Invalid certificate is actually valid - how to prevent?
Using Firefox 3.6.16 and 4.0.1 I've run into a situation where I can't access a web site based on untrusted certificate.
When I first visit a web site that uses self signed certs, I get the usual "This connection is untrusted" warning page. I click "add exception", get the cert, verify it's right and then click "confirm security exception" with "permanently store this exception" selected (someone explain why this is selected by default!??!). Now I'm into the page.
The next time I go to that site, same message. Yup, I save the exception but it still says untrusted site. But this time when I click "add exception" the next windows says "this site provides valid, verified identification. no need to add exception" and "confirm security exception" is grey'ed out. No way to access the page.
The only work around I've found is to delete the cert from the store AND clear all browser history. Without clearing the history, even with the cert removed the same problem exists. I've now resorted to NEVER permanently saving exceptions.
Why does this happen? Why can't I click "confirm..." anyways and just go on to the page? Is there some setting I can tweak to fix this or is this a bug in the cert validation sequence firefox uses? Thanks
所有回覆 (10)
Check the date and time in the clock on your computer: (double) click the clock icon on the Windows Taskbar.
Both/all are within 30 secs of each other. Same timezone, all on DST. And this isn't an issue with just one site or network device. I can reproduce it on just about any website using self signed certs including Windows servers (2003, 2008R2).
Did you check who issued those certificates after you have retrieved them?
It shouldn't be necessary to set exceptions that often.
Do you have security software or a router with a firewall that may be sending their own certificates instead of passing the certificate send by web servers??
They are self signed certificates (should have put that in the 1st sentence, not the 2nd). Nothing is swapping certs. Happens quite a bit when you have devices that use SSL w/out a PKI system in place. Any just about every QNAP, Linksys, Netgear, etc. uses web pages to manage so lots of gear handing out self signed certs.
Thanks for the advice but the problem I'm trying to fix is not why I get untrusted certs. I know why. They are verified as the self signed certs I expect. That's not the problem.
What I'm trying to fix is why FF says it's untrusted the 2nd or 3rd time you go to the site but then when you get to the exception page, it says it is trusted and there is no option to continue. The only way to view the site again is to delete the cert, clear all history, restart FF and go thru the exception page again.
There is clearly a bug in FF. It says it doesn't trust the cert than says that it does. And there's a bug in that you can't get past this conflict.
i too have been having this problem. ironically the worst offender is the addons.mozilla.org.
the FF addons webpage is fine in IE but i can't get any images on that page in FF 3.6.19 and a couple earlier versions as well.
i keep getting 5-6 not secure, can't verify, etc. static.addons.mozilla.net:443 and cdn.
i downloaded the newest FF and it didn't make a difference...and many of my addons weren't compatible....so i went back to 3.6.19. i am going nuts here. i have a similar thing with many emails in TB. i'm beginning to think that FF & TB either have 1. too much security or 2. not enuf instructions so users can change the settings. HELP.
i forgot to mention i've tried ALL the suggestions above and on a few other support pages...and nothing has worked. i've even deleted many of the mozilla.com and mozilla.org certificates hoping that would allow the program to reset them. but that too failed. thanx for reading this. and hopefully mozilla will find the bug and fix it OR give us instructions how to take of it ourselves. hmmmm...i wonder if google chrome has these problems....and all the FF conveniences?
I had the same problem today(couldn't access any secure acc'ts) on either one of our computers. However, I finally noticed the time and date was not accurate-off by a few years and hours!! We had a power outage yesterday and I think a surge reset something in the computer. When I changed the time and date to the correct time and date, both computers were once again able to access all our accounts. PS it took me three hours to find the problem!
I've verified time on all the PCs in question (setup NTP) and that still did not fix the issue. I still think there is a bug here that Mozilla hasn't looked at yet.
The problem is that the certificates I'm running into that cause this problem in FF are self signed by cPanel or WHM, the server control panel software.
I know these certificates are safe, because I created them on a server I have physical access to.
I am having this problem in my job at a web hosting company. Usually I can click "cancel" on a warning that comes up saying they are untrusted. I have to click this "cancel" on the warning at least three times, sometimes more, then I get to accept the certificate.
My complaint is not so much that FireFox doesn't let me to the sites, rather that I deal with at least 200-300 of these same exact issues in an 8 hour period, and the amount of time getting FireFox past these messages is becoming significant, at least 30 minutes to an hour of actually clicking cancel, reopening windows, tabs, and finally getting to the site.
Any suggestions would be fantastic! ^_^
I don't have this problem in Chrome ironically ... I get a single message stating "SSL is untrusted", and a single button to click through to the site ... the button even is set to the first tab focus, so I just click to the site that has the self signed certificate, press enter on the keyboard, and the site is loaded ...
Chrome just doesn't have a plugin or extension yet that allows for a tab bar to be verticle, tree-style, and on the side of the screen of your choice ...
Maybe I'll try FF 4 or higher and see if that gives me the same problem ... btw FF / Mozilla... how's Linux based support coming along? Also, Why do you have to insist that Debian can't use the name FireFox? IceWeasel is so silly :P