Error code Error code: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED seems to have started with Firefox upgrade to 60.0.1?
I am receiving the "Your Connection is Not Secure" along with the above error code when I try to access my daughters school
https://www.lauraltonhall.org/students/webnetclassroom
The problem seems to have started about the time Firefox upgraded to version 60.0.1
I had been able to get on the site without any issue up until about 2 weeks ago. Contacted the school IT dept. and they say everything is as it should be and no one else is reporting any issues getting on.
This happens with both my work computer and home computer.
It does not happen on Internet Explorer
Thank You
David
Alle Antworten (18)
Hi David, the MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED error code is usually associated with certain certificates issued by Symantec and I don't think it should affect this site.
Do you recall ever encountering an error using the site before and saving an exception?
If a site is generally known to work in Firefox, these are general suggestions to try when it stops working normally:
Cache and Cookies: When you have a problem with one particular site, a good "first thing to try" is clearing your Firefox cache and deleting your saved cookies for the site.
(1) Clear Firefox's Cache
See: How to clear the Firefox cache
If you have a large hard drive, this might take a few minutes.
(2) Remove the site's cookies (save any pending work first). While viewing a page on the site, try either:
- right-click (on Mac Ctrl+click) a blank area of the page and choose View Page Info > Security > "View Cookies"
- (menu bar) Tools > Page Info > Security > "View Cookies"
- click the padlock or "i" icon in the address bar, then the ">" button, then More Information, and finally the "View Cookies" button
In the dialog that opens, the current site should be pre-filled in the search box at the top of the dialog so you can remove that site's cookies individually.
Then try reloading the page. Does that help?
Double-check content blockers: Firefox's Tracking Protection feature and extensions that counter ads and tracking may break websites that weren't built to operate normally without the blocked components.
Do you see a shield icon toward the left end of the address bar, near the lock icon? More info on managing the Tracking Protection feature in this article: What happened to Tracking Protection?.
Extensions such as Adblock Plus, Blur, Disconnect, Ghostery, NoScript, Privacy Badger, uBlock Origin or uMatrix should provide toolbar buttons to manage blocked content in a page. There may or may not be a number on the icon indicating the number of blocked items; you may need to click the button to see what's going on and test whether you need to make an exception for this site.
Hi,
Thanks for your input to my issue.
I do not recall encountering an error on the site in the past. Parents can access their children's grades so I have been on the site fairly regularly since last September.
I did try clearing the cache and removing the sites cookies but have the same error message.
There is not a shield icon to the left in the address bar.
Thanks
Please provide public link(s) (no password) that we can check out. No Personal Information Please !
Start Firefox in Safe Mode {web link} by holding down the <Shift> (Mac=Options) key, and then starting Firefox.
A small dialog should appear. Click Start In Safe Mode (not Refresh). Is the problem still there?
Sorry, I did not mention initially that the part of the site I am having the issue is one that I have to log into- I am able to access the main page without issue.
This is the login page:
https://www.lauraltonhall.org/login
I tried starting in safe mode and problem still occurs
See "The certificate does not come from a trusted source":
dbrenton said
Sorry, I did not mention initially that the part of the site I am having the issue is one that I have to log into- I am able to access the main page without issue. This is the login page:
https://www.lauraltonhall.org/login
Hmm, there's no reason to get a different result on that page. Could you try extracting the coded version of the certificate Firefox doesn't like. On the error page, click the "Advanced" button then click the error code (it should be styled as a link) to open a panel showing a large block of gibberish. If you see that, try the Copy button and then paste into a reply.
An additional policy constraint failed when validating this certificate.
