After updating FF to 33.0 I now get: error code: sec_error_invalid_key
I visit sites that have local ssl certificates installed (self signed), typically I get the warning about this, accept, confirm, etc. All used to be good. I just now received an update to FF to 33.0, now none of these sites work. (I'm in the Beta channel) I'm getting: error code: sec_error_invalid_key
The sites in question, are all mine, and work well on other browsers.
Svi odgovori (18)
Did (does) Firefox 32 work or does that version fail as well?
You can try to rename the cert8.db file in the Firefox profile folder to see if that has effect.
I have same problem. I downgraded to FF 32, site with self-signed certificate works normally. Then I again upgraded to FF33beta, error code: sec_error_invalid_key.
Renaming cert8.db file doesn't help.
That is probably because Firefox 33 has fully switched to libPKIX that is more stricter and you can no longer disable this library and fall back to the previous NSS code.
- bug 975229 - Remove NSS-based certificate verification
Please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
So that means I need to use IE or Chrome instead? I downgraded to FF 32 and it is working again.
FF has to fix this!
I trust that you are aware that Firefox 33 is a Beta build, which won't be released until Oct 14th.
Are you using Extended Validation (EV) certificates or the Domain Validated (DV) certificates?
"I trust that you are aware that Firefox 33 is a Beta build, which won't be released until Oct 14th."
Yes, but the question is: will it be fixed? AFAICS this breaks Webmin, in general. Worse, if I try and add an exception in Options, FF says it can't get any identifying information from the site, so even that simple workaround isn't available. I'm not inclined to buy commercial SSL certificates for Webmin!
And the answer is NO it won't be fixed, 33.0 released today and this is still an issue. Must revert back to 32.x or go to some other browser.
Izmjenjeno
I had this problem with Firefox 33 and 2 of my 3 webmin sites, I checked the certificates expiration date and the ones with problems had expired.
I renewed the certificates in Webmin and Firefox asked me to add an exception for those selfsigned certificates as usual.
Izmjenjeno
I have 10th of routers with self-sign certs. I checked the cert with a still 32 FF and the cert expires in 2020. When I try to connect with FF33 I get the same sec_error_invalid_key. I removed the permanent exception cert from the local store and try to set it manually again: I get the error: ~unable to get identification status for the site~ (approx translation to english)
Here is a temporary workaround for Linux: sudo apt-get remove firefox (do not specify purge, this will keep your profile as is) sudo dpkg -i /var/cache/apt/archives/firefox then type tab key to list the available versions in your apt cache. Do the same with related packages (eg. locale language pack, desktop integration) that are already installed. Then complete the command: sudo dpkg -i /var/cache/apt/archives/firefox*32*.deb At this time you're nearly safe. Immediately launch synaptic package manager, seach firefox (32 and related) installed, select it, click Package in the menu and check the "Lock version". You are now safe. Monitor the firefox release notes to know when you can release the version lock.
Izmjenjeno
hello, i'm not sure if it applies to your situation, but support for some certificates with weak signatures has been removed in firefox 33: https://developer.mozilla.org/en-US/Firefox/Releases/33/Site_Compatibility#Security
I have the same problem with Firefox 33.0 when connecting to Webmin running on a local network Ubuntu 12.04 Server.
Hallo,
I create in Webmin a new local ssl certificate and now it is working with FF 33.
Webmin Configuration -> SSL Encryption -> Self-Signed Certificate
Kind regard PapsW
Apparently the root issue with non-Webmin certs is key length within the certificates. FF 34 beta broke out the error with a new error text of "mozilla_pkix_error_inadequate_key_size" but I'm still not finding any kind of override. 'They' need to understand we don't have any say over the key length on many of these devices, they are what they are and we need to be able to override them.
Encrypted traffic even weakly encrypted is preferable to clear text when it contains logins and passwords.
Izmjenjeno
See:
- Several cipher suites have been disabled
- RSA certificates using weak signatures less than 1024-bit are no longer accepted
I visited https://news.ycombinator.com/ with Firefox 33.0.2 on Windows 7 and it's giving me "(Error code: sec_error_unknown_issuer)" and there is no "I understand the risks" button. In this case, I'm not particularly bothered about having a secure connection but the http:// site auto redirects to the https:// one and Firefox will not let me ignore the validation error.
Whilst I understand that this behaviour is probably sensible for the typical Firefox user, it is not acceptable for developers and those who use admin control panels. Could we perhaps have an "about:config" variable such as "security.tls.allow-ignore-errors" that brings back the "I understand the risks" button?
Cheers, Ben
Izmjenjeno
Problem still exists, including Firefox 34, 35, 36.0b7 see https://support.mozilla.org/en-US/questions/1045971
important addition: I have restored https-access to my router by these tricks in about:config Modify security.tls.version.min from 1 to 0 sometimes it's necessary also to Modify security.tls.version.fallback-limit from 1 to 0 please see link above
Izmjenjeno
See also:
Phasing out Certificates with 1024-bit RSA Keys:
Phase 2: Phasing out Certificates with 1024-bit RSA Keys: