Firefox loses all trust every CA after while
We do have Firefox running in a corporate environment (Active Directory, Roaming Profiles, GPO Folder Redirections). For a while now Firefox loses all trust in every CA after the Firefox ran idle for a while.
And I do mean this literally: The do get SEC_ERROR_UNKNOWN_ISSUER on every site even though the chain checks out if I test it via:
``` openssl verify -CAfile /etc/ssl/certs/ca-bundle.crt -untrusted chain-from-ff.crt host.crt ```
The test is done on an independent Fedora Linux machine.
If the user restarts Firefox everything works again until the next time. On the machines there is only Windows Defender running no other antivirus software.
Все ответы (5)
Hi, has there been any changes to your firewall at the time this issue started ?
No active changes on the running system. It always happens after the user has the computer running in idle.
PS: Could someone change the tags of this thread? I have checked using Linux but the problem is not related to Linux in any way… The Clients are running on Windows 10
For the poor masses who find this question via search engine.
The problem appears to be the same as can be found in:
https://support.mozilla.org/en-US/questions/1226671 and on Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1479340
How about a actually screen shot of the error? No two same problems are triggered the same.
Did you make sure that the computer time is still correct? Are toy using internet based time servers to ensure a correct time?
Is this a certificate issue or is something else wrong?
You can check if there is more detail available about the issuer of the certificate.
- click the "Advanced" button show more detail
- click the blue SEC_ERROR_UNKNOWN_ISSUER error text to show the certificate chain
- click "Copy text to clipboard" and paste the base64 certificate chain text in a reply
If there is a different error message then please post its content or attach a screenshot.
If clicking the blue error text doesn't provide the certificate chain then try these steps to inspect the certificate.
- open the Servers tab in the Certificate Manager
- Options/Preferences -> Privacy & Security
Certificates: View Certificates -> Servers: "Add Exception"
- Options/Preferences -> Privacy & Security
- paste the URL of the website (https://xxx.xxx) in it's Location field
Let Firefox retrieve the certificate -> "Get Certificate"
- click the "View" button and inspect the certificate
You can see detail like the issuer of the certificate and intermediate certificates in the Details tab.