PKCS #12 Error Importing Client Certificates

Bug #198841 reported by Jan Trukenmüller on 2008-03-05
44
This bug affects 4 people
Affects Status Importance Assigned to Milestone
firefox (Ubuntu)
Undecided
Unassigned
firefox-3.0 (Ubuntu)
Undecided
Unassigned
torbutton (Ubuntu)
Medium
Unassigned

Bug Description

After upgrading to Hardy I cannot import client (user) certificates any more. The error message is:

The PKCS #12 operation failed for unknown reasons.

This happens with Firefox 3, but also (after downgrading Firefox) with version 2. I don't think that this is a firefox problem.
Using client certificates which were imported before the upgrade is no problem.
Importing CA-certificates is also no problem. It applies only to user certificates (those who contain the private key).

My workaround was to import the certificates on an older system (not Hardy) and then copying the ".mozilla" directory from there to my home directory on the Hardy system. Of cause this is annoying.

Vu Ngoc San (san-vu-ngoc) wrote :

I confirm

with Firefox 3 I cannot pay my taxes anymore !
When I browse for importing a new certificate, the file.p12 is not even listed as a certificate. I can make it appear my requiring "show all files", but clicking on it does nothing.

I would set the level of this bug as critical.

On Sun, Jun 01, 2008 at 05:52:24PM -0000, Launchpad Bug Tracker wrote:
> You have been subscribed to a public bug:
>
> After upgrading to Hardy I cannot import client (user) certificates any
> more. The error message is:
>
> The PKCS #12 operation failed for unknown reasons.
>
> This happens with Firefox 3, but also (after downgrading Firefox) with version 2. I don't think that this is a firefox problem.
> Using client certificates which were imported before the upgrade is no problem.
> Importing CA-certificates is also no problem. It applies only to user certificates (those who contain the private key).

Please provide us with step by step instructions, e.g.

 1. do this
 2. do that
 3. see this
 4. but it should be like this

on how to create such a certificate and how you attempt to import it.

 affects ubuntu/firefox-3.0
 status incomplete

keeping open for ffox 3. ffox 2 wont see a fix ...

 affects ubuntu/firefox
 status wontfix

 - Alexander

Changed in firefox:
status: New → Won't Fix
chrysoberyl (lnxme1) wrote :

Same probleme here.

running Ubuntu Hardy 64

I'll try to do a step by step instructions as requiered:

opened firefox3, went to edit menu, clicked on advanced tab, encryption tab, and view certificates.

Certificate manager window opened.
clicked on import
File name to restore window opened
browse to pkcs12 file
clicked on open--> error box: "alert: Failed to restore the PKCS #12 file for unknown reasons."
the certificate doesn't show up in the certificate list

Instead it should ask for the certificate password, then import the certificate if the password typed was correct.
if the password was incorrect it shows the error box: "alert: Failed to restore the PKCS #12 file for unknown reasons."
and nothing is done, (verified on Firefox 3 under XP and Vista)

Under Ubuntu Hardy, we are not even asked the certificate password, it's like this step is missing and of course the importation is rejected.

It is indeed a serious bug.

Chrysoberyl

ChrisHannam (chrishannam) wrote :

I had this same issue. The only fix I found was to:

mv ~/.mozilla ~/.mozilla.broken

Then starting up Firefox and importing the cert worked perfectly.

This does of course trash everything you have setup in Firefox, This should be used a last resort.

cassianoleal (cassianoleal) wrote :

Same here in Debian Lenny.

I have also installed libnss3-tools and tried to run:

$ pk12util -i cert.pfx

which resulted in:

pk12util: function failed: security library: bad database.

Peter Clark (mla-forrussia) wrote :

For those of you who have the TorButton extension installed and are running into this problem, disable TorButton entirely (through Tools -> Add-Ons), restart Firefox, install the certificate, and then re-enable TorButton. This worked for me.

For other cases, http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/f83eff33951b80bf has some insights about PSM, the Firefox code that provides the GUI for the crypto stuff.

Got it.

