Secure Connection Failed (Error code: sec_error_ca_cert_invalid)
Hello
I'm having troulbes accessing HP iLO with FF 36.0 on Ubuntu 14.04 LTS, getting the following error message:
========================
Secure Connection Failed
An error occurred during a connection to 172.25.X.X. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
========================
It seems to work with other browser such as Chromium, so the problem seems to be FF 36.0. Unfortunately, I don't have an "Add exception" button in FF that would allow me to bypass this warning.
I've already followed the following links: https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message https://support.mozilla.org/en-US/kb/troubleshoot-extensions-themes-to-fix-problems
But I didn't managed to get it work. Any idea how to get it fixed?
Alla svar (11)
Hi hansende,
Is this happening for just this cert connection? Is there a proxy being used? And if you change the Network Settings to "No Proxy"
In order to make sure that the certificate is compatible with the security settings built into Firefox, it is possible to look at the Certificate for the site from the url bar.
- Right Click on the page and select "Page Info"
- Click on Security and "View Certificate"
The CA certificate policy can be referenced: https://www.mozilla.org/en-US/about/g.../policy/
Hi guigs2
I have a bunch of other (newer) HP servers with iLO enabled. Seems to work fine there.
guigs2 said
- Right Click on the page and select "Page Info"
- Click on Security and "View Certificate"
Under the tab security I don't have an option View Certificate (I guess because the SSL connection couldn't get established, so no certificate info could be received?). But this might help:
==============
$ openssl s_client -connect X.X.X.X:443 CONNECTED(00000003) depth=1 /C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust) verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain
0 s:/CN=<redacted>/OU=ISS/O=Hewlett-Packard Company/L=Houston/ST=Texas/C=US i:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust) 1 s:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust) i:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
--- Server certificate
BEGIN CERTIFICATE-----
<redacted>
END CERTIFICATE-----
subject=/CN=<redacted>/OU=ISS/O=Hewlett-Packard Company/L=Houston/ST=Texas/C=US issuer=/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust) --- No client certificate CA names sent --- SSL handshake has read 1919 bytes and written 311 bytes --- New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA Server public key is 1024 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session:
Protocol : TLSv1 Cipher : EDH-RSA-DES-CBC3-SHA Session-ID: <redacted> Session-ID-ctx: Master-Key: <redacted> Key-Arg : None Start Time: <redacted> Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain)
==============
Regardsguigs2 said
The CA certificate policy can be referenced: https://www.mozilla.org/en-US/about/g.../policy/
Not sure what I should do with that. This is default, self-signed SSL certificate that comes out of the box when buying a HP server. Here's the certificate from a working iLO 4 interface:
-> Not working (iLO ? - HP ProLiant DL360 Gen7) -> Working (iLO 4 - HP ProLiant DL360 Gen9)
==============
$ openssl s_client -connect X.X.X.X:443 CONNECTED(00000003) depth=0 /CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US verify error:num=27:certificate not trusted verify return:1 depth=0 /CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain
0 s:/CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US i:/CN=iLO Default Issuer (Do not trust)/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
--- Server certificate
BEGIN CERTIFICATE-----
<redacted>
END CERTIFICATE-----
subject=/CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US issuer=/CN=iLO Default Issuer (Do not trust)/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US --- No client certificate CA names sent --- SSL handshake has read 852 bytes and written 307 bytes --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session:
Protocol : TLSv1 Cipher : RC4-SHA Session-ID: <redacted> Session-ID-ctx: Master-Key: <redacted> Key-Arg : None Start Time: <redacted> Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate)
==============
Regards
You can no longer use RC4 cipher suites, these are considered deprecated. So you can't connect to servers that only offer SSL3 and RC4 certificate.
This is now a standard:
- RFC 7465 - Prohibiting RC4 Cipher Suites:
https://tools.ietf.org/html/rfc7465
Hummmm ok, so what should I do with all my HP ProLiant DL360 Gen7 servers that are hosted in a DC 1000 miles away from here? I'm no longer able to administrate them (which means that I'm also not able to generate a new SSL certificate for iLO).
How can I re-enable rc4 in FF?
had to ran update on ubuntu ?
please run these commands in terminal
- apt-get update
- apt-get upgrade -y
Last week there were some updates related to certificates.
Ändrad
@Saurav: Yep, my Ubuntu is up to date. I can't find any way to renable RC4 in FF :-(
Hello
- Go to navigation var and type about:config
- search rc4
Set all to false.
Hopefully it solve your problem.
Ändrad
Saurav said
HelloSet all to false. Hopefully it solve your problem.
- Go to navigation var and type about:config
- search rc4
Done, & restarted FF. Still doesn't work :-(
Ya they are all default set to true, and its not a great experience that you have had to wait this long without being able to administrate the servers.
I do not want to recommend this a a permanent solution, however using a working older version of Firefox in the meantime might be a good way to update the security. Back up and restore information in Firefox profiles and Install an older version of Firefox
I have a better answer, upgrade to version 37 via bug 1138332
I can confirm that upgrading to FF 37 solved this problem. Thanks!