HTTP Strict Transport Security: false HTTP Public Key Pinning: false
Certificate chain:
BEGIN CERTIFICATE-----
MIIGgTCCBWmgAwIBAgIQZUKEpAbSwW64NXMzPCvmHjANBgkqhkiG9w0BAQsFADBG MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEfMB0GA1UEAxMW R2VvVHJ1c3QgU0hBMjU2IFNTTCBDQTAeFw0xNjAzMzEwMDAwMDBaFw0xODA2MzAy MzU5NTlaMIGDMQswCQYDVQQGEwJVUzEUMBIGA1UECBMLQ29ubmVjdGljdXQxEDAO BgNVBAcUB01pbGZvcmQxFzAVBgNVBAoUDkxhdXJhbHRvbiBIYWxsMRAwDgYDVQQL FAdIb3N0aW5nMSEwHwYDVQQDFBhlbnJvbGwubGF1cmFsdG9uaGFsbC5vcmcwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyV8+qmc5siQAswdSyKSw+lSTb Pt5UNKwHzozxFvoYqeIMFYLGahaNST5jcPsD9GK84mO9Tjee0iBCuX2EkJB8bC1T Mta6PQic/T1kwear/HIsR753yi2OJ3gAwzwpcnktM79ex1go6T8YadGAJMAEe/Uq tOaLbBK66KxQWuaz0ZZ6GAkmpezmQXQkGVl4BPcv73DhM1edDatgp8kb1jdGCFi8 mOgB8fBzsNQpmViPip70Kg39q6v13tFXErKM99nrCHo42rvB8jPdZtAS3E5zKKyE 6GZWeicD7coeNXrVpclzhlWhEqjgh2bCsEi80iPgxAKZSJrLEzlYdkp6RUcHAgMB AAGjggMrMIIDJzAjBgNVHREEHDAaghhlbnJvbGwubGF1cmFsdG9uaGFsbC5vcmcw CQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwKwYDVR0fBCQwIjAgoB6gHIYaaHR0 cDovL2dqLnN5bWNiLmNvbS9nai5jcmwwgZ0GA1UdIASBlTCBkjCBjwYGZ4EMAQIC MIGEMD8GCCsGAQUFBwIBFjNodHRwczovL3d3dy5nZW90cnVzdC5jb20vcmVzb3Vy Y2VzL3JlcG9zaXRvcnkvbGVnYWwwQQYIKwYBBQUHAgIwNQwzaHR0cHM6Ly93d3cu Z2VvdHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5L2xlZ2FsMB0GA1UdJQQW MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBQUZ47tg0/WHp1ABAwE RqFwNLIPcjBXBggrBgEFBQcBAQRLMEkwHwYIKwYBBQUHMAGGE2h0dHA6Ly9nai5z eW1jZC5jb20wJgYIKwYBBQUHMAKGGmh0dHA6Ly9nai5zeW1jYi5jb20vZ2ouY3J0 MIIBfQYKKwYBBAHWeQIEAgSCAW0EggFpAWcAdQDd6x0reg1PpiCLga2BaHB+Lo6d AdVciI09EcTNtuy+zAAAAVPNK6GFAAAEAwBGMEQCIBtsg8SGYxkJnhqUQfaSw2Nh pqNoQypl/OfAnvZHsoi0AiA1mGP+yP9Aj7A4mVDqJqPr4XWFdzChMBAX9Tx6BTI3 LwB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABU80rocMAAAQD AEcwRQIhAOP0JwAM/tNTS8S5aV/2tgoubwJwTxXJq1jC/aOk2CrvAiAEdzE2xr90 laWdqCjftqPDiVl3ZIhxI36tPf9MFI4d7wB2AGj2mPgfZIK+OozuuSgdTPxxUV1n k9RE0QpnrLtPT/vEAAABU80roaYAAAQDAEcwRQIhAPOuyB3Yxq9dBvOZWRMspayR An9gsocEGc/5bQQrbBRtAiAWPtt8iw7ESs6zWFM1SD8HMl6IN2RDZA5iJ4NS/Ylf /TANBgkqhkiG9w0BAQsFAAOCAQEAGuRDG5XrV80ivsg8WG4hf3dq7Hpa35GtOWni PNNi6MwM8sSCfMYH7ytShVdMs4iCNc5/DkHc+SvtqX+dvfhQCam2EBIHg8vSaoNn CGWAlp4KQ6YRCejHBWyk/p3R0vmwuL2HxX07Csz7hMGoAAKuoIqGF+DDbIKITtVa /VLFAgwPmD5vW7U+d4g65n6wHBdWk53BrJI8j+IymYnhaJb8W6cyPqBeKGvNAzaE kxjtl0wcOkTviJFozY2dhqZVd6mOrZDl3qME1uFsfKkC2dfKNr62b/s6tphv5ph6 OXJ4YbaGIiSp6CuxiylX8WIuYYLUtGyWJzIkRZKzs74eJy2LTA==
END CERTIFICATE-----
BEGIN CERTIFICATE-----
MIIExzCCA6+gAwIBAgIQQYISfRLZxrMhOUMSVmQAuDANBgkqhkiG9w0BAQsFADCB mDELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsT MChjKSAyMDA4IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25s eTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv cml0eSAtIEczMB4XDTEzMDUyMzAwMDAwMFoXDTIzMDUyMjIzNTk1OVowRjELMAkG A1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xHzAdBgNVBAMTFkdlb1Ry dXN0IFNIQTI1NiBTU0wgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDGqQtdF6V9xs8q78Zm0UIeX4N4aJGv5qeL8B1EAQoZypzUix3hoZCjwVu011tq i/wOSR7CYin+gBU5i4EqJ7X7EqgFIgvFLPXZmN0WLztm52KiQzKsj7WFyFIGLFzA d/pn94PoXgWNyKuhFjKK0kDshjocI6mNtQDecr2FVf4GAWBdrbPgZXOlkhSelFZv k+6vqTowJUqOCYTvt9LV15tJzenAXmdxIqxQkEMgXaGjFYP9/Kc5vGtlSBJg/90j szqq9J+cN1NBokeTgTMJ5SLGyBxJoW6NzIOzms3qQ/IZ0yTLqCmuUsz0CCewhOrO J7XhNBNzklyHhirGsGg2rcsJAgMBAAGjggFcMIIBWDA7BggrBgEFBQcBAQQvMC0w KwYIKwYBBQUHMAGGH2h0dHA6Ly9wY2EtZzMtb2NzcC5nZW90cnVzdC5jb20wEgYD VR0TAQH/BAgwBgEB/wIBADBMBgNVHSAERTBDMEEGCmCGSAGG+EUBBzYwMzAxBggr BgEFBQcCARYlaHR0cDovL3d3dy5nZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwczA7 BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9HZW9UcnVz dFBDQS1HMy5jcmwwDgYDVR0PAQH/BAQDAgEGMCoGA1UdEQQjMCGkHzAdMRswGQYD VQQDExJWZXJpU2lnbk1QS0ktMi00MTYwHQYDVR0OBBYEFBRnju2DT9YenUAEDARG oXA0sg9yMB8GA1UdIwQYMBaAFMR5yo6hTgMdHNxr2zFblD4/MH8tMA0GCSqGSIb3 DQEBCwUAA4IBAQAQEOryENYIRuLBjz42WcgrD/5N7OP4tlYxeCXUdvII3e8/zYsc fqp//AuoI2RRs4fWCfoi+scKUejOuPYDcOAbWrmxspMREPmXBQcpbG1XJVTo+Wab Dvvbn+6Wb2XLH9hVzjH6zwL00H9QZv8veZulwt/Wz8gVg5aEmLJG1F8TqD6nNJwF ONrP1mmVqSaHdgHXslEPgWlGJhyZtoNY4ztYj9y0ccC5v0KcHAOe5Eao6rnBzfZb qTyW+3mkM3Onnni5cNxydMQyyAAbye9I0/s6m/r+eppAaRzI2ig3C9OjuX6WzCso w1Zsb+nbUrH6mvvnr7WXpiLDxaiTsQDJB7J9
