This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

How can I display self signed certificate sites in FF33? (sec_error_ca_cert_invalid)

  • 6 replies
  • 3 have this problem
  • 1 view
  • Last reply by cor-el

more options

Hello,

I am using FF33 on Win7. I've noticed that in recent versions, FF no longer allows me to view sites with self-signed certificates. In previous version, there was an option to add an exception, but now it simply states that I need to contact the owner of the website (See actual error message below). Unfortunately, many of our internal sites and equipment (routers, etc) use self signed and will never be otherwise. How can I view these sites? As I'm not willing to downgrade for fear of security vulnerabilities in older code, my only work around as of now, is to use another browser. Please advise. Thanks!

Error message: Secure Connection Failed

An error occurred during a connection to infoblox.vistaone.local. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid) The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

Hello, I am using FF33 on Win7. I've noticed that in recent versions, FF no longer allows me to view sites with self-signed certificates. In previous version, there was an option to add an exception, but now it simply states that I need to contact the owner of the website (See actual error message below). Unfortunately, many of our internal sites and equipment (routers, etc) use self signed and will never be otherwise. How can I view these sites? As I'm not willing to downgrade for fear of security vulnerabilities in older code, my only work around as of now, is to use another browser. Please advise. Thanks! Error message: Secure Connection Failed An error occurred during a connection to infoblox.vistaone.local. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid) The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

All Replies (6)

more options

hello, self-signed certificates are not gone for good - however there is now a stricter error handling in place. the self-signed certificates for your internal sites might have to be reissued with the proper setup, also see: https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates#Error_Codes_in_Firefox_2

more options

Thank you philipp for your reply. I understand your point, but reissuing the certificates is not going to be a practical solution. Some of our customers have hundreds of networks devices using self-signed certificates that won't meet the new security checks. I think they will simply choose another browser that allows for an override of the security checks rather than update the certificates on all of those devices. Is there no way to override the security check in FF33?

more options

There is a Firefox 33.1 version on the way that might fix this issue, so check that out is a few days.


Bug 1042889 - mozilla::pkix, cannot override sec_error_ca_cert_invalid with version 1 certificate, and other scenarios (with or without pkix)

more options

apparently the fix is already present in the current firefox 31.2.0 extended support release: https://www.mozilla.org/en-US/firefox/organizations/all/

more options

Thank you Cor-el for that info. I'll look for the 33.1 release and see if that fixes the issue. @philipp, that is good to know that the extended support release 31.2.0 has a fix. However, we are not using the ESR versions and stick to the GA releases. Also, I'm not just concerned about our company, but all of our customers who have purchase appliances from us that use self-signed certificates for management. I obviously cannot control their environments. But at least I can now recommend the ESR 31.2.0 release instead of just recommending to use another browser. Thanks for your help!

more options

It only works in Firefox 31.2.0 if SSL3 is enabled (security.tls.version.min = 0 ;default).