Firefox 31 refuses webconfigurator certificate



  • Hello,
    just updated Firefox and I was locked out of the pfSense web GUI.

    The reason is the new certificate check policy within Firefox: web sites can't have a certificate for a CA. The default "webconfigurator" certificate in pfSense is generated with that flag.

    The solution is to open another browser and create a new certificate as "server", then set it in System -> Advanced -> SSL Certificate
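    As an added illustration of the point in the post above (this is not code from the thread, from pfSense or from Mozilla): a pure-Python check for whether a certificate's DER extensions carry basicConstraints cA=TRUE, the CA flag that mozilla::pkix refuses on a certificate presented by a TLS server. The extension blocks below are hand-constructed sample DER, not copied from a real pfSense certificate.

```python
# Added example: detect basicConstraints cA=TRUE in a certificate's DER
# extensions. Pure standard library; the sample blocks are hand-constructed.
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19, DER-encoded


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def iter_children(constructed_value: bytes):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(constructed_value):
        tag, value, pos = read_tlv(constructed_value, pos)
        yield tag, value


def is_ca_certificate(extensions_der: bytes) -> bool:
    """True if the Extensions SEQUENCE carries basicConstraints with cA=TRUE.
    No extension, or an empty BasicConstraints SEQUENCE, means cA=FALSE
    (DER omits DEFAULT values): that is what a proper server cert looks like."""
    _, ext_list, _ = read_tlv(extensions_der, 0)  # SEQUENCE OF Extension
    for _, ext in iter_children(ext_list):
        fields = list(iter_children(ext))  # OID, optional critical BOOLEAN, OCTET STRING
        if fields[0][1] != BASIC_CONSTRAINTS_OID:
            continue
        _, bc_value, _ = read_tlv(fields[-1][1], 0)  # extnValue holds BasicConstraints
        for inner_tag, inner_value in iter_children(bc_value):
            if inner_tag == 0x01:  # BOOLEAN cA
                return inner_value == b"\xff"
        return False  # SEQUENCE {} -> cA defaults to FALSE
    return False


def extensions(*exts: bytes) -> bytes:
    """Wrap hand-encoded Extension TLVs in the outer SEQUENCE (short-form length)."""
    body = b"".join(exts)
    return b"\x30" + bytes([len(body)]) + body


# Constructed samples. keyUsage (2.5.29.15) is present only to show it is skipped.
KEY_USAGE_EXT = bytes.fromhex("300e0603551d0f0101ff0404030205a0")
BC_CA_TRUE_EXT = bytes.fromhex("300f0603551d130101ff040530030101ff")  # cA=TRUE
BC_CA_FALSE_EXT = bytes.fromhex("300c0603551d130101ff04023000")  # cA=FALSE
OLD_DEFAULT_CERT_EXTS = extensions(KEY_USAGE_EXT, BC_CA_TRUE_EXT)  # what pkix rejects
SERVER_CERT_EXTS = extensions(KEY_USAGE_EXT, BC_CA_FALSE_EXT)  # what a server cert needs
```

    To check a real certificate, pass it the DER bytes of the Extensions SEQUENCE taken from the TBSCertificate; a result of True on a web GUI certificate is the condition the first post describes.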



  • ..updated to 31 on Windows this morning, no issue at all… :o


  • Rebel Alliance Developer Netgate

    I have several installs of FF31 and one of them gave me problems and the others are OK. It's just one profile, too. If I make a new profile on the same system, it's OK.

    I had to toggle security.use_mozillapkix_verification to false on the profile (via about:config) in question to make it work.

    I suspect it's something to do with the cert database but deleting the old certs didn't help in my case.



  • @jimp:

    I have several installs of FF31 and one of them gave me problems and the others are OK. It's just one profile, too. If I make a new profile on the same system, it's OK.

    I had to toggle security.use_mozillapkix_verification to false on the profile (via about:config) in question to make it work.

    I suspect it's something to do with the cert database but deleting the old certs didn't help in my case.

    Thanks, this was happening for me as well and that worked. I noticed it was working in IE and went searching Google. :)



  • @rekd0514:

    @jimp:

    I have several installs of FF31 and one of them gave me problems and the others are OK. It's just one profile, too. If I make a new profile on the same system, it's OK.

    I had to toggle security.use_mozillapkix_verification to false on the profile (via about:config) in question to make it work.

    I suspect it's something to do with the cert database but deleting the old certs didn't help in my case.

    Thanks, this was happening for me as well and that worked. I noticed it was working in IE and went searching Google. :)

    I am getting another error in firefox when trying to access my Unifi AP GUI. Any ideas of other security settings Mozilla might have changed?

    Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)


  • Rebel Alliance Developer Netgate

    @rekd0514:

    I am getting another error in firefox when trying to access my Unifi AP GUI. Any ideas of other security settings Mozilla might have changed?

    Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)

    That's a completely different issue, though I'm not sure if FF has a way around that one. There's an old iLO port I connect to now and then that does that, but I end up loading it in Chrome since FF refuses with no workaround.



  • @jimp:

    @rekd0514:

    I am getting another error in firefox when trying to access my Unifi AP GUI. Any ideas of other security settings Mozilla might have changed?

    Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)

    That's a completely different issue, though I'm not sure if FF has a way around that one. There's an old iLO port I connect to now and then that does that, but I end up loading it in Chrome since FF refuses with no workaround.

    It seems that if I switch back to true the Unifi GUI works again, but then pfsense isn't accessible. I guess it is one or the other. lol



  • With respect to those who solved the problem of FF31 and the WebConfigurator certificates by resetting the PKIX in FF31 to false, this is a workaround which will go away apparently. Mozilla has completely replaced and simplified the code that evaluates the validity of the certificates and certificate chains. The new code has been available in earlier versions of FF but was not activated by default. In FF31 they switched from the old code to the new code. You can undo that switch by setting the PKIX flag to false. On their web site Mozilla notes that as of FF33 this setting and the old certificate validation code will go away and the only code they will then use to evaluate the validity of certificates is the new PKIX code. Therefore in my view this problem will come back and there will be no workaround as of FF33.


  • Rebel Alliance Developer Netgate

    Correct, but this is a bug in the PKIX verification which hopefully they will identify and fix sometime between now and then.

    I haven't had a chance to try a beta/nightly build of a newer version to see if it's any better.

    Worst case, you can make a new profile and import settings back into it bit by bit. MozBackup makes that fairly simple.




  • Rebel Alliance Developer Netgate

    FYI- They mentioned in that Mozilla bugzilla entry about how the default self-signed certificate is formed with generic default values, which results in many certificates using the same details and causing some interesting behavior with the verification process.

    On 2.2 I just committed a change that will generate new certificates using some more varied values including a unique ID in the CN which should improve this behavior on new installs.

    The core problem is still a Firefox problem, but at least over time this can help lower its impact on people.



  • @jimp - thanks for doing this. As, I think, you mentioned on the change, it would be nice to have a way to generate a new certificate after setting up a system. Then the certificate could actually reflect the host and/or other data about the real system (even though it still would not be linked back upstream to a public-verifiable certificate chain).
    And then also existing users can regenerate the certificate after upgrading to 2.2, as they wish.


  • Rebel Alliance Developer Netgate

    That's my intention, though I'm not sure yet if it will be a GUI option, a CLI option, or what.

    For now if someone wants to they can run the new function from Diagnostics > Command in the PHP execute box and then restart the GUI and that's it, so the actual backend stuff is all there, it only needs some hook into the UI in a way that can't be hit accidentally.


  • Rebel Alliance Developer Netgate

    Tried to make a GUI option and failed; the browser would choke on the cert change and want to resubmit the form, which made a new cert, which then started looping through that whole process. Not sure of a good way around that one yet.

    Made a CLI option,

    pfSsh.php playback generateguicert
    

  • Rebel Alliance Developer Netgate

    For those on 2.1.x that hit this bug and want to patch it now, you can use the following commit ID with the System Patches package:

    https://github.com/pfsense/pfsense/commit/a376c57de58765dbd469cb07ee3108da49a2657d

    Apply that patch and then from the command line run

    pfSsh.php playback generateguicert
    

    The GUI will restart with a fresh certificate which you will have to accept in the browser again, but it will load in Firefox with the new certificate.



  • Hi,
    I had this same issue today after FF version 33.1 update.
    Setting security.use_mozillapkix_verification to false did not help.

    THEN SUCCESS!! :)
    Go to Help >> Troubleshooting Information >> Reset Firefox to its default state

    This solved all issues for me.
    BTW, "security.use_mozillapkix_verification" no longer is an option. Evidently old data was hindering operation.


  • Rebel Alliance Developer Netgate

    Removing all of the old certs is what helped, not the full reset, but the full reset removed them. After you access a few more pfSense installs it will break again until they fix the bug.