Firefox 31 refuses webconfigurator certificate
-
With respect to those who solved the problem of FF31 and the WebConfigurator certificates by resetting the PKIX in FF31 to false, this is a workaround which will go away apparently. Mozilla has completely replaced and simplified the code that evaluates the validity of the certificates and certificate chains. The new code has been available in earlier versions of FF but was not activated by default. In FF31 they switched from the old code to the new code. You can undo that switch by setting the PKIX flag to false. On their web site Mozilla notes that as of FF33 this setting and the old certificate validation code will go away and the only code they will then use to evaluate the validity of certificates is the new PKIX code. Therefore in my view this problem will come back and there will be no workaround as of FF33.
-
Correct, but this is a bug in the PKIX verification which hopefully they will identify and fix sometime between now and then.
I haven't had a chance to try a beta/nightly build of a newer version to see if it's any better.
Worst case, you can make a new profile and import settings back into it bit by bit. Mozbackup makes that fairly simple.
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1056341
- 2 months later
-
FYI- They mentioned in that Mozilla bugzilla entry about how the default self-signed certificate is formed with generic default values, which results in many certificates using the same details and causing some interesting behavior with the verification process.
On 2.2 I just committed a change that will generate new certificates using some more varied values including a unique ID in the CN which should improve this behavior on new installs.
The core problem is still a Firefox problem, but at least over time this can help lower its impact on people.
-
@jimp - thanks for doing this. As, I think, you mentioned on the change, it would be nice to have a way to generate a new certificate after setting up a system. Then the certificate could actually reflect the host and/or other data about the real system (even though it still would not be linked back upstream to a public-verifiable certificate chain).
And then also existing users can regenerate the certificate after upgrading to 2.2, as they wish. -
That's my intention, though I'm not sure yet if it will be a GUI option, a CLI option, or what.
For now if someone wants to they can run the new function from Diagnostics > Command in the PHP execute box and then restart the GUI and that's it, so the actual backend stuff is all there, it only needs some hook into the UI in a way that can't be hit accidentally.
-
Tried to make a GUI option and failed, the browser would choke on the cert change and wanted to resubmit the form which made a new cert which then started looping through that whole process. Not sure of a good way around that one yet.
Made a CLI option,
pfSsh.php playback generateguicert
- 8 days later
-
For those on 2.1.x that hit this bug and want to patch it now, you can use the following commit ID with the System Patches package:
https://github.com/pfsense/pfsense/commit/a376c57de58765dbd469cb07ee3108da49a2657d
Apply that patch and then from the command line run
pfSsh.php playback generateguicert
The GUI will restart with a fresh certificate which you will have to accept in the browser again, but it will load in Firefox with the new certificate.
- 21 days later
-
Hi,
I had this same issue today after FF version 33.1 update.
Setting security.use_mozillapkix_verification to false did not help.THEN SUCCESS!! :)
Goto Help >> Troubleshooting Information >> Reset Firefox to its default stateThis solved all issues for me.
BTW, "security.use_mozillapkix_verification" no longer is an option. Evidently old data was hindering operation. -
Removing all of the old certs is what helped, not the full reset, but the full reset removed them. After you access a few more pfSense installs it will break again until they fix the bug.