SEC_ERROR_UNKNOWN_ISSUER error, re-open in new tab fixes
Running 5.2 ESR on Windows 7 and 10. We've got a website with a wildcard cert to our internal PKI and are setting security.enterprise_roots.enabled to True. The issue is, on first going to the site with the wildcard it will show a SEC_ERROR_UNKNOWN_ISSUER error. If you refresh, no effect. If you open a new tab and go to the same website it then works, shows secure. So, it looks like when we go in the new tab, it finally downloads the intermediate cert to complete the chain and in the new tab is happy, but why does it not work initially? I can reproduce by deleting the intermediate; the same behavior then presents itself again. Just trying to figure out why, when it first goes to the site, it does not seem to recognize the intermediate cert, yet just by returning to the site in a new tab it does.
All replies (6)
That's very strange!
One of the main technical changes in Firefox 54 was to enable more individual content processes. In Firefox 48-53, the Firefox multiprocess feature would create one process for the UI and one process for content. Now Firefox will aim for four content processes. Perhaps this is an unexpected side effect of this change?
You could try rolling back the number of content processes to 1. If this doesn't work, you may need to revert to single-process mode. Here's how you can try this:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste ipc and pause while the list is filtered.
(3) If the dom.ipc.processCount preference is bolded and "user set" to 4, double-click it and edit the value to 1, then click OK
Presumably that will not take effect until the next startup, at which time you should check it to make sure it hasn't reverted back. Any difference?
Alternately, you can disable multiprocess mode using a different preference:
(4) In the search box above the list, type or paste autos and pause while the list is filtered.
(5) Double-click the browser.tabs.remote.autostart.2 preference to switch the value from true to false
Note: the exact name of the preference may vary, but it will start with browser.tabs.remote.autostart
At your next Firefox startup, it should run in the traditional way. Any difference?
So, I'm using ESR 52.2.1 right now. Here is actually the interesting thing: it's only the first "Welcome" tab, the one that has the donation links, that seems to be the issue. If I open Firefox for the first time and hit the URL in that tab, it comes up unsecure; then just open a new tab, do nothing in that new tab, go back to the old one and refresh, and it shows as secure. So it looks like something is buggy with the way the first welcome tab is loaded, because if you just freshly open a newly installed FF with the config in place, then immediately open a new tab, that new tab goes right into the website and downloads and installs the intermediate cert like it should.
If security.enterprise_roots.enabled was not enabled, and the intermediate cert was not previously saved in that profile (in cert8.db), would you get the error every time? Just wondering if this is a delay or glitch with the initialization of security.enterprise_roots.enabled.
I am not sure. We were deploying using the enterprise roots config in order to avoid having to manage yet another cert store (much simpler to drop Mozilla.cfg files than deploy certs), but I know users that had manually installed the root and intermediate were of course not experiencing the issue. Of note, if it's an initialization issue, it appears to only initialize on site load, as loading FF and letting it sit there for several minutes makes no difference. Also, there is another site without a wildcard cert that properly loads and dl's the intermediate when using the first tab w/enterprise roots. Just weird, but I'm starting to think I've found a bug.
Just to be clear: it is Firefox's default behavior not to seek out intermediate certificates from sources other than the server itself. Firefox expects the server to send all certificates necessary to chain up to a trusted root.
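The point in the reply above is easy to check outside the browser. The following script is an added example, not part of the support thread: it builds a throwaway root, intermediate and wildcard server certificate with openssl (all names, such as `*.corp.example`, are constructed placeholders, not the poster's PKI), then shows that validating the leaf with only the root in the trust store and no intermediate fails with OpenSSL's "unable to get local issuer certificate", which is the same chain-building failure Firefox reports as SEC_ERROR_UNKNOWN_ISSUER, and that it succeeds once the intermediate is supplied. The last comment shows the equivalent check against a real server.

```shell
#!/bin/sh
# Added example (not from the thread): demonstrate the "unknown issuer" failure that results
# when a server sends only its leaf certificate and the client has no cached intermediate.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required"; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed self-signed root CA (stand-in for the internal PKI root that
# security.enterprise_roots.enabled would import from the Windows trust store).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Internal Root" \
  -keyout root.key -out root.csr >/dev/null 2>&1
openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext -out root.crt >/dev/null 2>&1

# Intermediate (issuing) CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
  -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -days 1 -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out int.crt >/dev/null 2>&1

# Wildcard server certificate signed by the intermediate (hostname is a placeholder).
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.corp.example\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.corp.example" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -days 1 -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -extfile leaf.ext -out leaf.crt >/dev/null 2>&1

# What a client sees when the server sends only the leaf and the trust store holds only
# the root: no path to a trusted issuer. Prints 0 on success, 1 on failure.
verify_with_root_only() {
  if openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# The same leaf once the intermediate is available, either because the server sent it
# or because the client cached it from an earlier connection. Prints 0 or 1 as above.
verify_with_intermediate() {
  if openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# Number of certificates in a PEM bundle; a correctly configured server sends leaf + intermediate(s).
count_pem_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# The bundle the server should be configured to present (leaf first, then the intermediate).
cat leaf.crt int.crt > fullchain.pem

echo "root only, no intermediate: $(verify_with_root_only)"      # 1 = unable to get local issuer certificate
echo "root + intermediate:        $(verify_with_intermediate)"   # 0 = chain validates
echo "certs in fullchain.pem:     $(count_pem_certs fullchain.pem)"

# Against a real server, replace HOST with the site's name and inspect what it actually sends:
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
# If only one BEGIN CERTIFICATE block comes back for a cert issued by an intermediate,
# the server is not sending the full chain and every fresh client will hit this error.
```

The `-servername` option matters for the real-server check because a wildcard certificate is often served through SNI; without it a different default certificate may be returned.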
Yes, but that works with this server... but only in a tab that is not the "welcome" tab.