
Secure Connection Failed (Error code: sec_error_ca_cert_invalid)

  • 11 replies
  • 6 have this problem
  • 55 views
  • Last reply by hansende

more options

Hello

I'm having troubles accessing HP iLO with FF 36.0 on Ubuntu 14.04 LTS, getting the following error message:

========================

Secure Connection Failed

An error occurred during a connection to 172.25.X.X. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)

   The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
   Please contact the website owners to inform them of this problem.
========================

It seems to work with other browsers such as Chromium, so the problem seems to be FF 36.0. Unfortunately, I don't have an "Add exception" button in FF that would allow me to bypass this warning.

I've already followed the following links: https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message https://support.mozilla.org/en-US/kb/troubleshoot-extensions-themes-to-fix-problems

But I didn't manage to get it to work. Any idea how to get it fixed?

All Replies (11)

more options

Hi hansende,

Is this happening for just this cert connection? Is there a proxy being used? And if you change the Network Settings to "No Proxy"

In order to make sure that the certificate is compatible with the security settings built into Firefox, it is possible to look at the Certificate for the site from the url bar.

  1. Right Click on the page and select "Page Info"
  2. Click on Security and "View Certificate"

The CA certificate policy can be referenced: https://www.mozilla.org/en-US/about/g.../policy/

more options

Hi guigs2

I have a bunch of other (newer) HP servers with iLO enabled. Seems to work fine there.

guigs2 said

  1. Right Click on the page and select "Page Info"
  2. Click on Security and "View Certificate"

Under the tab security I don't have an option View Certificate (I guess because the SSL connection couldn't get established, so no certificate info could be received?). But this might help:

==============

    $ openssl s_client -connect X.X.X.X:443
    CONNECTED(00000003)
    depth=1 /C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/CN=<redacted>/OU=ISS/O=Hewlett-Packard Company/L=Houston/ST=Texas/C=US
       i:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
     1 s:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
       i:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    <redacted>
    -----END CERTIFICATE-----
    subject=/CN=<redacted>/OU=ISS/O=Hewlett-Packard Company/L=Houston/ST=Texas/C=US
    issuer=/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1919 bytes and written 311 bytes
    ---
    New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : EDH-RSA-DES-CBC3-SHA
        Session-ID: <redacted>
        Session-ID-ctx:
        Master-Key: <redacted>
        Key-Arg   : None
        Start Time: <redacted>
        Timeout   : 300 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
==============

Regards

guigs2 said

The CA certificate policy can be referenced: https://www.mozilla.org/en-US/about/g.../policy/

Not sure what I should do with that. This is the default, self-signed SSL certificate that comes out of the box when buying an HP server. Here's the certificate from a working iLO 4 interface:

-> Not working (iLO ? - HP ProLiant DL360 Gen7)
-> Working (iLO 4 - HP ProLiant DL360 Gen9)

==============

    $ openssl s_client -connect X.X.X.X:443
    CONNECTED(00000003)
    depth=0 /CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
       i:/CN=iLO Default Issuer (Do not trust)/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    <redacted>
    -----END CERTIFICATE-----
    subject=/CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
    issuer=/CN=iLO Default Issuer (Do not trust)/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 852 bytes and written 307 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: <redacted>
        Session-ID-ctx:
        Master-Key: <redacted>
        Key-Arg   : None
        Start Time: <redacted>
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
==============

Regards
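Added example (not part of the thread or of any poster's reply): a small Python audit that reads the summary lines of an `openssl s_client` transcript like the two above and lists the properties a modern TLS client is likely to object to. The finding labels, the 2048-bit key threshold and the legacy-protocol list are assumptions of this example, and it makes no claim about which property triggers `sec_error_ca_cert_invalid`.

```python
import re

# Constructed samples: summary lines copied from the two dumps in the post above.
ILO3_SAMPLE = """\
issuer=/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
    Protocol  : TLSv1
    Verify return code: 19 (self signed certificate in certificate chain)
"""
ILO4_SAMPLE = """\
issuer=/CN=iLO Default Issuer (Do not trust)/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
    Protocol  : TLSv1
    Verify return code: 21 (unable to verify the first certificate)
"""

def audit_s_client(text):
    """Return a sorted list of findings for one `openssl s_client` transcript."""
    findings = set()
    m = re.search(r"Cipher is (\S+)", text)
    cipher = m.group(1) if m else ""
    if "RC4" in cipher:
        findings.add("rc4-cipher")
    if "DES" in cipher:  # matches DES-CBC3 (3DES) as well as single DES
        findings.add("des-family-cipher")
    m = re.search(r"Server public key is (\d+) bit", text)
    # Assumption of this example: treat RSA keys under 2048 bits as weak.
    if m and int(m.group(1)) < 2048:
        findings.add("weak-key-%s-bit" % m.group(1))
    if "Secure Renegotiation IS NOT supported" in text:
        findings.add("no-secure-renegotiation")
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    if m and m.group(1) in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        findings.add("legacy-protocol-" + m.group(1))
    m = re.search(r"Verify return code: (\d+)", text)
    if m and m.group(1) != "0":
        findings.add("verify-code-" + m.group(1))
    if re.search(r"^issuer=.*\(Do not trust\)", text, re.M):
        findings.add("factory-default-issuer")
    return sorted(findings)

if __name__ == "__main__":
    for name, sample in (("iLO3", ILO3_SAMPLE), ("iLO4", ILO4_SAMPLE)):
        print(name, audit_s_client(sample))
```

Both interfaces share the 1024-bit key, TLSv1 and the factory-default issuer; they differ in cipher family, renegotiation support and verify code.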

more options

You can no longer use RC4 cipher suites, these are considered deprecated. So you can't connect to servers that only offer SSL3 and RC4 certificate.

This is now a standard:

more options

Hummmm ok, so what should I do with all my HP ProLiant DL360 Gen7 servers that are hosted in a DC 1000 miles away from here? I'm no longer able to administrate them (which means that I'm also not able to generate a new SSL certificate for iLO).

How can I re-enable rc4 in FF?

more options

Had to run update on Ubuntu?

Please run these commands in terminal

  1. apt-get update
  2. apt-get upgrade -y

Last week there were some updates related to certificates.

Modified by Saurav

more options

@Saurav: Yep, my Ubuntu is up to date. I can't find any way to re-enable RC4 in FF :-(

more options

Hello

  1. Go to navigation bar and type about:config
  2. search rc4

Set all to false.

Hopefully it solves your problem.

Modified by Saurav

more options

Saurav said

Hello
  1. Go to navigation bar and type about:config
  2. search rc4
Set all to false. Hopefully it solves your problem.

Done, & restarted FF. Still doesn't work :-(

more options

Ya they are all default set to true, and it's not a great experience that you have had to wait this long without being able to administrate the servers.

I do not want to recommend this as a permanent solution, however using a working older version of Firefox in the meantime might be a good way to update the security. Back up and restore information in Firefox profiles and Install an older version of Firefox

more options

I have a better answer, upgrade to version 37 via bug 1138332

more options

I can confirm that upgrading to FF 37 solved this problem. Thanks!