Bug 1648617

Summary: firefox goes to "your connection is not secure" when visiting https://www.google.com
Product: [Fedora] Fedora
Reporter: william.garber
Component: nss
Assignee: Daiki Ueno <dueno>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 31
CC: 0xalen+redhat, anelson, anto.trande, awilliam, chref, crypto-team, dueno, elio.maldonado.batiz, esalvati, fweimer, gbcox, gecko-bugs-nobody, hoffmann, jhorak, john.j5live, kdudka, kengert, kilian-risse, lzap, mbukatov, michel, pjasicek, rhughes, rstrode, sandmann, sgraf, stransky, teppot, thib, william.garber
Clone Of:
: 1723561 (view as bug list) Environment:
Last Closed: 2020-01-03 16:34:15 UTC
Type: Bug
Bug Blocks: 1723561    
Attachments (description | flags):
certificate presumably of https://www.google.com/ that does not get recognized. | none
firefox security certificate settings used. | none
certificate check website fails. | none
Firefox failing to connect to DuckDuckGo | none
firefox about:config page note security settings please. | none
P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" firefox > firefox.log 2>&1 | none

Description william.garber 2018-11-11 02:03:32 UTC
Description of problem:

nine times out of ten when I open firefox it goes to a page saying "your connection is not secure" when visiting https://www.google.com/
If I hit alt-home to go to the home page (google) about ten times, on the
tenth time approximately it will load google successfully.
Then it works fine for a few times.  If I launch a separate instance
of the browser it works okay.  Then if I close firefox and
do not use it for a while it goes back to the original state of not working.

Version-Release number of selected component (if applicable):
firefox-63.0.1-5.fc29.x86_64

How reproducible:
as above.  leave the web browser not running for a while then start it up.
very frequently happens.


Steps to Reproduce:
1. start web browser, assuming home page is https://www.google.com
2. 
3.

Actual results:
Your connection is not secure

The owner of www.google.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

Learn more…

Report errors like this to help Mozilla identify and block malicious sites

www.google.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

Error code: SEC_ERROR_UNKNOWN_ISSUER

clicking on SEC_ERROR_UNKNOWN_ISSUER gives the certificate shown
in the attachment.

Also firefox takes a long time to load.
Could have something to do with cookie settings.

Expected results:
prompt startup of firefox and load google homepage.

Additional info:
see attached certificate.
There are tons of error reports on the firefox website pertaining to this.
looks like jscher2000 does not think something is wrong and thinks firefox
is configured incorrectly, but lots of people were complaining about this.
Note:  I noticed that very briefly when firefox loads up, it flashes on the
screen one of those firefox home pages that you get when you first install
or upgrade firefox.  Since this is a recently upgraded fedora from 28 to 29, 
I thought maybe it was getting stuck on that page (sort of like a 
splash screen after the upgrade).

Comment 1 william.garber 2018-11-11 02:05:37 UTC
Created attachment 1504266
certificate presumably of https://www.google.com/ that does not get recognized.

Comment 2 william.garber 2018-11-11 02:24:10 UTC
I set the homepage to "firefox default" and it loads the fedora homepage.
I think normally that goes away after the first time you see it, no?

Comment 3 william.garber 2018-11-11 02:46:42 UTC
garberw@electron> lsof -i
COMMAND  PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox 7657 garberw  107u  IPv6 101189      0t0  TCP electron:47954->nuq04s29-in-x04.1e100.net:https (ESTABLISHED)
firefox 7657 garberw  130u  IPv4 110195      0t0  TCP electron:55874->ec2-52-33-113-226.us-west-2.compute.amazonaws.com:https (ESTABLISHED)
firefox 7657 garberw  153u  IPv4 123044      0t0  TCP electron:53006->sfo07s13-in-f14.1e100.net:https (ESTABLISHED)
firefox 7657 garberw  155u  IPv6 134139      0t0  TCP electron:54886->sfo03s07-in-x0e.1e100.net:https (ESTABLISHED)
firefox 7657 garberw  160u  IPv6 138242      0t0  TCP electron:39680->[2606:4700:20::6819:1c69]:https (ESTABLISHED)
firefox 7657 garberw  161u  IPv4 141060      0t0  TCP electron:46154->72.21.91.29:http (ESTABLISHED)
firefox 7657 garberw  166u  IPv6 138243      0t0  TCP electron:47464->[2a04:fa87:fffe::c000:4902]:https (ESTABLISHED)
firefox 7657 garberw  167u  IPv6 135950      0t0  TCP electron:46444->sfo07s13-in-x0a.1e100.net:https (ESTABLISHED)
firefox 7657 garberw  168u  IPv6 135785      0t0  TCP electron:46432->sfo07s13-in-x0a.1e100.net:https (ESTABLISHED)
firefox 7657 garberw  171u  IPv6 135786      0t0  TCP electron:44702->[2606:4700:30::681b:be68]:https (ESTABLISHED)
firefox 7657 garberw  172u  IPv6 138252      0t0  TCP electron:55254->nuq04s29-in-x03.1e100.net:https (ESTABLISHED)
garberw@electron> 


that ipv6 address is spinasale.com.
does this mean spinasale.com has hacked me?
the only thing open was google in firefox.

Comment 4 william.garber 2018-11-11 04:01:41 UTC
Created attachment 1504280
firefox security certificate settings used.

all defaults.  NOTE:  maybe the timeout setting is not large enough?

Comment 5 william.garber 2018-11-11 04:04:00 UTC
looks like a problem on google's end?
https://certificate.revocationcheck.com/www.google.com

Comment 6 william.garber 2018-11-11 04:07:40 UTC
Created attachment 1504281
certificate check website fails.

looks like a bug on google's side?

Comment 8 william.garber 2018-11-11 04:50:19 UTC
https://www.theregister.co.uk/2018/02/07/beware_the_coming_chrome_certificate_apocalypse/


something about symantec and google fighting over google's https policy
and symantec's issuing of certificates.

Comment 9 william.garber 2019-02-03 04:09:46 UTC
when I start firefox especially after a firefox upgrade I get the above error with the "your connection is not secure" message.
Then I can either press the "Learn more" button which is described above or "Back".  
I found out that if you press the other button "Back" it takes me to https://start.fedoraproject.org; 
if I press the back button on firefox it takes me to the first web page in the "stack"
which is my home page https://www.google.com which loaded; but if I try a google search it does not work.
The only place I could find
https://start.fedoraproject.org
in any configuration files is in
/usr/lib64/firefox/browser/omni.ja
/usr/lib64/firefox/browser/defaults/preferences/firefox-redhat-default-prefs.js
/usr/lib64/firefox/browser/defaults/preferences/

The bug is that when you upgrade firefox it shows this default the first time you open firefox.
It is SUPPOSED to go back to the default homepage I set for myself, https://www.google.com
on subsequent invocations of firefox.  But it does not.  Also it gives the security error.

Can someone please comment on this?
I can not use the web browser decently.

Also the firefox website said this may be due to an incorrectly set system clock or timezone.

Comment 10 Christian Stadelmann 2019-02-17 11:08:34 UTC
*** Bug 1648615 has been marked as a duplicate of this bug. ***

Comment 11 Christian Stadelmann 2019-02-17 11:14:50 UTC
Is your system time AND DATE correct? What does `$ date` give you when executed on the command line?

It looks like someone is messing with your internet connection and/or DNS server. Some ideas:
* Have you set a DNS server? Try a different one or get back to the default.
* Is your computer part of an untrusted network? Any public wifi is an untrusted network. Try a different (preferably cabled) network.
* Is your ISP or government messing with your network? If possible, try a different one ;)
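
The error text quoted in the description names two possible causes for an unknown issuer (an intermediate the server did not send, a root absent from the trust store), and comments 9 and 11 raise the system clock. The added example below is not from this bug thread and is a model built on Go's crypto/x509, not the NSS/Firefox verifier; it runs one constructed chain through each situation to show how they can be told apart. All names and certificates are sample data generated in the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed sample certificate for cn; self-signed when parent is nil.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if !isCA {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verify validates leaf at time now using only the given roots and intermediates.
func verify(leaf *x509.Certificate, inters, roots []*x509.Certificate, now time.Time) error {
	opts := x509.VerifyOptions{DNSName: leaf.DNSNames[0], CurrentTime: now,
		Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range inters {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// diagnose names the cause of a failed validation. known holds intermediates obtained
// elsewhere; retrying with them separates an omitted intermediate from a missing root.
func diagnose(leaf *x509.Certificate, presented, roots, known []*x509.Certificate, now time.Time) string {
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	err := verify(leaf, presented, roots, now)
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "outside-validity-period"
	case !errors.As(err, &unknown):
		return "other: " + err.Error()
	}
	all := append(append([]*x509.Certificate{}, presented...), known...)
	if verify(leaf, all, roots, now) == nil {
		return "missing-intermediate"
	}
	return "root-not-trusted"
}

// scenarios runs the same leaf (constructed host name) through four client situations.
func scenarios() map[string]string {
	root, rootKey := issue("Constructed Root CA", true, nil, nil)
	inter, interKey := issue("Constructed Intermediate CA", true, root, rootKey)
	leaf, _ := issue("www.example.test", false, inter, interKey)
	now, trust, chain := time.Now(), []*x509.Certificate{root}, []*x509.Certificate{inter}
	return map[string]string{
		"complete":          diagnose(leaf, chain, trust, chain, now),
		"no-intermediate":   diagnose(leaf, nil, trust, chain, now),
		"empty-trust-store": diagnose(leaf, chain, nil, chain, now),
		"clock-year-ahead":  diagnose(leaf, chain, trust, chain, now.AddDate(1, 0, 0)),
	}
}

func main() {
	fmt.Println(scenarios())
}
```

In this model a wrong clock surfaces as a validity-period error rather than an unknown issuer, and an empty trust store fails every chain no matter what the server sends.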

Comment 12 william.garber 2019-02-18 18:25:50 UTC
yes my system time and date are correct.
I checked that the uefi is set to UTC and 
the system time and date from "date" command
are the local time (what I would expect).
the dns server was set to defaults.
I reset it to google's dns server for ipv4 and ipv6
and the problem persists.

there are tons of people reporting this problem.

Comment 13 william.garber 2019-02-18 22:02:50 UTC
garberw@electron> date
Mon Feb 18 14:01:10 PST 2019
garberw@electron> 


this seems to be a problem with firefox based on the firefox blogs.
there are lots of questions like this one I posted:

https://support.mozilla.org/en-US/questions/1248873#answer-1193593

Comment 15 william.garber 2019-02-18 23:03:45 UTC
I removed ~/.mozilla and did
# dnf remove firefox
# dnf install firefox
change home page to "custom" https://www.google.com 
was the only customization made.

and the problem decreased.  I started and closed firefox 30 times,
with no problem, but on the 30th time the problem came back.
I am running mate desktop and the shortcut for firefox has the
command "firefox %u".  I thought maybe this should be "firefox %s"
but that did not seem to fix it.

There always appears to be the web page "https://start.fedoraproject.org"
when you hit the "back" button on the error message.
when you hit the "left" button on the web page "https://start.fedoraproject.org"
you get back to the original home page "https://www.google.com" but there
is no green lock indicating that it was not securely loaded.

Could I have some kind of security software installed that I have
forgotten or lost?  I doubt it.  I have heard that this security software
such as antivirus can cause problems that look like man-in-middle attacks.

Comment 16 Christian Stadelmann 2019-02-18 23:11:40 UTC
(In reply to william.garber from comment #15)
> […]
> Could I have some kind of security software installed that I have
> forgotten or lost?  I doubt it.  I have heard that this security software
> such as antivirus can cause problems that look like man-in-middle attacks.

That's quite common on Windows but I don't know of any such kind of "security" software on Linux. You probably don't have it ;)

Have you tried a different network? Maybe your network is being messed with.

Comment 17 william.garber 2019-02-18 23:56:32 UTC
before I go updating any certificates is it possible that the certificate for
https://start.fedoraproject.org 
is incorrect?  Seems more likely than the google certificate being incorrect.
Also it looks like you are trying to force me to use https://start.fedoraproject.org
as my homepage since it keeps coming up and is always associated with the bug.

what is this all about?
garberw@electron> cd /usr/lib64/firefox/
garberw@electron> grep -R start.fedoraproject.org
browser/defaults/preferences/firefox-redhat-default-prefs.js:pref("browser.startup.homepage",            "data:text/plain,browser.startup.homepage=https://start.fedoraproject.org/");
browser/defaults/preferences/firefox-redhat-default-prefs.js:pref("browser.newtabpage.pinned",           '[{"url":"https://start.fedoraproject.org/","title":"Fedora Project - Start Page"}]');
garberw@electron>

Comment 18 william.garber 2019-02-19 03:11:39 UTC
sure there's security software available for linux.
https://www.csoonline.com/article/3238884/linux/linux-antivirus-and-anti-malware-8-top-tools.html
some of it is even open source.
I would not use the commercial ones though.

Comment 19 william.garber 2019-02-19 20:49:54 UTC
I tried downloading and installing the certificates directly from
google (https://pki.goog/roots.pem) but this did nothing.  
If these certificates are not up to date I do not know
what to do.  It still did not work.

I next downloaded firefox directly from mozilla as a binary tarball
and ran it from my home directory.  I used the same ~/.mozilla 
as I normally use (not a default configuration) so it has the
homepage https://www.google.com.
I started firefox and exited firefox 60 times successfully 
indicating it is fixed.

Since it is fixed with my original configuration ~/.mozilla, this means
(1) there must be some problem in the fedora firefox rpm,
(2) perhaps as I originally guessed you are no longer allowing people to
set their own homepage to other than https://start.fedoraproject.org
and this is the problem
(3) your certificates are not up to date (I think I ruled this out).
(4) your standard "default" options in about:config which are different from the
mozilla default options in about:config might be a problem.

I also suspected that the OCSP query might have been timing out or
not completing some of the time but not always, but removing this option
in the security settings didn't make any difference.

Comment 20 Christian Stadelmann 2019-02-19 21:45:32 UTC
(In reply to william.garber from comment #19)
> Since it is fixed with my original configuration ~/.mozilla, this means
> (1) there must be some problem in the fedora firefox rpm,

probably not as I have never heard of it from any other fedora user

> (2) perhaps as I originally guessed you are no longer allowing people to
> set their own homepage to other than https://start.fedoraproject.org
> and this is the problem

probably not as many people have different start pages

> (3) your certificates are not up to date (I think I ruled this out).

probably not as nobody else complains about this bug.

> (4) your standard "default" options in about:config which are different from
> the
> mozilla default options in about:config might be a problem.

There is not much changed from the defaults.
 
> I also suspected that the OCSP query might have been timing out or
> not completing some of the time but not always, but removing this option
> in the security settings didn't make any difference.

I have enabled security.OCSP.require=true and have not seen many issues.


All that you report here looks like there is some different (seemingly unrelated) issue.

Comment 21 Gerald Cox 2019-03-13 21:38:41 UTC
I've been getting the same thing from time to time when starting Fx and displaying the Fedora Home Page:

Your connection is not secure

The owner of start.fedoraproject.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

Comment 22 Martin Stransky 2019-03-14 09:03:58 UTC
Moving to nss as it handles the certificates for Firefox.

Comment 23 Daiki Ueno 2019-05-16 15:23:55 UTC
Does anyone still see this?  For me it occasionally had happened, but I can no longer reproduce it with the latest Firefox.

I see a similar bug in upstream:
https://bugzilla.mozilla.org/show_bug.cgi?id=1530429
Adam, could you confirm?

Comment 24 Adam Williamson 2019-05-21 23:15:23 UTC
I don't think I ever saw this one myself...unless it's the same as https://bugzilla.mozilla.org/show_bug.cgi?id=1530429 , maybe? Doesn't seem like it though.

Comment 25 Daiki Ueno 2019-05-22 03:30:22 UTC
Are you still seeing https://bugzilla.mozilla.org/show_bug.cgi?id=1530429 with the recent firefox updates?

Comment 26 Adam Williamson 2019-05-22 15:23:25 UTC
Good question! It seems like the answer is "no": the most recent occurrences I can find were on 2019-03-22 and 2019-03-20 (for F29 and F30). Doesn't seem to have happened one time since then.

Comment 27 william.garber 2019-05-28 01:51:41 UTC
The problem had completely gone away a few months ago.  
Strangely, as soon as you asked me "Are you still seeing this?"
I started getting the same error message over and over again
when I started up firefox.  It seems like some kind of practical joke.
The bug must have been fixed then reintroduced with a recent
update to fedora's firefox.
Note:  I replaced fedora firefox with firefox directly from mozilla,
which should be installed in your home directory.  
The firefox directly from mozilla had no problems of this nature.
This proves that the problem is definitely with fedora's packaging
of firefox, and as I suggested before it probably has something to
do with fedora trying to force you to use their homepage.
This is extremely annoying.

Comment 28 Adam Williamson 2019-05-28 06:25:42 UTC
It's hardly "forcing" anything, it's just a default. You can change it through the settings perfectly normally.

Comment 29 Daiki Ueno 2019-05-28 11:09:33 UTC
(In reply to william.garber from comment #27)
> The problem had completely gone away a few months ago.  
> Strangely, as soon as you asked me "Are you still seeing this?"
> I started getting the same error message over and over again
> when I started up firefox.  It seems like some kind of practical joke.

Certainly it's not intentional; I still cannot reproduce it even after upgrading to F-30 and to the latest Firefox and NSS packages.

> The bug must have been fixed then reintroduced with a recent
> update to fedora's firefox.

Do you have the exact version numbers of the installed packages when it happened (firefox, nss, p11-kit)?

Comment 30 william.garber 2019-05-28 11:22:27 UTC
garberw@electron> rpm -qa | grep firefox
firefox-67.0-4.fc30.x86_64
firefox-debuginfo-66.0.3-1.fc30.x86_64
firefox-debugsource-66.0.3-1.fc30.x86_64
garberw@electron> rpm -qa | grep nss
nss-3.44.0-2.fc30.x86_64
compat-openssl10-pkcs11-helper-1.22-8.fc30.x86_64
xmlsec1-openssl-1.2.27-2.fc30.x86_64
nss-softokn-3.44.0-2.fc30.x86_64
openssh-clients-8.0p1-2.fc30.x86_64
mod_dnssd-0.6-20.fc30.x86_64
nss-util-3.44.0-2.fc30.x86_64
openssh-server-8.0p1-2.fc30.x86_64
jansson-2.12-2.fc30.x86_64
openssh-8.0p1-2.fc30.x86_64
nss-pem-1.0.5-1.fc30.x86_64
nss-tools-3.44.0-2.fc30.x86_64
xmlsec1-nss-1.2.27-2.fc30.x86_64
nss-sysinit-3.44.0-2.fc30.x86_64
nss-mdns-0.14.1-3.fc30.x86_64
mathjax-sansserif-fonts-2.7.4-4.fc30.noarch
libknet1-crypto-nss-plugin-1.9-1.fc30.x86_64
openssl-libs-1.1.1b-5.fc30.x86_64
openssl-1.1.1b-5.fc30.x86_64
compat-openssl10-1.0.2o-5.fc30.x86_64
openssl-devel-1.1.1b-5.fc30.x86_64
nss-softokn-freebl-3.44.0-2.fc30.x86_64
apr-util-openssl-1.6.1-10.fc30.x86_64
openssl-pkcs11-0.4.10-1.fc30.x86_64
libsss_nss_idmap-2.1.0-2.fc30.x86_64
garberw@electron> rpm -qa | grep pll-kit
garberw@electron> 

Again, the symptom is that it goes to the web page that says there is a security problem,
and if I press the "back" button in firefox it goes to the fedora start page.  Then if I
press the "back" button a second time it goes to https://www.google.com which is supposed
to be my home page.
That is why I think the fedora start page is being "forced" on me.

Comment 31 william.garber 2019-05-28 11:24:02 UTC
> It's hardly "forcing" anything, it's just a default. You can change it through the settings perfectly normally.

Yes I did set my home page to https://www.google.com long ago and it is still that.

Comment 32 Adam Williamson 2019-05-28 15:03:25 UTC
Huh...then that definitely sounds like some kind of bug.

Comment 33 william.garber 2019-05-28 23:05:30 UTC
If I do 
# dnf remove firefox
# dnf install firefox
or likewise
# dnf reinstall firefox
the problem persists.
This system was upgraded from fedora 28 through 30.
Could there be some bad lingering configuration from 
previous distro releases?

Comment 34 Adam Williamson 2019-05-28 23:48:17 UTC
Sure - removing and reinstalling the app doesn't remove your local configuration, that is pretty standard for all apps on Linux. It would be interesting to know if the bug happens if you create a new user account and try with that, though.

Comment 35 william.garber 2019-05-29 00:46:05 UTC
> Sure - removing and reinstalling the app doesn't remove your local configuration, that is pretty standard for all apps on Linux. It would be interesting to know if the bug happens if you create a new user account and try with that, though.

Yes I tried that at the time of the original bug posting.  I started with a blank ~/.mozilla and it did not help.  I have not tried it with this iteration of the bug.

Comment 36 william.garber 2019-05-29 00:48:07 UTC
> If I do
> # dnf remove firefox
> # dnf install firefox
> or likewise
> # dnf reinstall firefox
> the problem persists.
> This system was upgraded from fedora 28 through 30.
> Could there be some bad lingering configuration from
> previous distro releases?


What I meant was any settings in /etc and other global settings.  Could these have carried over from some old distro release?

Comment 37 Adam Williamson 2019-05-29 01:04:01 UTC
In theory, yeah, but there shouldn't really be anything there. If there is it would be in /etc/mozilla or /etc/firefox I guess.

Comment 38 Dirk Hoffmann 2019-06-05 09:05:35 UTC
For what it's worth, I tried to install and run firefox-66.0.5 and firefox-67.0.4, and prominent sites like google.com, fedoraproject.org and duckduckgo.com showed exactly the symptom of the OP:

"Your connection is not secure

The web site tried to negotiate an inadequate level of security.

bodhi.fedoraproject.org uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The web site administrator will need to fix the server first before you can visit the site.

Error code: NS_ERROR_NET_INADEQUATE_SECURITY"

Downgrading to firefox-62.0.3 got me back to work.

Comment 39 Dirk Hoffmann 2019-06-05 09:06:30 UTC
redhat.com (www.redhat.com) has this problem (with FF62/63), but not bugzilla.redhat.com.

Comment 40 Dirk Hoffmann 2019-06-05 09:08:53 UTC
And I tried disabling Add-ons. No change.

Comment 41 Daiki Ueno 2019-06-05 09:33:02 UTC
(In reply to Dirk Hoffmann from comment #38)
> For what it's worth, I tried to install and run firefox-66.0.5 and
> firefox-67.0.4, and prominent sites like google.com, fedoraproject.org and
> duckduckgo.com showed exactly the symptom of the OP:

It doesn't exactly look the same.  The error code in the original report is SEC_ERROR_UNKNOWN_ISSUER, while you are seeing NS_ERROR_NET_INADEQUATE_SECURITY.
Could you try again with a fresh profile or as a new user?  Also please provide the exact package versions including the Fedora release.

Comment 42 Dirk Hoffmann 2019-06-05 09:49:22 UTC
(In reply to Daiki Ueno from comment #41)
> It doesn't exactly look the same.  The error code in the original report is
> SEC_ERROR_UNKNOWN_ISSUER, while you are seeing
> NS_ERROR_NET_INADEQUATE_SECURITY.

You are right, I overlooked this detail.

My Fedora release is the one indicated on top of the ticket (29) and the Firefox package(s) the latest available (66/67), as mentioned in comment #38: 
> For what it's worth, I tried to install and run firefox-66.0.5 and
> firefox-67.0.4, and prominent sites like google.com, fedoraproject.org and
> duckduckgo.com showed [...]


https://www.reddit.com/r/debian/comments/bvxqqo/debian_unstable_firefox_67_ns_error_net/ brought me to the solution: After 
 sudo dnf upgrade nss
I can browse to all sites with firefox-67 now. 

Sorry, if I hijacked this ticket. Maybe other reporters can try as well, if this recipe solves their situations (and give feedback here!).

I asked packagers on bodhi to add the appropriate dependency to the firefox packages.

Comment 43 william.garber 2019-06-06 20:46:24 UTC
I tried it with a fresh profile several times and the problem persists.

Comment 44 Dirk Hoffmann 2019-06-06 21:17:42 UTC
OK, thanks. And I see that you had nss-3.44 already (as reported above).

So it's a cannot-reproduce for me then.

Good luck!

Comment 45 Daiki Ueno 2019-06-07 10:00:39 UTC
(In reply to william.garber from comment #43)
> I tried it with a fresh profile several times and the problem persists.

Could you tell me the actual steps you followed to do that?  I still can't reproduce what you are saying in comment 30.

In my case:
- firefox -P
- choose "Create Profile...", enter "New Profile", and press "Finish"
- select "New Profile" and press "Start Firefox"
- open menu and select "Preferences"
- select "Home" pane
- select "Custom URLs..." for "Homepage and new windows"
- enter "https://www.google.com"
- close firefox and restart
- see https://www.google.com is successfully loaded and enter some URL on the address bar

Comment 46 Dirk Hoffmann 2019-06-07 13:27:19 UTC
For what it is worth, and because we are talking about Fedora 29 and Firefox 67 here.

This morning, after changing nothing else (a reboot maybe, as opposed to the usual hibernate/sleep during the night), my firefox showed only "blank pages". It looked like the pages were loaded (progress bar, address field update), but only a blank, white window was shown, even after a reload for pages which were still nicely in the cache.

I quickly tried "dnf upgrade firefox":
Packages Altered:
    Upgrade  firefox-67.0-4.fc29.x86_64 @updates
    Upgraded firefox-67.0-2.fc29.x86_64 @@System
and it works again!

Such a sub-minor release number seems to make all the difference. The package is obviously not in a very stable state currently.

So try "dnf upgrade firefox", @william.garber, it may change your UX.

Anyway, after consulting some colleagues with identical hardware, I will also move to Fedora30 today or tomorrow and not be able to help you here any more. Bye-bye and good luck!

Comment 47 william.garber 2019-06-07 14:16:41 UTC
I have upgraded to fedora core 30 as soon as it came out.
To test it I created a completely new account and ran firefox
from there.
Still had the problem.

Comment 48 Daiki Ueno 2019-06-07 16:04:44 UTC
(In reply to william.garber from comment #47)
> I have upgraded to fedora core 30 as soon as it came out.
> To test it I created a completely new account and ran firefox
> from there.

And did you follow the exact same steps of comment 45 after 'open menu and select "Preferences"'?
As the issue is not reproducible on my side, I need precise information about what you actually did.

See https://www.chiark.greenend.org.uk/~sgtatham/bugs.html for better bug reporting.

Comment 49 william.garber 2019-06-07 22:22:08 UTC
By new account I mean I created a new user so everything was completely from scratch.
Since you requested it I will also do this:

- firefox -P
- choose "Create Profile...", enter "Next", and press "Finish"
- Start Firefox
- open menu and select "Preferences"
- select "Home" pane
- select "Custom URLs..." for "Homepage and new windows"
- enter "https://www.google.com"
- close firefox and restart
- see https://start.fedoraproject.org
- repeat previous steps from "Start Firefox" until reset https://www.google.com as home page again
- eventually after repeating 3 times see https://www.google.com is successfully loaded
- close firefox
- open firefox and see https://www.google.com is successfully loaded
- repeat last two steps about 3 or 4 times
- error message occurs again.
- repeat last two steps ; every so often error message occurs.

I also noticed that this file had been fiddled with (when trying to fix this a long time ago) but you can see from the diff below that it is presently unchanged from the original version from fedora:

root@electron# ls
firefox-redhat-default-prefs.js  firefox-redhat-default-prefs.js.orig
root@electron# pwd
/usr/lib64/firefox/browser/defaults/preferences
root@electron# diff firefox-redhat-default-prefs.js firefox-redhat-default-prefs.js.orig 
root@electron#

Comment 50 Martin Bukatovic 2019-10-31 12:29:49 UTC
I see this problem in one of my many firefox profiles with firefox-70.0-1.fc30.x86_64

Comment 51 Martin Stransky 2019-10-31 13:37:06 UTC
I wonder if it's a variant of Bug 1752303.

Comment 52 Ben Cotton 2019-10-31 18:42:33 UTC
This message is a reminder that Fedora 29 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 29 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 53 Dirk Hoffmann 2019-10-31 19:37:38 UTC
Ben Cotton, as written above, the problem is still present in Fedora 30. Please update the version field.

And I confirm Martin Bukatovic's report. When my system upgraded to FF70, I had some major sites (but not all) triggering "certificate problems" (making the site totally unusable). Downgrading to FF66 seems to solve it. (There seems to be no package FF67 any more in the Fedora30 repository, at least not seen with "dnf"). The previously installed version was FF69 though. Today:
Error: Unable to find a match: firefox-69.0-2.fc30.x86_64

So is the best advice one can give to users: Better install Firefox without using the Fedora repo, directly from Mozilla? https://www.mozilla.org/firefox/new/

Comment 54 william.garber 2019-10-31 19:58:08 UTC
you could try:
dnf downgrade firefox

and in /etc/dnf/dnf.conf

exclude=firefox

only problem is you will not get any security updates.

Comment 55 Martin Stransky 2019-10-31 22:41:03 UTC
I'm going to create a test build with in-tree nss to check if that fixes this issue.

Comment 56 Martin Stransky 2019-10-31 22:45:20 UTC
(In reply to Martin Stransky from comment #55)
> I'm going to create a test build with in-tree nss to check if that fixes
> this issue.


Added to firefox-70.0-2 builds.

Comment 57 Martin Stransky 2019-11-01 10:10:11 UTC
New test builds are available here:

F30: https://koji.fedoraproject.org/koji/taskinfo?taskID=38697234
F31: https://koji.fedoraproject.org/koji/taskinfo?taskID=38697225

please check them if you see any issue. It uses in-tree nss so you lose nss system certificate integration which causes the bug we see here.
I guess you may see bug 1766340 with the builds above as it does not use system wide certs AFAIK.

Comment 58 Adam Williamson 2019-11-01 15:11:59 UTC
"I guess you may see bug 1766340 with the builds above as it does not use system wide certs AFAIK."

That seems like a *major major* problem for a browser. I'm really not sure it'd be an improvement to do that, overall.

Comment 59 Martin Stransky 2019-11-01 15:37:49 UTC
(In reply to Adam Williamson from comment #58)
> "I guess you may see bug 1766340 with the builds above as it does not use
> system wide certs AFAIK."
> 
> That seems like a *major major* problem for a browser. I'm really not sure
> it'd be an improvement to do that, overall.

We don't ship that yet, this is a test build only. As I'm not an nss expert please test the builds for any regression.

Comment 60 william.garber 2019-11-04 03:04:46 UTC
I am still getting this bug in fedora 31.
Am I simply configuring something wrong?
The bug goes away if you do "dnf downgrade firefox".

Comment 61 Michel Lind 2019-11-15 20:39:08 UTC
I'm seeing this with DuckDuckGo today - and people at work have been reporting similar issues with other sites with DigiCert certificates (e.g. Reddit). They reported that downgrading to Firefox < 70 works.

Going to try the test build and see if that helps.

Comment 62 Michel Lind 2019-11-15 20:39:50 UTC
Created attachment 1636614 [details]
Firefox failing to connect to DuckDuckGo

Comment 63 Michel Lind 2019-11-15 22:59:11 UTC
Tried the firefox-70.0-2.fc31 test build, it works once -- then after restarting the machine the problem reoccurred (going to DDG results in the DigiCert certificate being reported as untrusted).

People at work reported that starting with a fresh profile resolved the issue. For me, I tried uninstalling Firefox and reinstalling the released update (70.0-1.fc31) and... surprisingly opening DDG is fine again. Something might be wrong on the Firefox side.

Comment 64 Lukas Zapletal 2019-11-20 15:20:04 UTC
I started seeing both invalid CA error or DigiCert Global Root CA problem after upgrade to Fedora 31 over the weekend. Firefox restart helped me to survive the day however DigiCert is used for https://bluejeans.com website which is key for my work. Any workaround appreciated.

Comment 65 Florian Weimer 2019-11-20 15:28:22 UTC
FWIW, I saw this on Fedora 30 once, but it was intermittent. Not sure anymore if it was with firefox-70.0-1.fc30 or firefox-70.0.1-4.fc30, or nss-3.47.0-2.fc30 or nss-3.47.0-3.fc30. But the issue does not seem to be specific to Fedora 31.

Comment 66 Daiki Ueno 2019-11-20 16:03:46 UTC
(In reply to Lukas Zapletal from comment #64)
> I started seeing both invalid CA error or DigiCert Global Root CA problem
> after upgrade to Fedora 31 over the weekend. Firefox restart helped me to
> survive the day however DigiCert is used for https://bluejeans.com website
> which is key for my work. Any workaround appreciated.

Sorry for the inconvenience. Until we figure out where the problem is, you could temporarily enable alternatives for libnssckbi.so.x86_64 with libnssckbi.so from the upstream binary release or one of Martin's scratch builds with in-tree NSS:
  sudo alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 .../libnssckbi.so 10
  sudo alternatives --set libnssckbi.so.x86_64 .../libnssckbi.so

Comment 67 Christof Efkemann 2019-11-20 16:17:32 UTC
I have observed this problem both on Fedora 30 and Fedora 31, with and without in-tree NSS.
However, I would like to point out that I have only ever observed the problem on sites using Akamai as a CDN, i.e. sites which resolve to something like ...akamaiedge.net (as you can see for instance with the bluejeans.com site mentioned before).

$ host www.bluejeans.com
www.bluejeans.com is an alias for www.bluejeans.com.edgekey.net.
www.bluejeans.com.edgekey.net is an alias for e7264.dscb.akamaiedge.net.
e7264.dscb.akamaiedge.net has address 104.102.43.181
e7264.dscb.akamaiedge.net has IPv6 address 2a02:26f0:6b:28a::1c60
e7264.dscb.akamaiedge.net has IPv6 address 2a02:26f0:6b:2b1::1c60

Comment 68 william.garber 2019-11-20 17:23:31 UTC
I am still seeing the original bug on fedora 31 (I am the original poster);
It is present in firefox and the version of firefox you get from
"yum downgrade firefox".

Comment 69 Lukas Zapletal 2019-11-22 07:42:32 UTC
Daiki, thanks for the instructions. Unfortunately Martin's scratch build has been cleaned up already. I do not understand the other alternative, can you give me exact instructions? What is .../libnssckbi.so supposed to mean?

Thanks a bunch

Comment 70 Daiki Ueno 2019-11-22 13:54:26 UTC
(In reply to Lukas Zapletal from comment #69)
> Daiki, thanks for the instructions. Unfortunately Martin's scratch build has
> been cleaned up already. I do not understand the other alternative, can you
> give me exact instructions? What is .../libnssckbi.so supposed to mean?

I meant to extract libnssckbi.so from the upstream release tarball, put it somewhere on the system, and run the alternatives commands.

However, this is turning out to be a timing issue, and it might not fix your problem, depending on the environment:
https://bugzilla.mozilla.org/show_bug.cgi?id=1593167
I've triggered a scratch-build with a workaround (use it at your own risk):
https://koji.fedoraproject.org/koji/taskinfo?taskID=39198147

Comment 71 Fedora Update System 2019-11-29 06:14:23 UTC
FEDORA-2019-ff27bbf69a has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ff27bbf69a

Comment 72 Fedora Update System 2019-11-30 01:19:45 UTC
nss-3.47.1-2.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ff27bbf69a

Comment 73 Fedora Update System 2019-12-04 15:29:46 UTC
FEDORA-2019-ff27bbf69a has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ff27bbf69a

Comment 74 Fedora Update System 2019-12-05 01:23:23 UTC
nss-3.47.1-4.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ff27bbf69a

Comment 75 Fedora Update System 2019-12-05 02:01:08 UTC
nss-3.47.1-4.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8fbc65ef9e

Comment 76 william.garber 2019-12-06 00:31:28 UTC
Created attachment 1642485 [details]
firefox about:config page note security settings please.

Comment 77 william.garber 2019-12-06 00:33:50 UTC
just added about:config web page.
can anyone see anything unusual about settings under security?
most notably ones in boldface which are the non-default settings.

I assume that may be where the problem is.
this is version 71.0 of firefox on fedora 31.
The original problem is still persisting.

Comment 78 Fedora Update System 2019-12-11 01:32:25 UTC
nss-3.47.1-4.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 79 Fedora Update System 2019-12-11 02:06:07 UTC
nss-3.47.1-4.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 80 Daiki Ueno 2020-01-02 14:38:47 UTC
(In reply to william.garber from comment #77)
> just added about:config web page.
> can anyone see anything unusual about settings under security?
> most notably ones in boldface which are the non-default settings.
> 
> I assume that may be where the problem is.
> this is version 71.0 of firefox on fedora 31.
> The original problem is still persisting.

I would suggest the same as:
https://bugzilla.redhat.com/show_bug.cgi?id=1752303#c72
i.e., run firefox under: P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" and attach the log here.

It might also be worthwhile to check with a fresh firefox profile (firefox -P):
https://bugzilla.redhat.com/show_bug.cgi?id=1752303#c76

Comment 81 william.garber 2020-01-02 15:23:34 UTC
Created attachment 1649214 [details]
P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" firefox > firefox.log 2>&1

P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" firefox > firefox.log 2>&1

Comment 82 william.garber 2020-01-02 15:25:17 UTC
it is working as of 
garberw@electron> firefox --version
Mozilla Firefox 71.0
garberw@electron> 

as far as I can tell.
but then this is an intermittent bug.

Comment 83 Daiki Ueno 2020-01-02 15:27:13 UTC
(In reply to william.garber from comment #81)
> Created attachment 1649214 [details]
> P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" firefox > firefox.log 2>&1
> 
> P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" firefox > firefox.log 2>&1

I should have been clear that I need a log *when it fails to load*. The log looks sane to me.

Comment 84 william.garber 2020-01-02 15:48:36 UTC
could this problem have been caused by either of the packages
lynis
clamav
which I recently removed???  I will try to investigate.
They were left at default configuration (no custom configuration).

Comment 85 Daiki Ueno 2020-01-02 15:51:31 UTC
(In reply to william.garber from comment #84)
> could this problem have been caused by either of the packages
> lynis
> clamav
> which I recently removed???  I will try to investigate.
> They were left at default configuration (no custom configuration).

I don't think so. Have you tried with a fresh profile as I suggested in comment 80?

Comment 86 william.garber 2020-01-03 16:25:51 UTC
Daiki Ueno:  comment 85:
It is working now, see comment 82.
firefox is current version 71.0 from repository.
I can no longer reproduce the bug, sorry, so there is no 
way of testing it.
When it was NOT working I had tried it with a fresh profile
and it did not fix it.
So far pending any future updates that break it again,
the bug is fixed.
I never figured out what was wrong.

Comment 87 Daiki Ueno 2020-01-03 16:34:15 UTC
OK, thank you for the information.  Let's close this bug for now; feel free to reopen or file a new bug if it happens again.