For those who have the same problem, try using the -d parameter for
pk12util. Point it to your firefox profile directory, like:

$ pk12util -i cert.pfx -d ~/.mozilla/firefox/randomchars.default

Worked for me, but it's quite annoying not to be able to use firefox's
(iceweasel's) UI for that.

Cheers,
Cassiano Leal

On Fri, Aug 22, 2008 at 4:10 PM, cassianoleal <email address hidden>wrote:

> Same here in Debian Lenny.
>
> I have also installed libnss3-tools and tried to run:
>
> $ pk12util -i cert.pfx
>
> which resulted in:
>
> pk12util: function failed: security library: bad database.
>
> --
> PKCS #12 Error Importing Client Certificates
> https://bugs.launchpad.net/bugs/198841
> You received this bug notification because you are a direct subscriber
> of the bug.
>

lnx (nwegener) wrote :

If you open the error console, you get the following message, when trying to import the pkcs12 file via the dialog boxes:

Fehler: [Exception... "'Out' argument must be an object arg 1 [nsICertificateDialogs.getPKCS12FilePassword]" nsresult: "0x80570002 (NS_ERROR_XPC_NEED_OUT_OBJECT)" location: "JS frame :: file:///home/norbert/.mozilla/firefox/6iimouky.default/extensions/%7Be0204bd5-9d31-402b-a99d-a6aa8ffebdca%7D/components/certDialogsOverride.js :: anonymous :: line 87" data: no]
Quelldatei: file:///home/norbert/.mozilla/firefox/6iimouky.default/extensions/%7Be0204bd5-9d31-402b-a99d-a6aa8ffebdca%7D/components/certDialogsOverride.js
Zeile: 87

Dmitrii Sernii (bogolt) wrote :

the Tor Button plugin removal worked for me as well

skandor (skandor) wrote :

Me too. And I am using Vista, not Ubuntu. Removing the Tor button solved the problem, meaning that removing the tor button allowed me to import the PKCS12 certificate with the private key.

I have no idea on the reason for this behavior.

-- Skandor.

John Vivirito (gnomefreak) wrote :

Changed package to the extension. Where did everyone get thier extension from. Use apt-cache policy torbutton-extension and please paste it here in comment

Changed in firefox-3.0:
importance: Undecided → Medium
Peter Clark (mla-forrussia) wrote :

 Using torbutton-extension 1.2.0rc6 here.

mrw (marc-waeckerlin) wrote :

Disabling Torbutton worked for me - on Ubuntu Karmic Koala (still not fixed in 09.10)

garaden (matt-the-mech01) wrote :

Confirm bug and Torbutton disabling fix (Mac OS X 10.5.8)

fabrom (fabrom-jability) wrote :

Same bug and resolution with Tor-Button 1.2.5 / Firefox 3.6.3 on Ubuntu 10.4

Johannes Hessellund (osos) wrote :

Confirmed on Lucid.

Giving troubles with the danish "Digital signatur" from DanID.

confirmed bug and tor-button workaround on 3.6.9

edmond (edmondwee) wrote :

hi guys, i have this problem. I have just installed ubuntu and just started using mozilla.

I like my setup very much but I have a problem with my cert, it's file.pfx

I don't have tor, at least can't find anything resembling in the add-on function

do I have to convert my pfx file to pkcs#12?

I'm referring to https://help.ubuntu.com/community/OpenSSL under "Converting X.509 Certificates to PKCS#12 for Client Applications"

domja (dominique-jany) wrote :

me too, i can't fix it in xubuntu 10.10 + firefox 3.6.12

does anyone have a solution for me ?

sindikat (sindikat) wrote :

I confirm this bug.

Linux Mint 10
Firefox 3.6.12
Torbutton 1.2.5

Sapan (sapan-ganguly-gmail) wrote :

Disabling the Tor button and trying again worked for me.

As I can read in the firefox package the status is "Won't fix", so I think in firefox 3 there won't be a fix either.

Changed in firefox-3.0 (Ubuntu):
status: New → Invalid
Changed in torbutton (Ubuntu):
status: Incomplete → Confirmed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers