invalid security certificate 11.10

Bug #790469 reported by cpatrick08 on 2011-05-31
This bug affects 4 people
Affects: Mozilla Firefox | Status: Fix Released | Importance: Medium
Affects: firefox (Ubuntu) | Importance: High | Assigned to: Unassigned
Affects: Oneiric | Importance: High | Assigned to: Unassigned

Bug Description

LAST VERSIONS TESTED:
natty:
firefox 5.0~b2+build1+nobinonly-0ubuntu0.11.04.1~mfn2
xul-ext-ubufox 0.9.1-0ubuntu0.11.04.1~mfn1

oneiric:
firefox 5.0~b2+build1+nobinonly-0ubuntu2
ubufox 0.9.1-0ubuntu1

WORKAROUND (from bug 790266):
Disabling the feedback extension makes this go away: Tools>Feedback>Turn Off User Studies

-------------------------------

Binary package hint: firefox

When I load Firefox in 11.10 I get an invalid security certificate error.

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

"Secure Connection Failed" warning window appears upon launching FF.

Certificate expired 8/13/2011 11:27 PM. Current time is 10/18/2011

Note Date/Time in task bar has been changed to 10/18/2011.

This began 2 days ago.

Reproducible: Always

If you set your computer's clock to a date far in the future, and that date is past the expiration date of the certificate in question, then that is not a bug. You have simply mis-configured your computer.

I did not set my clock to a date far in the future. The clock was changed by an unknown agent/application. The warning window further states "This could be a problem with the server's configuration or it could be someone trying to impersonate the server."

Virus and Malware scans do not detect any threats.

I have since Removed TestPilot from the AddOns, and manually reset the clock to the correct date/time.

cpatrick08 (cpatrick08) wrote :

I don't get the error anymore so I am marking this bug as invalid.

Changed in firefox (Ubuntu):
status: New → Invalid
cpatrick08 (cpatrick08) wrote :

I switched over from Ubuntu to Kubuntu and am getting this error again, so I am marking the bug as new.

Changed in firefox (Ubuntu):
status: Invalid → New
Micah Gersten (micahg) wrote :

This has been confirmed by charlie-tca on the Xubuntu images and me with a clean profile on an updated Oneiric.

Changed in firefox (Ubuntu):
assignee: nobody → Chris Coulson (chrisccoulson)
importance: Undecided → High
milestone: none → oneiric-alpha-1
status: New → Triaged
tags: added: iso-testing
Micah Gersten (micahg) on 2011-06-01
description: updated
description: updated
Micah Gersten (micahg) wrote :

There's https://bugzilla.mozilla.org/show_bug.cgi?id=658019 which shows a similar issue upstream if this is something upstream needs to fix.

tags: added: oneiric
removed: 11.10 5.0
Micah Gersten (micahg) wrote :

BTW, this is also affecting the beta in the firefox-next PPA on natty.

description: updated
Chris Coulson (chrisccoulson) wrote :

The upstream bug is a different issue (the reporter's clock was wrong).

This is just happening here because the certificate for testpilot.mozillalabs.com is issued by a CA with no chain of trust to one of the roots in NSS. The issuer's root is already included in newer NSS versions (it's fixed on Aurora and mozilla-central already). I'd rather not do an upload just to disable testpilot (note that we disable it automatically when we switch to the release channel anyway). I don't really think this is a blocker for alpha 1.

Changed in firefox:
importance: Unknown → Medium
status: Unknown → Invalid
Chris Coulson (chrisccoulson) wrote :

Actually, my last comment is wrong. This isn't fixed in newer NSS versions - it only worked here because the GeoTrust SSL CA certificate was added to my store.

It seems that the certificate for mozillalabs.com was recently issued (26/05/11), and is signed with an intermediate CA certificate (GeoTrust SSL CA), which, according to https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422 needs to be installed alongside the website's SSL cert on the server.

Navigating to https://testpilot.mozillalabs.com/ results in a "This Connection is Untrusted" warning, with the error code "sec_error_unknown_issuer" (The certificate is not trusted because no issuer chain was provided).

The test-pilot extension also triggers this, resulting in this dialog when starting Firefox: https://launchpadlibrarian.net/72701040/Screenshot.jpg

I think this only started happening recently (we suddenly got quite a few bug reports in Ubuntu in the last few days). It seems that the certificate is signed by an intermediate CA cert (GeoTrust SSL CA) which is not included with NSS. According to https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422, the intermediate CA cert should be installed on the server alongside your SSL cert (although, I'm merely speculating here, it could be a different issue entirely).

If I use the SSL checker at https://knowledge.geotrust.com/support/knowledge-base/index?page=content&actp=CROSSLINK&id=SO9557, it points me to the missing intermediate cert. If I import this cert, then the warnings go away.

I'm not sure which product this should be reported against. I looked in the Websites product first, but there doesn't appear to be a component specific to testpilot.mozillalabs.org.

Chris Coulson (chrisccoulson) wrote :

Reported upstream

Changed in firefox:
importance: Medium → Unknown
status: Invalid → Unknown
Changed in firefox:
importance: Unknown → Medium
status: Unknown → Confirmed

CC'ing some people

Alessandro Losavio (alo21) wrote :

I had the same problem in Xubuntu and Mythbuntu 11.10 alpha1 amd64

Zandr updated the ssl certs for *.mozillalabs.com and might have not updated the intermediary certs.

This is a setting in Zeus, under SSL certificates -> specific cert -> Intermediary and you can upload it there and you should be fine. (if you need help finding it, ping me on IRC)

And Chris, you're probably bang on target :)

Chris- Good catch. I did update the cert and apparently didn't get the intermediate right. I'll get that sorted shortly.

Excellent, thanks!

Micah Gersten (micahg) wrote :

Not a blocker for alpha 1, moving forward

Changed in firefox (Ubuntu Oneiric):
milestone: oneiric-alpha-1 → oneiric-alpha-2

OK, this is fixed, Cert checks using the geotrust tool pass.

/me closes bug, puts brown bag over head, hides in shame. :)

Micah Gersten (micahg) wrote :

I just tested this again and it's been fixed. Since there's no fix in the code, marking invalid, unassigning, and demilestoning.

Changed in firefox (Ubuntu Oneiric):
assignee: Chris Coulson (chrisccoulson) → nobody
milestone: oneiric-alpha-2 → none
status: Triaged → Invalid
Changed in firefox:
status: Confirmed → Fix Released

Hi, this bug seems to be back with version 9 (latest version) of Firefox on Windows 7 and GeoTrust certificates. Getting a "no issuer chain was provided" message. Customers are complaining at secure checkout regarding this. Geotrust tech support has been alerted but they said this is something that has to be fixed in firefox, the server, or have the customer install in their browser. Unfortunately we have no control over customer, the server is a legacy server using unchained cert. Can you manually add the Geotrust RapidSSL intermediate certificate to the latest Firefox Windows version? Curiously it seems to work properly in the Mac version of Firefox as well as all other browsers tested on Mac and Windows. You can hit https://www.web-secured.com using Firefox 9 with Windows 7 to see the "no issuer chain provided" message.
