Ubuntu

default ssl certificate is invalid

Reported by Alex Mauer on 2008-01-30
10
Affects Status Importance Assigned to Milestone
cupsys (Ubuntu)
Undecided
Unassigned

Bug Description

The default SSL certificate installed with cups is considered invalid by Firefox 3.0. The error message given when trying to access the administration view is:

Certificate key usage inadequate for attempted operation.

(Error code: sec_error_inadequate_key_usage)

This is with dapper.

crasher5 (anchakarov) wrote :

Lame Workaround:
In order to open a website that would give this error I downloaded the latest 2.* version from a binary (2.0.0.12 tar.gz), extracted and started Firefox 2.0.0.12. From there I was able to accept the certificate and open the website. The certificate was automatically transfer to the Beta 3.* version. Good luck! Fix this or find better workarounds!

Caroline Ford (secretlondon) wrote :

Could you give more details as I'm not sure what you are trying.

You are using firefox 3 (on a dapper machine?) to connect to a printer remotely? What machine is the printer connected to?

Changed in cupsys:
status: New → Incomplete
Alex Mauer (hawke) wrote :

I am using firefox 3 on a hardy machine to connect to a cups server running dapper. The printer is a network printer.

Klaus Heinrich Kiwi (klauskiwi) wrote :

I can reproduce this when trying to access an IBM Hardware Management Console (an appliance to manage POWER-based machines).

Env.: Firefox 3 beta 3, up-to-date Hardy Haron.

Looks like Firefox 3 isn't accepting self-signed certificates anymore - a workaround (button to add to exception list) would be welcome here.

Klaus Heinrich Kiwi (klauskiwi) wrote :

This is a Firefox3 issue with self-signed certificates

Changed in cupsys:
status: Incomplete → Confirmed
Alex Mauer (hawke) wrote :

No it's not. Firefox (correctly) gives the error "The certificate is not trusted because it is self signed." for a self-signed cert, and allows you to add an exception (the last as of beta 3)

The problem is with one of the other attributes of the certificate which cupsys uses by default.

Changed in firefox-3.0:
status: Confirmed → New
Eric Drechsel (ericdrex) wrote :

Alex: specifically which attribute?

I'm trying to troubleshoot a similar issue with a the self-signed cert in Sage ( http://sagemath.org ) generated by gnutls: http://trac.sagemath.org/sage_trac/ticket/1754

Perhaps Mozilla people could provide a document about how to make self-signed certs work with FF3 so that we can get our apps in shape.

Alex Mauer (hawke) wrote :

Not sure. I believe it is missing one of the Certificate Key Usage attributes which firefox feels is required. The list of all certificate key usage values is here: http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html

However, I'm not sure which usage values firefox wants.

You can retrieve the details of a certificate from a server by doing: 'openssl s_client -showcerts -connect [host]:[port] | openssl x509 -text'. Looking at your examples, that would be 'openssl s_client -showcerts -connect localhost:8000 | openssl x509 -text'

Wari Wahab (wari) wrote :

As of Firefox 3 Beta 5, and possibly new updates to Firefox 2, all self-signed certs are considered invalid, and is done in such a way that you can never bypass them. I encountered this when I recently updated Hardy. I hope that the firefox developers are looking into this, as when I search around, this bug is everywhere.

I'm facing the problem with my servers on the network that are self signed. Anyway, see:

Bug 427081: Allow to override SEC_ERROR_INADEQUATE_KEY_USAGE
https://bugzilla.mozilla.org/show_bug.cgi?id=427081

and the patch to resolve this:
https://bugzilla.mozilla.org/attachment.cgi?id=313653&action=edit

Alex Mauer (hawke) wrote :

Umm, that's not true. Self-signed certs can be be over-ridden. Furthermore, the error is "The certificate is not trusted because it is self signed. (Error code: sec_error_untrusted_issuer)" and not "Certificate key usage inadequate for attempted operation. (Error code: sec_error_inadequate_key_usage)"

Wari Wahab (wari) wrote :

It would be fine if the error is sec_error_untrusted_issuer for me, but I got sec_error_inadequate_key_usage for all the servers using self signed certs. Firefox 3 Beta 4 lets me add an exception, but Beta 5 just gives me a flat out error. I had to use a different browser just to use the sites I need to use. Unless there's a different way to generate self signed certs than what is documented already, I'd be stuck with this error.

Your original post mentions sec_error_inadequate_key_usage, which is why I got here in the first place. I believe your issue is a different problem than what I got, just pointing out some information that I found after a frustrating search on the net.

Atreidae (atreidae) wrote :

I am getting this issue with my ipmonitor server as well, it self signs the certificate itself, but not my PABX (switchvox) and as far as i know its signing by itself too.

John Jackson (taladon) wrote :

This bug was last touched in 2008.
Current CUPS 1.5.0 connects via http://127.0.0.1:631 just fine
Administration page prompts for user and pass.

Closing since this is an ancient bug.

Changed in cupsys (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.