END CERTIFICATE-----
ok, so it's just the https://enroll.lauraltonhall.org domain thats troublesome & serving an outdated symatec certificate, that will no longer be trusted by firefox & chrome: https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
ultimately you should report that to the site's admin for them to fix the issue.
you can locally work around the issue in your firefox though by enteringabout:config into the firefox address bar (confirm the info message in case it shows up) & searching for the preference named security.pki.distrust_ca_policy. double-click it and change its value to 0.
So is the certificate no longer trusted a result of the Firefox upgrade to 60.0.1?
My wife also logs into the same site (with different credentials) so she tried when we were home tonight and she is able to log right in, does not get the error messages that I get.
One difference is that she is still running Firefox 59.0.3
Yes, Firefox 60 is intentionally no longer trusting these kinds of certificates.
I have started getting the "Your Connection is not secure" error message this week. I'm getting it occasionally and on websites that I have accessed numerous times in the past.
It is a pain, because there's not always a way to 'fix' it or work around it. Although when I got it earlier today, I did manage to find the work around by clicking on the 'advance' button and then 'exception'. When that box came up I clicked on the tab that said 'get certificate' and the website was accessible again. BUT not all error messages give you the 'exception' box, so then you're stuck and can do nothing after that.
Can I assume from other comments here, that Firefox version 60.0 is the reason this error message has started to pop up?
Thanks for those who posted about having the same issue, because now I don't feel totally lost as to why it is all of a sudden happening.
Hi Kyli902
You should never make a permanent exception without thoroughly investigation what is wrong, especially in case you connect to reputable web pages.
What is the exact error message and is there a blue error code link present?
The error message is:
Secure Connection Failed
An error occurred during a connection to bad.example.com
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
There is a box that says 'try again', with a message underneath that says "Report errors like this to help Mozilla identify and block malicious sites" with a check mark in the box.
At the bottom of that error message window is a tab that says 'add exception'. If you click on that, it opens another window where you can add a website as an exception......... or at the very top of that box you can also click on a tab that says 'get certificate'.
The only blue link says 'Learn more', which then takes you to a Firefox trouble shooting page that explains more about the error message.
The error message does have to do with secure website certificates or 'key pinning'. At least that's what I found on Firefox's help page.
Hope this additional information gives a clearer idea of what's happening. But from what I've been reading here, it sounds like this issue started when Firefox upgraded to version 60.0. Is that a correct assumption?
