secure connection failed and Firefox did not connect.
For information about disabling the new security component, please see this thread: Security certificate no longer valid after upgrading to latest FF.
Please let us know what you discover.
Hi thank you very much for the reply. I tried to disable cert8.db and restart firefox it did not help. When I disabled the SSL certificate I was then able to get to all of the HP iLO ports. So I also have a co-worker that has a Mac with Firefox also and he has experienced the same issue. So just to be clear when I set the security.use_mozillapkix_verification to false I can get to all the iLo port that do not work when this is set to true.
Please advise on how to proceed.
Thanks! Don
Hi dltate, thank you for reporting back. So with security.use_mozillapkix_verification=false, do you get the option to add an exception for the site, or do you get in automatically without any error message at all??
Since it would be safer to browse with the new security system enabled, it sounds as though we need to figure out how to make an exception for this particular server. Or if the exception already existed, to have it honored. Hmm...
Jeff,
I did asked to add the exception with security.use_mozillapkix_verification=false. I do not get asked when it is true, it just give me the error "Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)"
Thanks for getting back so quick. Don
Jeff, I also forgot to mention on my Mac I have a window 7 virtual and when the Firefox was upgraded to 31 I have the same issue as on the Mac.
Note that if you remove the cert8.db file that this removes all intermediate certificates that Firefox has stored and possible exceptions that you created in the paste as well (see also cert_override.txt).
You will have to leave libPKIX disabled for now if that makes it possible to access these websites. A possibility is to create a button with the PrefBar extension to toggle the security.use_mozillapkix_verification pref when needed, so you can see which sites have issues with PKIX.
What kind of error message do you get when you visit these websites if there is still one?
Can you attach a screenshot of the technical details or possibly post a link if the site is publicly accessible (i.e. no authentication or signing on required)?
OK well removing the cert8.db did not help anyway. I have attached a screenshot. The only think that worked was to change the security.use_mozillapkix_verification to false from true. So this is an interface for HP ProLiant servers that allows us to do bios work console work, etc. Thanks Don