default ssl certificate is invalid

Bug #187341 reported by Alex Mauer
Affects: cupsys (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned

Bug Description

The default SSL certificate installed with cups is considered invalid by Firefox 3.0. The error message given when trying to access the administration view is:

Certificate key usage inadequate for attempted operation.

(Error code: sec_error_inadequate_key_usage)

This is with dapper.

crasher5 (anchakarov) wrote :

Lame Workaround:
In order to open a website that would give this error I downloaded the latest 2.* version from a binary (2.0.0.12 tar.gz), extracted and started Firefox 2.0.0.12. From there I was able to accept the certificate and open the website. The certificate was automatically transferred to the Beta 3.* version. Good luck! Fix this or find better workarounds!

Caroline Ford (secretlondon) wrote :

Could you give more details as I'm not sure what you are trying.

You are using firefox 3 (on a dapper machine?) to connect to a printer remotely? What machine is the printer connected to?

Changed in cupsys:
status: New → Incomplete
Alex Mauer (hawke) wrote :

I am using firefox 3 on a hardy machine to connect to a cups server running dapper. The printer is a network printer.

Klaus Heinrich Kiwi (klauskiwi) wrote :

I can reproduce this when trying to access an IBM Hardware Management Console (an appliance to manage POWER-based machines).

Env.: Firefox 3 beta 3, up-to-date Hardy Heron.

Looks like Firefox 3 isn't accepting self-signed certificates anymore - a workaround (button to add to exception list) would be welcome here.

Klaus Heinrich Kiwi (klauskiwi) wrote :

This is a Firefox3 issue with self-signed certificates

Changed in cupsys:
status: Incomplete → Confirmed
Alex Mauer (hawke) wrote :

No it's not. Firefox (correctly) gives the error "The certificate is not trusted because it is self signed." for a self-signed cert, and allows you to add an exception (the last as of beta 3)

The problem is with one of the other attributes of the certificate which cupsys uses by default.

Changed in firefox-3.0:
status: Confirmed → New
Eric Drechsel (ericdrex) wrote :

Alex: specifically which attribute?

I'm trying to troubleshoot a similar issue with the self-signed cert in Sage ( http://sagemath.org ) generated by gnutls: http://trac.sagemath.org/sage_trac/ticket/1754

Perhaps Mozilla people could provide a document about how to make self-signed certs work with FF3 so that we can get our apps in shape.

Alex Mauer (hawke) wrote :

Not sure. I believe it is missing one of the Certificate Key Usage attributes which firefox feels is required. The list of all certificate key usage values is here: http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html

However, I'm not sure which usage values firefox wants.

You can retrieve the details of a certificate from a server by doing: 'openssl s_client -showcerts -connect [host]:[port] | openssl x509 -text'. Looking at your examples, that would be 'openssl s_client -showcerts -connect localhost:8000 | openssl x509 -text'
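
The inspection described in the comment above, as an added example that is not part of the original thread: it builds two constructed self-signed certificates, prints each one's Key Usage bits, and asks OpenSSL whether it accepts the certificate for the "SSL server" purpose. The function names and `example.invalid` are assumptions, OpenSSL 1.1.1 or later is assumed for `-addext`, and OpenSSL's purpose check is used as a stand-in that may not match Firefox's (NSS) logic exactly.

```shell
#!/bin/sh
# Added example: constructed certificates, not the CUPS default certificate.
# Assumes OpenSSL 1.1.1 or later (for -addext) and its default config file.

# make_cert <prefix> <keyUsage value>: self-signed cert carrying only that keyUsage.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.invalid" \
        -addext "keyUsage=critical,$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# key_usage <cert.pem>: print the Key Usage bits as a single line.
key_usage() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//'
}

# ssl_server_ok <cert.pem>: succeed if OpenSSL accepts the cert as "SSL server".
ssl_server_ok() {
    openssl x509 -in "$1" -noout -purpose | grep -q '^SSL server : Yes'
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed inputs: one cert that may only sign certificates,
    # one that carries the bits a TLS server key is normally given.
    make_cert "$dir/bad" "keyCertSign"
    make_cert "$dir/good" "digitalSignature,keyEncipherment"
    for c in bad good; do
        if ssl_server_ok "$dir/$c.pem"; then
            verdict="usable"
        else
            verdict="inadequate"
        fi
        echo "$c: [$(key_usage "$dir/$c.pem")] -> $verdict for a TLS server"
    done
    rm -rf "$dir"
}

demo
```

To check a live server instead, save the output of the `openssl s_client -showcerts -connect [host]:[port]` command from the comment to a file and pass that file to `key_usage` and `ssl_server_ok`.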

Wari Wahab (wari) wrote :

As of Firefox 3 Beta 5, and possibly new updates to Firefox 2, all self-signed certs are considered invalid, and this is done in such a way that you can never bypass them. I encountered this when I recently updated Hardy. I hope that the Firefox developers are looking into this, as when I search around, this bug is everywhere.

I'm facing the problem with my servers on the network that are self signed. Anyway, see:

Bug 427081: Allow to override SEC_ERROR_INADEQUATE_KEY_USAGE
https://bugzilla.mozilla.org/show_bug.cgi?id=427081

and the patch to resolve this:
https://bugzilla.mozilla.org/attachment.cgi?id=313653&action=edit

Alex Mauer (hawke) wrote :

Umm, that's not true. Self-signed certs can be overridden. Furthermore, the error is "The certificate is not trusted because it is self signed. (Error code: sec_error_untrusted_issuer)" and not "Certificate key usage inadequate for attempted operation. (Error code: sec_error_inadequate_key_usage)"

Wari Wahab (wari) wrote :

It would be fine if the error is sec_error_untrusted_issuer for me, but I got sec_error_inadequate_key_usage for all the servers using self signed certs. Firefox 3 Beta 4 lets me add an exception, but Beta 5 just gives me a flat out error. I had to use a different browser just to use the sites I need to use. Unless there's a different way to generate self signed certs than what is documented already, I'd be stuck with this error.

Your original post mentions sec_error_inadequate_key_usage, which is why I got here in the first place. I believe your issue is a different problem than what I got, just pointing out some information that I found after a frustrating search on the net.

Atreidae (atreidae) wrote :

I am getting this issue with my ipmonitor server as well, it self signs the certificate itself, but not my PABX (switchvox) and as far as I know it's signing by itself too.

John Jackson (taladon) wrote :

This bug was last touched in 2008.
Current CUPS 1.5.0 connects via http://127.0.0.1:631 just fine
Administration page prompts for user and pass.

Closing since this is an ancient bug.

Changed in cupsys (Ubuntu):
status: New → Invalid