Bug 1648617 - firefox goes to "your connection is not secure" when visiting https://www.google.com
william.garber 2018-11-11 02:03:32 UTC

Description of problem:
nine times out of ten when I open firefox it goes to a page saying "your connection is not secure" when visiting https://www.google.com/
If I hit alt-home to go to the home page (google) about ten times, on the tenth time approximately it will load google successfully. Then it works fine for a few times. If I launch a separate instance of the browser it works okay. Then if I close firefox and do not use it for a while it goes back to the original state of not working.

Version-Release number of selected component (if applicable):
firefox-63.0.1-5.fc29.x86_64

How reproducible:
as above. leave the web browser not running for a while then start it up. very frequently happens.

Steps to Reproduce:
1. start web browser, assuming home page is https://www.google.com
2.
3.

Actual results:
Your connection is not secure

The owner of www.google.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

Learn more…

Report errors like this to help Mozilla identify and block malicious sites

www.google.com uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
Error code: SEC_ERROR_UNKNOWN_ISSUER

clicking on SEC_ERROR_UNKNOWN_ISSUER gives the certificate shown in the attachment.
Also firefox takes a long time to load. Could have something to do with cookie settings.

Expected results:
prompt startup of firefox and load google homepage.

Additional info:
see attached certificate.
There are tons of error reports on the firefox website pertaining to this.
looks like jscher2000 does not think something is wrong and thinks firefox is configured incorrectly, but lots of people were complaining about this.

Note: I noticed that very briefly when firefox loads up, it flashes on the screen one of those firefox home pages that you get when you first install or upgrade firefox. Since this is a recently upgraded fedora from 28 to 29, I thought maybe it was getting stuck on that page (sort of like a splash screen after the upgrade).

william.garber 2018-11-11 02:05:37 UTC

Created certificate presumably of https://www.google.com/ that does not get recognized.

william.garber 2018-11-11 02:24:10 UTC

I set the homepage to "firefox default" and it loads the fedora homepage. I think normally that goes away after the first time you see it, no?

william.garber 2018-11-11 02:46:42 UTC

garberw@electron> lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
firefox 7657 garberw 107u IPv6 101189 0t0 TCP electron:47954->nuq04s29-in-x04.1e100.net:https (ESTABLISHED)
firefox 7657 garberw 130u IPv4 110195 0t0 TCP electron:55874->ec2-52-33-113-226.us-west-2.compute.amazonaws.com:https (ESTABLISHED)
firefox 7657 garberw 153u IPv4 123044 0t0 TCP electron:53006->sfo07s13-in-f14.1e100.net:https (ESTABLISHED)
firefox 7657 garberw 155u IPv6 134139 0t0 TCP electron:54886->sfo03s07-in-x0e.1e100.net:https (ESTABLISHED)
firefox 7657 garberw 160u IPv6 138242 0t0 TCP electron:39680->[2606:4700:20::6819:1c69]:https (ESTABLISHED)
firefox 7657 garberw 161u IPv4 141060 0t0 TCP electron:46154->72.21.91.29:http (ESTABLISHED)
firefox 7657 garberw 166u IPv6 138243 0t0 TCP electron:47464->[2a04:fa87:fffe::c000:4902]:https (ESTABLISHED)
firefox 7657 garberw 167u IPv6 135950 0t0 TCP electron:46444->sfo07s13-in-x0a.1e100.net:https (ESTABLISHED)
firefox 7657 garberw 168u IPv6 135785 0t0 TCP electron:46432->sfo07s13-in-x0a.1e100.net:https (ESTABLISHED)
firefox 7657 garberw 171u IPv6 135786 0t0 TCP electron:44702->[2606:4700:30::681b:be68]:https (ESTABLISHED)
firefox 7657 garberw 172u IPv6 138252 0t0 TCP electron:55254->nuq04s29-in-x03.1e100.net:https (ESTABLISHED)
garberw@electron>

that ipv6 address is spinasale.com. does this mean spinasale.com has hacked me?
the only thing open was google in firefox.

william.garber 2018-11-11 04:01:41 UTC

Created firefox security certificate settings used. all defaults.
NOTE: maybe the timeout setting is not large enough?

william.garber 2018-11-11 04:04:00 UTC

looks like a problem on google's end?
https://certificate.revocationcheck.com/www.google.com

william.garber 2018-11-11 04:07:40 UTC

Created certificate check website fails. looks like a bug on google's side?

william.garber 2018-11-11 04:08:59 UTC

similar complaints.
https://support.mozilla.org/en-US/questions/1200716
https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/

william.garber 2018-11-11 04:50:19 UTC

https://www.theregister.co.uk/2018/02/07/beware_the_coming_chrome_certificate_apocalypse/
something about symantec and google fighting over google's https policy and symantec's issuing of certificates.

william.garber 2019-02-03 04:09:46 UTC

when I start firefox especially after a firefox upgrade I get the above error with the "your connection is not secure" message. Then I can either press the "Learn more" button which is described above or "Back". I found out that if you press the other button "Back" it takes me to https://start.fedoraproject.org; if I press the back button on firefox it takes me to the first web page in the "stack" which is my home page https://www.google.com which loaded; but if I try a google search it does not work.
The only place I could find https://start.fedoraproject.org in any configuration files is in
/usr/lib64/firefox/browser/omni.ja
/usr/lib64/firefox/browser/defaults/preferences/firefox-redhat-default-prefs.js
/usr/lib64/firefox/browser/defaults/preferences/

The bug is that when you upgrade firefox it shows this default the first time you open firefox. It is SUPPOSED to go back to the default homepage I set for myself, https://www.google.com on subsequent invocations of firefox. But it does not. Also it gives the security error.

Can someone please comment on this? I can not use the web browser decently. Also the firefox website said this may be due to an incorrectly set system clock or timezone.

Christian Stadelmann 2019-02-17 11:08:34 UTC

*** Bug 1648615 has been marked as a duplicate of this bug. ***

Christian Stadelmann 2019-02-17 11:14:50 UTC

Is your system time AND DATE correct? What does
$ date
give you when executed on the command line?

It looks like someone is messing with your internet connection and/or DNS server. Some ideas:
* Have you set a DNS server? Try a different one or get back to the default.
* Is your computer part of an untrusted network? Any public wifi is an untrusted network. Try a different (preferable cabled) network.
* Is your ISP or government messing with your network? If possible, try a different one ;)

william.garber 2019-02-18 18:25:50 UTC

yes my system time and date are correct. I checked that the uefi is set to UTC and the system time and date from "date" command are the local time (what I would expect). the dns server was set to defaults. I reset it to google's dns server for ipv4 and ipv6 and the problem persists. there are tons of people reporting this problem.

william.garber 2019-02-18 22:02:50 UTC

garberw@electron> date
Mon Feb 18 14:01:10 PST 2019
garberw@electron>

this seems to be a problem with firefox based on the firefox blogs.
there are lots of questions like this one I posted:
https://support.mozilla.org/en-US/questions/1248873#answer-1193593

william.garber 2019-02-18 22:28:36 UTC

see there are a whole lot of people having this problem:
https://www.google.com/search?source=hp&ei=MS9rXJ7tFMv4_Aa73bPYCQ&q=sec_error_unknown_issuer+firefox+google&btnK=Google+Search&oq=SEC_ERROR_UNKNOWN_ISSUER+&gs_l=psy-ab.3.2.0l10.11115.11115..16117...0.0..0.109.221.1j2......0....2j1..gws-wiz.....0.z0gKpk2U-xg

william.garber 2019-02-18 23:03:45 UTC

I removed ~/.mozilla and did
# dnf remove firefox
# dnf install firefox
change home page to "custom" https://www.google.com was the only customization made.
and the problem decreased. I started and closed firefox 30 times, with no problem, but on the 30th time the problem came back.

I am running mate desktop and the shortcut for firefox has the command "firefox %u". I thought maybe this should be "firefox %s" but that did not seem to fix it.

There always appears to be the web page "https://start.fedoraproject.org" when you hit the "back" button on the error message. when you hit the "left" button on the web page "https://start.fedoraproject.org" you get back to the original home page "https://www.google.com" but there is no green lock indicating that it was not securely loaded.

Could I have some kind of security software installed that I have forgotten or lost? I doubt it. I have heard that this security software such as antivirus can cause problems that look like man-in-middle attacks.

Christian Stadelmann 2019-02-18 23:11:40 UTC

(In reply to william.garber from comment #15)
> […]
> Could I have some kind of security software installed that I have
> forgotten or lost? I doubt it. I have heard that this security software
> such as antivirus can cause problems that look like man-in-middle attacks.

That's quite common on Windows but I don't know of any such kind of "security" software on Linux. You probably don't have it ;)

Have you tried a different network?
Maybe your network is being messed with.

william.garber 2019-02-18 23:56:32 UTC

before I go updating any certificates is it possible that the certificate for https://start.fedoraproject.org is incorrect? Seems more likely than the google certificate being incorrect. Also it looks like you are trying to force me to use https://start.fedoraproject.org as my homepage since it keeps coming up and is always associated with the bug. what is this all about?

garberw@electron> cd /usr/lib64/firefox/
garberw@electron> grep -R start.fedoraproject.org
browser/defaults/preferences/firefox-redhat-default-prefs.js:pref("browser.startup.homepage", "data:text/plain,browser.startup.homepage=https://start.fedoraproject.org/");
browser/defaults/preferences/firefox-redhat-default-prefs.js:pref("browser.newtabpage.pinned", '[{"url":"https://start.fedoraproject.org/","title":"Fedora Project - Start Page"}]');
garberw@electron>

william.garber 2019-02-19 03:11:39 UTC

sure there's security software available for linux.
https://www.csoonline.com/article/3238884/linux/linux-antivirus-and-anti-malware-8-top-tools.html
some of it is even open source. I would not use the commercial ones though.

william.garber 2019-02-19 20:49:54 UTC

I tried downloading and installing the certificates directly from google (https://pki.goog/roots.pem) but this did nothing. If these certificates are not up to date I do not know what to do. It still did not work.

I next downloaded firefox directly from mozilla as a binary tarball and ran it from my home directory. I used the same ~/.mozilla as I normally use (not a default configuration) so it has the homepage https://www.google.com. I started firefox and exited firefox 60 times successfully indicating it is fixed.
Since it is fixed with my original configuration ~/.mozilla, this means
(1) there must be some problem in the fedora firefox rpm,
(2) perhaps as I originally guessed you are no longer allowing people to set their own homepage to other than https://start.fedoraproject.org and this is the problem
(3) your certificates are not up to date (I think I ruled this out).
(4) your standard "default" options in about:config which are different from the mozilla default options in about:config might be a problem.

I also suspected that the OCSP query might have been timing out or not completing some of the time but not always, but removing this option in the security settings didn't make any difference.

Christian Stadelmann 2019-02-19 21:45:32 UTC

(In reply to william.garber from comment #19)
> Since it is fixed with my original configuration ~/.mozilla, this means
> (1) there must be some problem in the fedora firefox rpm,

probably not as I have never heard of it from any other fedora user

> (2) perhaps as I originally guessed you are no longer allowing people to
> set their own homepage to other than https://start.fedoraproject.org
> and this is the problem

probably not as many people have different start pages

> (3) your certificates are not up to date (I think I ruled this out).

probably not as nobody else complains about this bug.

> (4) your standard "default" options in about:config which are different from the
> mozilla default options in about:config might be a problem.

There is not much changed from the defaults.

> I also suspected that the OCSP query might have been timing out or
> not completing some of the time but not always, but removing this option
> in the security settings didn't make any difference.

I have enabled security.OCSP.require=true and have not seen many issues.

All what you report here looks like there is some different (seemingly unrelated) issue.

Gerald Cox 2019-03-13 21:38:41 UTC

I've been getting the same thing from time to time when starting Fx and displaying the Fedora Home Page:

Your connection is not secure

The owner of start.fedoraproject.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

Martin Stransky 2019-03-14 09:03:58 UTC

Moving to nss as it handles the certificates at Firefox.

Daiki Ueno 2019-05-16 15:23:55 UTC

Does anyone still see this? For me it occasionally had happened, but I can no longer reproduce it with the latest Firefox.

I see a similar bug in upstream:
https://bugzilla.mozilla.org/show_bug.cgi?id=1530429

Adam, could you confirm?

Adam Williamson 2019-05-21 23:15:23 UTC

I don't think I ever saw this one myself...unless it's the same as https://bugzilla.mozilla.org/show_bug.cgi?id=1530429 , maybe? Doesn't seem like it though.

Daiki Ueno 2019-05-22 03:30:22 UTC

Are you still seeing https://bugzilla.mozilla.org/show_bug.cgi?id=1530429 with the recent firefox updates?

Adam Williamson 2019-05-22 15:23:25 UTC

Good question! It seems like the answer is "no": the most recent occurrences I can find were on 2019-03-22 and 2019-03-20 (for F29 and F30). Doesn't seem to have happened one time since then.

william.garber 2019-05-28 01:51:41 UTC

The problem had completely gone away a few months ago. Strangely, as soon as you asked me "Are you still seeing this?" I started getting the same error message over and over again when I started up firefox. It seems like some kind of practical joke.

The bug must have been fixed then reintroduced with a recent update to fedora's firefox.

Note: I replaced fedora firefox with firefox directly from mozilla, which should be installed in your home directory.
The firefox directly from mozilla had no problems of this nature. This proves that the problem is definitely with fedora's packaging of firefox, and as I suggested before it probably has something to do with fedora trying to force you to use their homepage. This is extremely annoying.

Adam Williamson 2019-05-28 06:25:42 UTC

It's hardly "forcing" anything, it's just a default. You can change it through the settings perfectly normally.

Daiki Ueno 2019-05-28 11:09:33 UTC

(In reply to william.garber from comment #27)
> The problem had completely gone away a few months ago.
> Strangely, as soon as you asked me "Are you still seeing this?"
> I started getting the same error message over and over again
> when I started up firefox. It seems like some kind of practical joke.

Certainly it's not intentional; I still cannot reproduce it even after upgrading to F-30 and to the latest Firefox and NSS packages.

> The bug must have been fixed then reintroduced with a recent
> update to fedora's firefox.

Do you have the exact version numbers of the installed packages when it happened (firefox, nss, p11-kit)?

william.garber 2019-05-28 11:22:27 UTC

garberw@electron> rpm -qa | grep firefox
firefox-67.0-4.fc30.x86_64
firefox-debuginfo-66.0.3-1.fc30.x86_64
firefox-debugsource-66.0.3-1.fc30.x86_64
garberw@electron> rpm -qa | grep nss
nss-3.44.0-2.fc30.x86_64
compat-openssl10-pkcs11-helper-1.22-8.fc30.x86_64
xmlsec1-openssl-1.2.27-2.fc30.x86_64
nss-softokn-3.44.0-2.fc30.x86_64
openssh-clients-8.0p1-2.fc30.x86_64
mod_dnssd-0.6-20.fc30.x86_64
nss-util-3.44.0-2.fc30.x86_64
openssh-server-8.0p1-2.fc30.x86_64
jansson-2.12-2.fc30.x86_64
openssh-8.0p1-2.fc30.x86_64
nss-pem-1.0.5-1.fc30.x86_64
nss-tools-3.44.0-2.fc30.x86_64
xmlsec1-nss-1.2.27-2.fc30.x86_64
nss-sysinit-3.44.0-2.fc30.x86_64
nss-mdns-0.14.1-3.fc30.x86_64
mathjax-sansserif-fonts-2.7.4-4.fc30.noarch
libknet1-crypto-nss-plugin-1.9-1.fc30.x86_64
openssl-libs-1.1.1b-5.fc30.x86_64
openssl-1.1.1b-5.fc30.x86_64
compat-openssl10-1.0.2o-5.fc30.x86_64
openssl-devel-1.1.1b-5.fc30.x86_64
nss-softokn-freebl-3.44.0-2.fc30.x86_64
apr-util-openssl-1.6.1-10.fc30.x86_64
openssl-pkcs11-0.4.10-1.fc30.x86_64
libsss_nss_idmap-2.1.0-2.fc30.x86_64
garberw@electron> rpm -qa | grep pll-kit
garberw@electron>

Again, the symptom is that it goes to the web page that says there is a security problem, and if I press the "back" button in firefox it goes to the fedora start page. Then if I press the "back" button a second time it goes to https://www.google.com which is supposed to be my home page. That is why I think the fedora start page is being "forced" on me.

william.garber 2019-05-28 11:24:02 UTC

It's hardly "forcing" anything, it's just a default. You can change it through the settings perfectly normally.

Yes I did set my home page to https://www.google.com long ago and it is still that.

Adam Williamson 2019-05-28 15:03:25 UTC

Huh...then that definitely sounds like some kind of bug.

william.garber 2019-05-28 23:05:30 UTC

If I do
# dnf remove firefox
# dnf install firefox
or likewise
# dnf reinstall firefox
the problem persists.
This system was upgraded from fedora 28 through 30. Could there be some bad lingering configuration from previous distro releases?

Adam Williamson 2019-05-28 23:48:17 UTC

Sure - removing and reinstalling the app doesn't remove your local configuration, that is pretty standard for all apps on Linux. It would be interesting to know if the bug happens if you create a new user account and try with that, though.

william.garber 2019-05-29 00:46:05 UTC

Sure - removing and reinstalling the app doesn't remove your local configuration, that is pretty standard for all apps on Linux. It would be interesting to know if the bug happens if you create a new user account and try with that, though.

Yes I tried that at the time of the original bug posting. I started with a blank ~/.mozilla and it did not help. I have not tried it with this iteration of the bug.

william.garber 2019-05-29 00:48:07 UTC

If I do
# dnf remove firefox
# dnf install firefox
or likewise
# dnf reinstall firefox
the problem persists. This system was upgraded from fedora 28 through 30. Could there be some bad lingering configuration from previous distro releases?

What I meant was any settings in /etc and other global settings. Could these have carried over from some old distro release?

Adam Williamson 2019-05-29 01:04:01 UTC

In theory, yeah, but there shouldn't really be anything there. If there is it would be in /etc/mozilla or /etc/firefox I guess.

Dirk Hoffmann 2019-06-05 09:05:35 UTC

For what it's worth, I tried to install and run firefox-66.0.5 and firefox-67.0.4, and prominent sites like google.com, fedoraproject.org and duckduckgo.com showed exactly the symptom of the OP:

"Your connection is not secure

The web site tried to negotiate an inadequate level of security.

bodhi.fedoraproject.org uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe.
The web site administrator will need to fix the server first before you can visit the site.

Error code: NS_ERROR_NET_INADEQUATE_SECURITY"

Downgrading to firefox-62.0.3 got me back to work.

Dirk Hoffmann 2019-06-05 09:06:30 UTC

redhat.com (www.redhat.com) has this problem (with FF62/63), but not bugzilla.redhat.com.

Dirk Hoffmann 2019-06-05 09:08:53 UTC

And I tried disabling Add-ons. No change.

Daiki Ueno 2019-06-05 09:33:02 UTC

(In reply to Dirk Hoffmann from comment #38)
> For what it's worth, I tried to install and run firefox-66.0.5 and
> firefox-67.0.4, and prominent sites like google.com, fedoraproject.org and
> duckduckgo.com showed exactly the symptom of the OP:

It doesn't exactly look the same. The error code in the original report is SEC_ERROR_UNKNOWN_ISSUER, while you are seeing NS_ERROR_NET_INADEQUATE_SECURITY.

Could you try again with a fresh profile or as a new user? Also please provide the exact package versions including the Fedora release.

Dirk Hoffmann 2019-06-05 09:49:22 UTC

(In reply to Daiki Ueno from comment #41)
> It doesn't exactly look the same. The error code in the original report is
> SEC_ERROR_UNKNOWN_ISSUER, while you are seeing
> NS_ERROR_NET_INADEQUATE_SECURITY.

You are right, I overlooked this detail.

My Fedora release is the one indicated on top of the ticket (29) and the Firefox package(s) the latest available (66/67), as mentioned in comment #38:
> For what it's worth, I tried to install and run firefox-66.0.5 and
> firefox-67.0.4, and prominent sites like google.com, fedoraproject.org and
> duckduckgo.com showed [...]

https://www.reddit.com/r/debian/comments/bvxqqo/debian_unstable_firefox_67_ns_error_net/ brought me to the solution: After
sudo dnf upgrade nss
I can browse to all sites with firefox-67 now.

Sorry, if I hijacked this ticket. Maybe other reporters can try as well, if this recipe solves their situations (and give feedback here!). I asked packagers on bodhi to add the appropriate dependency to the firefox packages.

william.garber 2019-06-06 20:46:24 UTC

I tried it with a fresh profile several times and the problem persists.

Dirk Hoffmann 2019-06-06 21:17:42 UTC

OK, thanks. And I see that you had nss-3.44 already (as reported above). So it's a cannot-reproduce for me then. Good luck!

Daiki Ueno 2019-06-07 10:00:39 UTC

(In reply to william.garber from comment #43)
> I tried it with a fresh profile several times and the problem persists.

Could you tell me the actual steps you followed to do that? I still can't reproduce what you are saying in comment 30. In my case:

- firefox -P
- choose "Create Profile...", enter "New Profile", and press "Finish"
- select "New Profile" and press "Start Firefox"
- open menu and select "Preferences"
- select "Home" pane
- select "Custom URLs..." for "Homepage and new windows"
- enter "https://www.google.com"
- close firefox and restart
- see https://www.google.com is successfully loaded and enter some URL on the address bar

Dirk Hoffmann 2019-06-07 13:27:19 UTC

For what it is worth, and because we are talking about Fedora 29 and Firefox 67 here. Today morning, after changing nothing else (a reboot maybe, as opposed to the usual hibernate/sleep during the night), my firefox showed only "blank pages". It looked like the pages were loaded (progress bar, address field update), but only a blank, white window was shown, even after a reload for pages which were still nicely in the cache). I quickly tried "dnf upgrade firefox":

Packages Altered:
Upgrade  firefox-67.0-4.fc29.x86_64 @updates
Upgraded firefox-67.0-2.fc29.x86_64 @@System

and it works again! Such a sub-minor release number seems to make all the difference. The package is obviously not in a very stable state currently.

So try "dnf upgrade firefox", @william.garber, it may change your UX.

Anyway, after consulting some colleagues with identical hardware, I will also move to Fedora30 today or tomorrow and not be able to help you here any more. Bye-bye and good luck!

william.garber 2019-06-07 14:16:41 UTC

I have upgraded to fedora core 30 as soon as it came out. To test it I created a completely new account and ran firefox from there. Still had the problem.

Daiki Ueno 2019-06-07 16:04:44 UTC

(In reply to william.garber from comment #47)
> I have upgraded to fedora core 30 as soon as it came out.
> To test it I created a completely new account and ran firefox
> from there.

And did you follow the exact same steps of comment 45 after 'open menu and select "Preferences"'? As the issue is not reproducible on my side, I need the precise information what you actually did.

See https://www.chiark.greenend.org.uk/~sgtatham/bugs.html for better bug reporting.

william.garber 2019-06-07 22:22:08 UTC

By new account I mean I created a new user so everything was completely from scratch. Since you requested it I will also do this:

- firefox -P
- choose "Create Profile...", enter "Next", and press "Finish"
- Start Firefox
- open menu and select "Preferences"
- select "Home" pane
- select "Custom URLs..." for "Homepage and new windows"
- enter "https://www.google.com"
- close firefox and restart
- see https://start.fedoraproject.org
- repeat previous steps from "Start Firefox" until reset https://www.google.com as home page again
- eventually after repeating 3 times see https://www.google.com is successfully loaded
- close firefox
- open firefox and see https://www.google.com is successfully loaded
- repeat last two steps about 3 or 4 times
- error message occurs again.
- repeat last two steps ; every so often error message occurs.
I also noticed that this file had been fiddled with (when trying to fix this a long time ago) but you can see from the diff below that it is presently unchanged from the original version from fedora:

root@electron# ls
firefox-redhat-default-prefs.js firefox-redhat-default-prefs.js.orig
root@electron# pwd
/usr/lib64/firefox/browser/defaults/preferences
root@electron# diff firefox-redhat-default-prefs.js firefox-redhat-default-prefs.js.orig
root@electron#

Martin Bukatovic 2019-10-31 12:29:49 UTC

I see this problem in one of my many firefox profiles with firefox-70.0-1.fc30.x86_64

Martin Stransky 2019-10-31 13:37:06 UTC

I wonder if it's a variant of Bug 1752303.

Ben Cotton 2019-10-31 18:42:33 UTC

This message is a reminder that Fedora 29 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 29 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Dirk Hoffmann 2019-10-31 19:37:38 UTC

Ben Cotton, as written above, the problem is still present in Fedora 30. Please update the version field.

And I confirm Martin Bukatovic's report.
When my system upgraded to FF70, I had some major site (but not all) triggering "certificate problems" (making the site totally unusable). Downgrading to FF66 seems to solve it. (There seems to be no package FF67 any more in the Fedora30 repository, at least not seen with "dnf"). The previously installed version was FF69 though. Today:

Error: Unable to find a match: firefox-69.0-2.fc30.x86_64

So is the best advice one can give to users: Better install Firefox without using the Fedora repo, directly from Mozilla? https://www.mozilla.org/firefox/new/

william.garber 2019-10-31 19:58:08 UTC

you could try:
dnf downgrade firefox
and in /etc/dnf/dnf.conf
exclude=firefox
only problem is you will not get any security updates.

Martin Stransky 2019-10-31 22:41:03 UTC

I'm going to create a test build with in-tree nss to check if that fixes this issue.

Martin Stransky 2019-10-31 22:45:20 UTC

(In reply to Martin Stransky from comment #55)
> I'm going to create a test build with in-tree nss to check if that fixes
> this issue.

Added to firefox-70.0-2 builds.

Martin Stransky 2019-11-01 10:10:11 UTC

New test builds are available here:

F30: https://koji.fedoraproject.org/koji/taskinfo?taskID=38697234
F31: https://koji.fedoraproject.org/koji/taskinfo?taskID=38697225

please check them if you see any issue. It uses in-tree nss so you lose nss system certificate integration which causes the bug we see here.

I guess you may see bug 1766340 with the builds above as it does not use system wide certs AFAIK.

Adam Williamson 2019-11-01 15:11:59 UTC

"I guess you may see bug 1766340 with the builds above as it does not use system wide certs AFAIK."

That seems like a *major major* problem for a browser. I'm really not sure it'd be an improvement to do that, overall.

Martin Stransky 2019-11-01 15:37:49 UTC

(In reply to Adam Williamson from comment #58)
> "I guess you may see bug 1766340 with the builds above as it does not use
> system wide certs AFAIK."
>
> That seems like a *major major* problem for a browser. I'm really not sure
> it'd be an improvement to do that, overall.

We don't ship that yet, this is a test build only. As I'm not an nss expert please test the builds for any regression.

william.garber 2019-11-04 03:04:46 UTC

I am still getting this bug in fedora 31. Am I simply configuring something wrong? The bug goes away if you do "dnf downgrade firefox".

Michel Alexandre Salim 2019-11-15 20:39:08 UTC

I'm seeing this with DuckDuckGo today - and people at work have been reporting similar issues with other sites with DigiCert certificates (e.g. Reddit).

They reported that downgrading to Firefox < 70 works. Going to try the test build and see if that helps.

Michel Alexandre Salim 2019-11-15 20:39:50 UTC

Created Firefox failing to connect to DuckDuckGo

Michel Alexandre Salim 2019-11-15 22:59:11 UTC

Tried the firefox-70.0-2.fc31 test build, it works once -- then after restarting the machine the problem reoccurred (going to DDG results in the DigiCert certificate being reported as untrusted).

People at work reported that starting with a fresh profile resolved the issue. For me, I tried uninstalling Firefox and reinstalling the released update (70.0-1.fc31) and... surprisingly opening DDG is fine again.

Something might be wrong on the Firefox side.

Lukas Zapletal 2019-11-20 15:20:04 UTC

I started seeing both invalid CA error or DigiCert Global Root CA problem after upgrade to Fedora 31 over the weekend. Firefox restart helped me to survive the day however DigiCert is used for https://bluejeans.com website which is key for my work. Any workaround appreciated.

Florian Weimer 2019-11-20 15:28:22 UTC

FWIW, I saw this on Fedora 30 once, but it was intermittent. Not sure anymore if it was with firefox-70.0-1.fc30 or firefox-70.0.1-4.fc30, or nss-3.47.0-2.fc30 or nss-3.47.0-3.fc30. But the issue does not seem to be specific to Fedora 31.

Daiki Ueno 2019-11-20 16:03:46 UTC

(In reply to Lukas Zapletal from comment #64)
> I started seeing both invalid CA error or DigiCert Global Root CA problem
> after upgrade to Fedora 31 over the weekend. Firefox restart helped me to
> survive the day however DigiCert is used for https://bluejeans.com website
> which is key for my work. Any workaround appreciated.

Sorry for the inconvenience. Until we figure out where is the problem, you could temporarily enable alternatives for libnssckbi.so.x86_64 with libnssckbi.so from the upstream binary release or one of the Martin's scratch builds with in-tree NSS:

sudo alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 .../libnssckbi.so 10
sudo alternatives --set libnssckbi.so.x86_64 .../libnssckbi.so

Christof Efkemann 2019-11-20 16:17:32 UTC

I have observed this problem both on Fedora 30 and Fedora 31, with and without in-tree NSS. However, I would like to point out that I have only ever observed the problem on sites using Akamai as a CDN, i.e. sites which resolve to something like ...akamaiedge.net (as you can see for instance with the bluejeans.com site mentioned before).

$ host www.bluejeans.com
www.bluejeans.com is an alias for www.bluejeans.com.edgekey.net.
www.bluejeans.com.edgekey.net is an alias for e7264.dscb.akamaiedge.net.
e7264.dscb.akamaiedge.net has address 104.102.43.181
e7264.dscb.akamaiedge.net has IPv6 address 2a02:26f0:6b:28a::1c60
e7264.dscb.akamaiedge.net has IPv6 address 2a02:26f0:6b:2b1::1c60

william.garber 2019-11-20 17:23:31 UTC

I am still seeing the original bug on fedora 31 (I am the original poster); It is present in firefox and the version of firefox you get from "yum downgrade firefox".

Lukas Zapletal 2019-11-22 07:42:32 UTC

Daiki, thanks for the instructions. Unfortunately Martin's scratch build has been cleaned up already. I do not understand the other alternative, can you give me exact instructions? What .../libnssckbi.so does suppose to mean?
Thanks a bunch

Daiki Ueno 2019-11-22 13:54:26 UTC

(In reply to Lukas Zapletal from comment #69)
> Daiki, thanks for the instructions. Unfortunately Martin's scratch build has
> been cleaned up already. I do not understand the other alternative, can you
> give me exact instructions? What .../libnssckbi.so does suppose to mean?

I meant to extract libnssckbi.so from the upstream release tarball, put it somewhere on the system, and run the alternatives commands. However, this is turning out to be a timing issue, and it might not fix your problem, depending on the environment:
https://bugzilla.mozilla.org/show_bug.cgi?id=1593167

I've triggered a scratch-build with a work around (use it at your own risk):
https://koji.fedoraproject.org/koji/taskinfo?taskID=39198147

Fedora Update System 2019-11-29 06:14:23 UTC

FEDORA-2019-ff27bbf69a has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ff27bbf69a

Fedora Update System 2019-11-30 01:19:45 UTC

nss-3.47.1-2.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ff27bbf69a

Fedora Update System 2019-12-04 15:29:46 UTC

FEDORA-2019-ff27bbf69a has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ff27bbf69a

Fedora Update System 2019-12-05 01:23:23 UTC

nss-3.47.1-4.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ff27bbf69a

Fedora Update System 2019-12-05 02:01:08 UTC

nss-3.47.1-4.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8fbc65ef9e

william.garber 2019-12-06 00:31:28 UTC

Created firefox about:config page note security settings please.

william.garber 2019-12-06 00:33:50 UTC

just added about:config web page.
can anyone see anything unusual about settings under security?
most notably ones in boldface which are the non-default settings.

I assume that may be where the problem is.
this is version 71.0 of firefox on fedora 31.
The original problem is still persisting.

Fedora Update System 2019-12-11 01:32:25 UTC

nss-3.47.1-4.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Fedora Update System 2019-12-11 02:06:07 UTC

nss-3.47.1-4.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Daiki Ueno 2020-01-02 14:38:47 UTC

(In reply to william.garber from comment #77)
> just added about:config web page.
> can anyone see anything unusual about settings under security?
> most notably ones in boldface which are the non-default settings.
>
> I assume that may be where the problem is.
> this is version 71.0 of firefox on fedora 31.
> The original problem is still persisting.

I would suggest the same as:
https://bugzilla.redhat.com/show_bug.cgi?id=1752303#c72

i.e., run firefox under:

  P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5"

and attach the log here.
It might also be worthwhile to check with a fresh firefox profile (firefox -P):
https://bugzilla.redhat.com/show_bug.cgi?id=1752303#c76

william.garber 2020-01-02 15:23:34 UTC

Created
P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" firefox > firefox.log 2>&1

P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" firefox > firefox.log 2>&1

william.garber 2020-01-02 15:25:17 UTC

it is working as of

  garberw@electron> firefox --version
  Mozilla Firefox 71.0
  garberw@electron>

as far as I can tell. but then this is an intermittent bug.

Daiki Ueno 2020-01-02 15:27:13 UTC

(In reply to william.garber from comment #81)
> Created
> P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" firefox > firefox.log 2>&1
>
> P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" firefox > firefox.log 2>&1

I should have been clear that I need a log *when it fails to load*. The log looks sane to me.

william.garber 2020-01-02 15:48:36 UTC

could this problem have been caused by either of the packages
lynis
clamav
which I recently removed??? I will try to investigate.
They were left at default configuration (no custom configuration).

Daiki Ueno 2020-01-02 15:51:31 UTC

(In reply to william.garber from comment #84)
> could this problem have been caused by either of the packages
> lynis
> clamav
> which I recently removed??? I will try to investigate.
> They were left at default configuration (no custom configuration).

I don't think so. Have you tried with a fresh profile as I suggested in comment 80?

william.garber 2020-01-03 16:25:51 UTC

Daiki Ueno: comment 85:
It is working now, see comment 82. firefox is current version 71.0 from repository. I can no longer reproduce the bug, sorry, so there is no way of testing it. When it was NOT working I had tried it with a fresh profile and it did not fix it. So far pending any future updates that break it again, the bug is fixed. I never figured out what was wrong.

Daiki Ueno 2020-01-03 16:34:15 UTC

OK, thank you for the information.
Let's close this bug for now; feel free to reopen or file a new bug if it happens again.
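
A check to go with the alternatives workaround posted earlier in this thread, added here as an example (it is not code from any commenter or from Fedora): it prints the symlink chain behind a libnssckbi.so path, then the digest and owning package of the file that is finally loaded. The function names and the script name trustmod.sh are made up for the example; only /usr/lib64/libnssckbi.so comes from the thread.

```shell
#!/bin/sh
# Added example: show which file a libnssckbi.so path really resolves to.
# Usage (path taken from the thread): sh trustmod.sh /usr/lib64/libnssckbi.so

# Print every hop of a symlink chain; the last line is the file that is loaded.
resolve_chain() {
    cur=$1
    hops=0
    while [ -L "$cur" ]; do
        printf '%s\n' "$cur"
        target=$(readlink "$cur") || return 1
        case $target in
            /*) cur=$target ;;                      # absolute link target
            *)  cur=$(dirname "$cur")/$target ;;    # relative to the link's directory
        esac
        hops=$((hops + 1))
        [ "$hops" -le 16 ] || { echo "symlink loop at $cur" >&2; return 1; }
    done
    [ -e "$cur" ] || { echo "dangling link: $cur" >&2; return 1; }
    printf '%s\n' "$cur"
}

# Print only the final file, or fail if the chain is broken.
active_module() {
    chain=$(resolve_chain "$1") || return 1
    printf '%s\n' "$chain" | tail -n 1
}

# Report chain, digest and owning package so a hand-installed module stands out.
module_report() {
    resolve_chain "$1" || return 1
    mod=$(active_module "$1") || return 1
    sha256sum "$mod"
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$mod" || echo "(unpackaged file: $mod)"
    fi
}

if [ $# -gt 0 ]; then
    module_report "$1"
fi
```

If the last line reports an unpackaged file, the browser's trust anchors are coming from a module that package updates will not replace, so record the digest and revisit the override once a fixed nss build is installed.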