I attached two screen shots of the error messages, one from 6/19 and one from 6/21.
Thanks!
Hi Kyli902, thank you for the screenshots.
The FB error refers to a key pinning problem. I don't know what causes that; possibly some intermediary??
The AOL error refers to the certificate being for the wrong site, and mentions security.frontier.com. Is that possibly your service provider? I wonder what they are doing intercepting your AOL request. Could you try a non-secure address like http://www.example.com/ to see whether they have some kind of message?
I saw the reference to my service provider yesterday, when I was blocked from loading out another website (that I have accessed numerous times in the past). I called Frontier to ask if there had been any changes to my service or their servers. The tech I talked to checked into my issue thoroughly and even talked to one of her supervisors. They could not find any reason why it says "this certificate is only valid for Frontier.com".
I received another error message this morning while loading out Firefox. It wouldn't load out my homepage, so I clicked the tab 'add an exception' and at the top of the next window clicked don 'get certificate'. And the page was allowed to load out. I am becoming rather frustrated at this point, because I never know 'when' I will be blocked by Firefox.
Now I appreciate Firefox keeping me safe (it's the main reason I use only Firefox for a browser), but I want to know 'why' this started happening this week. I never had an issue with key pinning / certificates before this week.
I called my service provider in case the loss of net neutrality could have caused them to make changes to their servers. But again, the tech could not find anything that could have changed. So here I am, wondering 'why' this continues to happen randomly.
I am including a screen shot from example.com and the message that came up...... and it was not an error message from Firefox.
Thanks for your feedback, but it still doesn't answer my question of 'why' this is happening.
Hi Kyli902, you should never need to add exceptions to access well-run sites, and I suggest you not do that until we determine why your access is being intercepted and/or redirected.
Have you already ruled out the following:
(1) Modified Connection Settings
You can check that here:
- Windows: "3-bar" menu button (or Tools menu) > Options
- Mac: "3-bar" menu button (or Firefox menu) > Preferences
- Linux: "3-bar" menu button (or Edit menu) > Preferences
- Any system: type or paste about:preferences into the address bar and press Enter/Return to load it
In the search box at the top of the page, type proxy and Firefox should filter to the "Settings" button, which you can click.
The default of "Use system proxy settings" piggybacks on your Windows/IE "LAN" setting. "Auto-detect" can lead to a flaky connection. You may want to try "No proxy".
Any difference?
(2) Add-ons
One possible culprit would be an extension. You can view, disable, and often remove unwanted or unknown extensions on the Add-ons page. Either:
- Ctrl+Shift+a (Mac: Command+Shift+a)
- "3-bar" menu button (or Tools menu) > Add-ons
- type or paste about:addons in the address bar and press Enter/Return
In the left column of the Add-ons page, click Extensions.
Then cast a critical eye over the list on the right side. Any extensions Firefox installs for built-in features are hidden from this page, so everything listed here is your choice (and your responsibility) to manage. Anything suspicious or that you just do not remember installing or why? If in doubt, disable (or remove).
Any improvement?
Next time you run into a problem site, could you compare what happens loading the same address in another browser.
I called my service provider again on Thursday and talked to a higher level tech. She did a remote session on my system and could find nothing wrong regarding the message that some times says :This certificate is only valid for security.________.com (name of my service provider shows in the underlined area.
So after she checked settings, etc., her suggestion to resolve my issue is to uninstall and re-install Firefox. She stated that when this issue had occurred to someone else using them as a provider, that was the same solution she had recommended. And apparently it did resolve the other person's issue.
I have not had time to resort to that as a permanent fix, but first I did a complete scan using RogueKiller to ensure that there wasn't something else causing issues (malware, etc.). RogueKiller DID find 4 malicious links (one was an error message and did not need to be deleted) and they were deleted/removed from my system.
Since then I have not had as many error messages, only the occasional one from the same website (a game that is played through Facebook). Usually if I leave it and go back in a few minutes, it will load out the webiste/game. I want to continue monitoring my system to see IF those malicious items that were deleted, could have been the cause of the certificate error messages.
I am hoping that if the error messages either stop or are very very occasional, I won't have to go through the process of re-installing Firefox and customize everything again (book marks have been saved and would be imported).
I will also try the suggestions you posted in your last comment IF the issue continues (but less often) before resorting to an uninstall and re-install. I would rather try anything else to resolve the issue first.
Thanks for your helpful feed-back. And hope it has or can be resolved without the re-install.
You can check the connection settings.
- Options/Preferences -> General -> Network: Connection -> Settings
If you do not need to use a proxy to connect to internet then try to select "No Proxy" if "Use the system proxy settings" or one of the others do not work properly.
See "Firefox connection settings":