firefox 31 + self-signed certificate = sec_error_ca_cert_invalid

If you are trying to access a site with a self-signed certificate in Firefox 31 (or later) and get the "Issuer certificate is invalid" error (sec_error_ca_cert_invalid), you have to disable the new mozilla::pkix certificate verification that Firefox 31 switched to.

In about:config set

security.use_mozillapkix_verification = false

and restart Firefox; the change does not reliably take effect until you do.

To find out more about mozilla::pkix and why your Firefox just got so super secure and paranoid that it doesn't allow you to access your own site without googling, see https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification. I'm only wondering why they renamed it from insanity::pkix to mozilla::pkix – do they confess that 'mozilla' is slowly becoming a synonym for 'insane'? ?-) Throwing such an error without any hint or possibility to add an exception (as usual) is IMHO insane – but who cares about power users today…

Update: As noted in the comments, this does not work in Firefox 33 (or later), where the preference no longer has any effect.

Update2: As noted by #29 and the referenced bugs, there seem to be (at least) two major cases where the new insane::pkix refuses to accept an https site:

  1. Your internal CA certificate doesn't specify CA:TRUE in the X509v3 Basic Constraints extension.
  2. Your self-signed server certificate (the last one in the certificate chain) specifies CA:TRUE (the default for certificates generated by the pkitool script from the easy-rsa suite) and you have your CA certificate installed in FF.

See also FF bug #1042889.

Update3: Thanks to the work of Kai Engert, there is a fix for this in Firefox 31 ESR (download from https://www.mozilla.org/en-US/firefox/organizations/), and hopefully the same also comes with Firefox 33.1.
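To see which of the two cases from Update2 applies to a given server, here is a small diagnostic script. It is added here as an example and is not part of the original post, of easy-rsa or of Mozilla's tooling. It pulls the chain with openssl s_client -showcerts (the same command Kai suggests in the comments) or reads a saved PEM bundle, prints the X509v3 Basic Constraints of every certificate, and flags a server certificate marked CA:TRUE (case 2) or an issuer certificate lacking CA:TRUE (case 1). It assumes openssl is on PATH and that the bundle is in s_client order (server certificate first, issuers after it); it inspects extensions only and does not verify signatures or trust. The script and function names are my own.

```shell
#!/bin/sh
# check_bc.sh: report X509v3 Basic Constraints for each certificate in a chain
# and flag the two mozilla::pkix failure cases from the post. Example code,
# not from the original post. Assumes `openssl` is installed and the bundle is
# in `openssl s_client -showcerts` order (leaf first). Extensions only, no
# signature or trust verification.
set -u

# Print CA:TRUE, CA:FALSE or "absent" for the Basic Constraints of the single
# PEM certificate read from stdin.
basic_constraints() {
    openssl x509 -noout -text 2>/dev/null |
        awk '/X509v3 Basic Constraints/ { grab = 1; next } grab { print; exit }' |
        grep -oE 'CA:(TRUE|FALSE)' || echo absent
}

# Print the n-th (1-based) PEM certificate of bundle $1 to stdout. Text between
# certificates (s_client's "depth=" / "s:" lines) is harmless to openssl x509.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ } c == n' "$1"
}

# Report every certificate in bundle $1; return 1 if either case applies:
#   case 1: an issuer certificate without CA:TRUE
#   case 2: the server (leaf) certificate carries CA:TRUE
check_chain() {
    file=$1
    total=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || true)
    [ "$total" -gt 0 ] || { echo "no certificates in $file" >&2; return 2; }
    status=0
    i=1
    while [ "$i" -le "$total" ]; do
        subject=$(nth_cert "$file" "$i" | openssl x509 -noout -subject 2>/dev/null)
        bc=$(nth_cert "$file" "$i" | basic_constraints)
        verdict=ok
        if [ "$i" -eq 1 ]; then
            role=leaf
            [ "$bc" = "CA:TRUE" ] && verdict="PROBLEM (case 2): server certificate is marked CA:TRUE"
        else
            role=issuer
            [ "$bc" = "CA:TRUE" ] || verdict="PROBLEM (case 1): issuer certificate lacks CA:TRUE"
        fi
        printf '%d %-6s %s  basicConstraints=%s  %s\n' "$i" "$role" "$subject" "$bc" "$verdict"
        [ "$verdict" = ok ] || status=1
        i=$((i + 1))
    done
    return "$status"
}

# Fetch the chain from a live server (host $1, port $2, default 443) and check it.
check_host() {
    tmp=$(mktemp) || return 2
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null >"$tmp" 2>/dev/null
    if check_chain "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: ./check_bc.sh chain.pem    or    ./check_bc.sh --host HOSTNAME [PORT]
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--host" ]; then check_host "$2" "${3:-443}"; else check_chain "$1"; fi
fi
```

The fix on the server side is to reissue rather than to fight the browser: give the CA certificate basicConstraints = critical, CA:TRUE and the server certificate basicConstraints = CA:FALSE (an OpenSSL extension section selected with -extensions when signing), then re-import the CA certificate in Firefox.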


71 thoughts on “firefox 31 + self-signed certificate = sec_error_ca_cert_invalid”

  1. Firefox has been making me sad lately. We had a customer have issues with the new 5 minute http response timeout (I think it was added in 29 or 30) and now this. As a Firefox fan from the time I realized Internet Explorer wasn’t the only browser, this is saddening.

  2. Thanks! Just upgraded to FF 31 and ran into that problem too. This blog post saved me a lot of time!

    “…who cares about power users today…” – so sadly true nowadays …

  3. Unfortunately, this fix worked for a little while but now has stopped.

    FF was my favorite but this is forcing me to transition to another browser. Too bad. Why do companies walk away from their customers?

  4. @RayB
    Same here… but for companies' internal websites it works and for external ones it doesn't. Possibly because the OCSP protocol is blocked by the company's firewall?

  5. Alhamdulillah. It works!… I've been searching this out to end this one case and ended up here. Thank you Sam. It's saving me a lot of time!… ahmad-indonesia.

  6. It really freaks me out… Have a bunch of “internal” websites. Most of them with self-signed certificates. When I set this param to “false”, half of the sites work, but it breaks the other half. And vice versa. So, now I have to remember which sites I should access in IE?

  7. I had this problem when I upgraded to Firefox 31 on Linux (CentOS) yesterday. I found that the default setting for security.use_mozillapkix_verification was ‘false’, and that I already had that default setting. For the hell of it, I tried changing the setting to ‘true’ (i.e. the opposite of your advice). Lo and behold, everything then worked OK. Strange or what?

  8. Ed,
    Thanks for the tip. Same thing here, I had the setting at false due to last month's patch and now I had to switch it back to true and things work.
    Firefox 32.0.2

  9. Struggling with this issue myself. Shame on you Mozilla, you know, there are some IT professionals out there who rely on your browser to get stuff done and we'd appreciate an “override” option. Ridiculous.

  10. At the moment the only solution is to keep the about:config tab open and toggle that sh***y thing on and off depending on the web server I have to connect to.

  11. I personally agree that it should be possible to override the sec_error_ca_cert_invalid error, for example. The best example is where one really must access a piece of hardware in your intranet or home network which uses a bad embedded certificate that cannot be changed.

    For now, it’s good that you found the workaround, but I would like to ask for your help.

    There has been debate by Mozilla developers, if it should be possible to override the error or not. Also, there are multiple scenarios of bad certificates that can trigger this particular error code.

    Apparently one scenario has been fixed in Firefox 33 (currently in Beta, due to be released in about a week), see https://bugzilla.mozilla.org/show_bug.cgi?id=1063315

    Apparently another scenario still hasn’t been fixed in Firefox 33, and the current owner of that code has argued that’s how it should be, see his comment at https://bugzilla.mozilla.org/show_bug.cgi?id=1042889#c32

    Could you please download a Beta/Test version of Firefox 33 from https://www.mozilla.org/en-US/firefox/channel/#beta and test if it allows you to access your site?

    If it doesn’t work, could you please provide a link to the site, or alternatively, could you please provide information on what kind of device you still aren’t able to access with Firefox 33? If we can come up with a set of scenarios that still don’t work, hopefully it will be convincing to implement the ability to override those scenarios, too.

    Note that in Firefox 33 it’s apparently no longer possible to use the mentioned configuration to use the classic behaviour.

    Thanks for your testing and your feedback. If you find sites or devices that still don’t work, please file a bug at bugzilla.mozilla.org, product Core, component Security:PSM, provide a link to a public site, or provide the name of the incompatible device, and add :keeler and :kaie to the CC list.

  12. Please help me. Please send me example certificates of servers that you cannot connect to. Please also tell me the behaviour with “true” and “false” respectively.

    Also please note, whenever you change the config value, you must restart Firefox for the changed config to reliably take effect.

    Please run the following command, and send me the output by email:
    openssl s_client -connect HOSTNAME:443 -showcerts

    (where HOSTNAME is replaced with the real server hostname, and if necessary,
    443 is replaced with the port that is used to connect to web interface of
    the server. 443 is used by default when using https:// )

  13. update: Indeed, there are also sites that cannot be accessed with the preference set to false. At least, now I have access to a test server. You may follow the bugzilla.mozilla.org bugs for updates.

  14. Update 2:

    There are different kinds of bad certificates which can produce the sec_error_ca_cert_invalid. The mentioned preference, security.use_mozillapkix_verification, decides if old or new code is used to validate a certificate. Some certificates produce sec_error_ca_cert_invalid with the old code, other certificates produce sec_error_ca_cert_invalid with the new code.

    This is why some people had success by changing the preference to false, and other people by changing it to true, because the other code might produce a different error code, which was overridable. But no setting guaranteed that you could override sec_error_ca_cert_invalid with any bad certificates.

    In Firefox 31.2 ESR, which will be released in the next few days (Tuesday?), it will be possible, again, to always override sec_error_ca_cert_invalid, just like it was in Firefox 30 and older.

    (You can already find 31.2.0esr candidate builds on the Mozilla ftp server, the latest one should work. It can be found at https://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/31.2.0esr-candidates/ if you want to do early testing.)

    I don’t know when Firefox 32 and later will be fixed to allow overrides in all scenarios, the discussion about the right approach and timing, and whether or not to include a fix in next week’s Firefox 33.0, is still ongoing.

    But for now, you can use the Enterprise Support Release (ESR) of Firefox 31.2.0 and later.

  15. Wouldn’t it be great if all browsers were designed to _just_suppose_ that localhost:8443 is quite unlikely to be some malicious third party?

    For class A or B private networks, it might be a choice. But for the loopback interface and the port traditionally used by us web developers? Goodness, I shouldn’t have had to waste more than a week trying to do it for the third time, only to discover this insanity. I’ve designed the core structure of my app to accept some actions only on secure, and all links between the two parts specify the scheme; I shall not conduct a small porting just to be able to complete working on it, and then reverse it when I slap it onto hosting with a proper cert. No. I hope it will be enough to downgrade Firefox back to where it was.

  16. This totally stops me from using Firefox, I don’t understand the thinking behind not allowing for an override mechanism.

  17. An error occurred during a connection to u16396725.onlinehome-server.com:8443. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)

    The server is run by 1and1 – this is the plesk install on that server. Using FF 33 I can no longer use FF to manage my clients. Hello chrome.

  18. I work for a VAR. This means I have to connect to all sorts of customers, some who have expired certificates, old equipment, etc. That’s the reality of the business. Is it poor security? Certainly. But it is what it is. I can’t force them to upgrade.

    This makes Firefox USELESS to me.

    I’ll just use Chrome. I don’t need the grief…

  19. I’m working as a system administrator, which means I have to use many iLOs and IPMIs; this RUINS Firefox for me.. the guys at mozilla really fucked up this time. I do not have the time or nerves to compile an unstable firefox from a dev mirror in order to be able to do my job!!!

    goodbye Firefox!

  20. Kai, it’s totally FUBAR’d in 33.0 No warning. No “are you sure”, just “this page can not be displayed contact the site owner and go screw.” Page is loaded in chrome just fine. FF has gotten in the way of doing the job it was designed to do, display websites. FF was not designed for any other purpose, just to display HTML, CSS and Javascript according to the rules of the parser.

    It’s simple. They over did it. They don’t give the user the ability to tell FF that they don’t want that level of security. They don’t warn and allow you to continue. NADA. F U B A R.

  21. What total assholes. I have Firefox 33 and can’t connect to my Tomato wifi router on my home LAN. No override?! By day I’m a computer security guy, and this is just insane, even by the paranoid norm of the field.

  22. Read the thread at:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1042889
    Updated and restarted FF.
    FF now at 33.0.1
    Still fails
    An error occurred during a connection to 74.208.163.XXX:8443. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)

    Hell, they knew as early as 2014-07-23 12:15:48 PDT that this was an issue
    Alexei Yuzhakov 2014-09-04 19:30:29 PDT – OVER A MONTH AGO

    Guys, millions of Plesk users may stop using Firefox due to this problem. Plesk comes with a default autogenerated SSL certificate. But the majority of providers do not change it and continue to use the autogenerated certificates. End-users of these providers will be facing this problem.

    Clearly, they don’t care that Plesk users are all switching from FF to Chrome. Really, the folks at google should send the FF folks a thank you card.

  23. Firefox, you idiots. Don’t you realize it’s the IT folks who recommend browsers to companies and users? We can’t use FF to do our job anymore! It’s not realistic to not have an override… I have to go back to IE or Chrome now.

    Talk about shooting yourselves in the foot. You’ll be bleeding marketshare until this is fixed. Many may never come back.

  24. Unbelievable…. How can you implement such a ridiculous “feature”???
    This HAS to be overridden sometimes – especially in the IT department.
    Talking about self signed certificates for testing purpose….
    Bye FF, welcome IE

  25. Just noticed I can't access HP iLO sites anymore with FF33 because the workaround for FF31 doesn't work anymore…. LOL!! This is such a joke! Incredible! This really makes me mad. MAD!! This browser is getting worse with every version! To whoever at mozilla invented this “feature”: WHAT THE FUCK ARE YOU SMOKING!?!?!?! You know what? SHOVE YOUR BROWSER UP YOUR BUM!!! I'm done with this!!! For admin stuff I use IE now, even that thing is better than mozilla’s browser from hell!

  26. Mostly only IT people still use Mozilla FF – because of plug-ins. And with every next build Mozilla team does their best to help them to switch to chrome….

  27. Hmmm.. maybe Google is paying some coders at Mozilla to ruin Firefox – conspiracy or not – but you can’t take a great product and make it crap in less than 1 year without outside “help”…

    They don’t care anymore because someone is being paid not to care. – my point anyway….
    nice to have safari in place!

  28. well, just switched from FF 33 to google chrome.
    cannot use any single https webpage with FF anymore!
    bye FF, will miss your great add-ons. now f*ck off and die!

  29. 1. Tools > Options > Advanced > Certificates or Encryption > View Certificates
    2. Authorities > select your site’s certification > Edit trust
    3. “This certificate can identify websites”

    1. Laszlo,

      FF 33.0.3
      does not work.
      In Certificate Manager it shows the server as a (not stored) certificate. I go to add the security exception. I enter the Location and tell it to get the certificate. It returns a “no information available”. This is a Plesk box at 1and1.com that is self certified and worked with approved exceptions until FF changed it to deny without exceptions. I went into View Certificates and found two references to Parallels (the makers of Plesk) and did what you said, and it still didn’t work. I went to view the page information, and under the security tab it says that the connection is not encrypted.

      So as of FF 33.0.3 the developers are still telling all Plesk users to use another browser (Chrome) to access their boxes.

      Like I said before, Google couldn’t have paid for this kind of screwup by the development team to get the people who are the most technical, and the people that promote one browser over another in enterprises, to do more to ensure that we switched our user community from FF to Chrome.

      For years I have been responsible for making sure that every machine at a clients site was NOT running IE. FF has now ensured that when I go into a clients site I make sure that every machine that they have is running Chrome. Since one of my clients is a major aerospace company, and another that is signing contracts next week is a major health insurance company, these “recommendations by an expert” that they are paying $250/hr from carry a great deal of weight.

      I know that 1and1 is telling all the people that call and use Plesk, and can’t get into their panel’s, to move over to Chrome. Thousands of users abandoning FF, and in doing so telling others to stop using the browser. Google execs must be very pleased with this technical infighting and bad decision making on FF part. And Kai Engert knows this and has told the team to fix it (and even provided a fix) and still they release one new version of crapware after another that stops the thought leaders from being able to do their jobs in the browser.

      We told our users to stop using IE because IE doesn’t follow standards. Now we are telling our users to stop using FF because FF creates their own standards that get in the way of users doing their jobs. Software security that stops users from doing their jobs isn’t security, it crapware. Just like crapware that doesn’t follow standards and stops developers from being able to do their jobs.

      Back in the 1980’s at a DECUS conference Bill Hancock was asked if there was any way to ensure that your VAX was secure. His answer was “Unplug it from all networks, even the phone lines.” The only way to “secure” the Internet is to destroy it. Too bad the kids working on FF most likely never had the chance to listen to Bill talk, maybe they would have understood that chasing this golden goose is not going to be worth the cost in lost user base.

    1. JM Ivler: 33.1 includes the potential fix, it surprises me that it doesn’t work for you. Do you see any difference from earlier 33.0.x versions? If latest 31.x ESR works, then 33.1 should work, too.

      1. How do I enable this fix? I have 33.1 and connect to Linksys routers using self-signed certificates of DD-WRT.

  30. shut down browser.
    Installed 33.1
    Restarted browser
    went to Plesk (https://serverid.onlinehome-server.com:8443/ — “serverid” is the 1and1 server id)
    the following displayed:

    Secure Connection Failed

    An error occurred during a connection to u16396725.onlinehome-server.com:8443. Peer’s certificate has an invalid signature. (Error code: sec_error_bad_signature)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

    This is a Plesk server that I have open in a Chrome session. Thus the solution is non-functional with Plesk at this time in 33.1. I have read your comments in bugzilla, so if you need the URI for testing, please let me know and I’ll see what I can do to get it to you.

  31. Sorry with this issue, FF 33 is not practical without an override for me to connect anymore to my own server sites with self signed certificates. I will downgrade to usable FF and restart using Safari, IE and opera again. Bye bye,..

  32. I have some useful information for all the angry admins out there…

    If you are using Linux on your desktop machine, you can install the Epiphany browser. It doesn't have problems with bad certificates and doesn't block them, and, what is important, it supports Java (IcedTea), so you can access the IPMI remote control on HP iLO boxes or iDRAC, for example.

    On Windows you can simply use the internet explorer for admin work.

    btw…I can also recommend chromium (not chrome!) as a standard browser. it has all the important addons like adblock too. so no need for fat firefox anymore, you can ditch that shit like I did.

  33. Bye bye FF I’m on 34 and it still doesn’t work. I’ve been on FF since it was called Netscape. FF team has lost their way. This is plain arrogant to assume the user is that stupid that they don’t know when to accept a certificate.

  34. CAN SOMEONE EXPLAIN TO ME HOW A SELF-SIGNED CERTIFICATE IS WORSE THAN NO ENCRYPTION?!
    IT'S LIKE THEY’RE IN BED WITH SECURITY COMPANIES

  35. HELP PLEASE!

    Last FF (36.0.4) update and no chance to get to my mail site.
    security.use_mozillapkix_verification not existing.
    What else can I do???
    Tried with security.tls 0, which worked until now…

    Thank you so much.

  36. Use another browser. This behavior is insane from ff… we have internal sites with local domains, so I can’t get a valid cert for them… and now I cannot access them… I switch back to seamonkey now 🙁

  37. Who decided that it was a good idea to just disallow users to access any sites that are self-signed? No options to allow exceptions and NO FUCKING info at all.. This is what Microsoft does. Never expected this from Mozilla. Similar to the status bar.. just gone.. no options to enable it.. what the fuck! Need new leadership there perhaps. If there was a better choice, I’d dump FF in a heartbeat.

  38. It’s 2016, my FF is up to 47.0 and it still freaks out over self signed ssl certs. So effing annoying to keep having to add exceptions to my own servers. The only difference between my self signed cert and a $10 one from enom is that mine was free. *flips the bird at mozilla*
