Can't connect to SSL management interface on HP server; works with IE and Chrome after adding exception
When I try to connect to the internal (10.1.20.91) address of the web management interface (HP ILO) on an HP Integrity rx2800 server, I get the following error:
Certificate type not approved for application. (Error code: sec_error_inadequate_cert_type)
It seems that Firefox 25.0.1 will not allow this self-signed certificate.
IE and Chrome work, after allowing an exception. Previously, I was able to add an exception under Firefox.
I tried again will add-ons disabled, but it makes no difference.
Here's the full error:
Secure Connection Failed
An error occurred during a connection to 10.1.20.91. Certificate type not approved for application. (Error code: sec_error_inadequate_cert_type)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
Wszystkie odpowiedzi (4)
Hello, In this case, looks like the SSL certificate might not have been created for SSL/TLS authentication. Would it be possible for you to check the extended key usage section of the certificate for the extensions
- Certificate key usage
- Extended key usage
would give you more details. And based on whether the certificate has support for 'Server Authentication' you might have to regenerate the certificate.
Another thing to check would be to see if recently an intermediate CA was added to the certificate chain - that could be the cause of the issue you are facing.
Though I do understand your concern that this issue popped up only for Firefox 25.1. Would it be possible for you to provide the certificate (or generate another one), so that I can test this on a webserver. And also, can you please confirm the exception you created on the previous version of Firefox?
References
Hope this helps.
Did you check in the Certificate Manager if you can locate a previously exception with this certificate?
You can try to rename the cert8.db file in the Firefox profile folder to cert8.db.old or delete the cert8.db file to remove intermediate certificates that Firefox has stored.
If that helped to solve the problem then you can remove the renamed cert8.db.old file.
Otherwise you can rename (or copy) the cert8.db.old file to cert8.db to restore the previous intermediate certificates.
Firefox will automatically store intermediate certificates when you visit websites that send such a certificate.
More info:
Renaming the cert8.db didn't change anything.
I get into these ILO interfaces fairly often and I can say that Firefox had a problem over a year ago (or so) where it would let you in once and then say (IIRC) Invalid Cookie on subsequent attempts. Maybe deleting the cert8.db would fix that. Anyway, an update fixed that issue.
I just tested with Firefox 17 and it worked fine. Here are screen shots and the .cer file I exported. This is from a different (virgin) server at .93 https://www.dropbox.com/l/gGYGz2myJnUu9uNoPwsYxd (Hope this works -- I'm new to DropBox)
IE says:
The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website's address.
I didn't generate the certificate; the come pre-generated by HP. Anyway, I tried re-generating the certificate and I now get this error:
Secure Connection Failed
An error occurred during a connection to 10.1.20.91. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
I tried to attach the exported certificate, but I seem to only be allowed to upload graphical images.
IE Key Usage says: Certificate Signing, Off-line CRL Signing, CRL Signing (06)
BTW: I tested with Firefox 23 and 24 and they had the same problem. It's hard (impossible?) to find old versions of Firefox on the Firefox site. I think my 17 version is trying to force me to upgrade as we converse....