Security certificate no longer valid after upgrading to latest FF.
I upgraded to the very latest version of FF over the weekend and now I can't access a site I had been accessing for the following error: An error occurred during a connection to grdpmgr01.dmz.domainname.com:7799. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)
The certificate is self-signed. We have a similar problem with IE that we've worked around.
Chosen solution
You can try to set security.use_mozillapkix_verification to false on the about:config page as a test to see if that has effect.
Read this answer in context 👍 19All Replies (20)
In order to change your Firefox Configuration please do the following steps :
- In the Location bar, type about:config and press Enter. The about:config "This might void your warranty!" warning page may appear.
- Click I'll be careful, I promise! to continue to the about:config page.
Is this the only site with a problem?
Does the page have the third section (I understand the risks) allowing you to add an exception for this certificate (since you do trust your own self-signed cert)?
Here's the rest of the page: The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
Version is 31.0
I'm not trying to change the config unless that's necessary. What changes would you suggest?
This is likely because you self-signed your certificate rather than having one through a trusted CA. Please read https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/
True enough. Then the question is why did it work on Sunday and not on Monday when the only change made was to upgrade to FF 31.0?
Chosen Solution
You can try to set security.use_mozillapkix_verification to false on the about:config page as a test to see if that has effect.
Thanks, folks! Changing the pkix to false fixed the problem, though I'm not sure if that's a good thing in general.
In Firefox 31 we introduced a new security backend. Leaving it disabled is not a good idea long-term. Please reach out to the Security crypto group, https://groups.google.com/forum/#!msg/mozilla.dev.tech.crypto/EbWse7Ryj8I/mgNRW4yGAwU for help resolving this long term.
That disables the new PKIX implementation and thus should be used with caution.
See also Behavior Changes and Things for CAs to Fix:
Other possible solution that doesn't make Firefox generally unsafer is Deleting or Distrusting the "problematic" certificates from the Authorities and add it again.
Please refer to this post.
Having this problem, I checked that security.use_mozillapkix_verification setting in my Firefox 31 on Linux (CentOS). Its default value was 'false', and it was already set to this value. For the hell of it, I tried changing it to 'true'. Lo and behold, the problem was cured. I suppose the moral is, "whether this setting is 'true' or 'false', try toggling it". Sorry to muddy the waters!
Note that the security.use_mozillapkix_verification pref is only present in Firefox 31 and 32 and that you won't be able to disable PKIX in Firefox 33 and later.
"... you won't be able to disable PKIX in Firefox 33 and later."
On "https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message#w_the-certificate-is-not-trusted-because-it-is-self-signed" is states:
"...uses an invalid security certificate. The certificate is not trusted because it is self signed. (Error code: sec_error_ca_cert_invalid) Self-signed certificates make your data safe from eavesdroppers, but say nothing about who the recipient of the data is. This is common for intranet websites that aren't available publicly."
With disabling the workaround to access self-signed https sites, Mozilla makes it impossible to access valid websites (like intranet pages, router administration, etc.).
BRAVO !!! That's the first - but major - reason to never ever use Firefox again...
Modified
You can try if it works in the current beta release (33.0 b4 or later).
- Bug 1034124 - mozilla::pkix: the error encountered when a CA certificate is used as an end-entity is not overridable
Hi There,
I have the same issue. After the update all the certificate in my certificate store were wiped. I have certificate from a CA. This is the second time it happen same happened last time after the previous update.
Furthermore Now when I am trying to import the p12 into the your certificate tab I don't get the prompt for the password anymore and I cannot import any certificate.
You're really going down the drain with this updates guys. Fix this as I want to continue working with FF.
tried the proposed solution : You can try to set security.use_mozillapkix_verification to false on the about:config page as a test to see if that has effect.
There is no change.
Is there anyway I can revert the change and go back to the previous version?
Modified
Hi snlpnstslocn, certificates should not be deleted during a routine upgrade. Did Firefox perform a reset during the upgrade? You would notice a new folder on the desktop named Old Firefox Data.
Regarding importing your personal certificate, I think this is a different problem and it would be best to start a new question (particularly since this one already is marked as solved). You can do that using this link:
https://support.mozilla.org/questions/new/desktop/fix-problems
Scroll down past the suggestions if they are not right on target, to continue with the new question form.
My last reply didn't get posted. Just wondering if it's awaiting moderation, or if it didn't go through. (This is my first time posting here.)
Guess it didn't go through.
This is a big deal to me. As in, if this doesn't go away, I'll have to stop using Firefox. As someone else stated, this is a problem on lots of internal "sites" -- such as server IPMI, appliance configuration, etc. These are all things that are only available internally to my company. I don't care if the certs are actually signed or not. I just need to be able to get to them. And now, Firefox is completely useless when dealing with these things. Completely useless to me.
I don't want to turn off security for the whole freaking world just so I can get to my internal sites. Give me an option to click through the error. Give me the "I know the risks" button and let me create an exception for these sites. Without this, I'll be uninstalling Firefox and using Chrome exclusively.
Hi mrwboilers, this old question is already marked as solved. You can start a new question with details about the error you are getting, please include the description from the Technical Details section of the page.
To start a new question here on the support forum, you can use this link:
https://support.mozilla.org/questions/new/desktop/fix-problems
The form is split over several pages, so scroll down past the suggestions to continue with submission.
Or, to give input on changes you want in future versions of Firefox, I suggest these two avenues:
(1) Input site: https://input.mozilla.org/feedback
(2) Bug tracking site, where you can file a new bug report or vote for an existing one to get fixed: https://bugzilla.mozilla.org/ (see: Bugzilla Etiquette, Voting)