Bug 1648617 - firefox goes to "your connection is not secure" when visiting https://www.google.com
Summary: firefox goes to "your connection is not secure" when visiting https://www.goo...
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: 31
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Daiki Ueno
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1648615 (view as bug list)
Depends On:
Blocks: 1723561
TreeView+ depends on / blocked
 
Reported: 2018-11-11 02:03 UTC by william.garber
Modified: 2020-01-03 16:34 UTC (History)
30 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1723561 (view as bug list)
Environment:
Last Closed: 2020-01-03 16:34:15 UTC
Type: Bug


Attachments (Terms of Use)
certificate presumably of https://www.google.com/ that does not get recognized. (3.03 KB, text/plain)
2018-11-11 02:05 UTC, william.garber
no flags Details
firefox security certificate settings used. (91.51 KB, image/png)
2018-11-11 04:01 UTC, william.garber
no flags Details
certificate check website fails. (588.95 KB, image/png)
2018-11-11 04:07 UTC, william.garber
no flags Details
Firefox failing to connect to DuckDuckGo (91.90 KB, image/png)
2019-11-15 20:39 UTC, Michel Alexandre Salim
no flags Details
firefox about:config page note security settings please. (457.26 KB, application/pdf)
2019-12-06 00:31 UTC, william.garber
no flags Details
P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" firefox > firefox.log 2>&1 (296.19 KB, text/plain)
2020-01-02 15:23 UTC, william.garber
no flags Details

Description william.garber 2018-11-11 02:03:32 UTC
Description of problem:

nine times out of ten when I open firefox it goes to a page saying "your connection is not secure" when visiting https://www.google.com/
If I hit alt-home to go to the home page (google) about ten times, on the
tenth time approximately it will load google successfully.
Then it works fine for a few times.  If I launch a separate instance
of the browser it works okay.  Then if I close firefox and
do not use it for a while it goes back to the original state of not working.

Version-Release number of selected component (if applicable):
firefox-63.0.1-5.fc29.x86_64

How reproducible:
as above.  leave the web browser not running for a while then start it up.
very frequently happens.


Steps to Reproduce:
1. start web browser, assuming home page is https://www.google.com
2. 
3.

Actual results:
Your connection is not secure

The owner of www.google.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

Learn more…

Report errors like this to help Mozilla identify and block malicious sites

www.google.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

Error code: SEC_ERROR_UNKNOWN_ISSUER

clicking on SEC_ERROR_UNKNOWN_ISSUER gives the certificate shown
in the attachment.

Also firefox takes a long time to load.
Could have something to do with cookie settings.

Expected results:
prompt startup of firefox and load google homepage.

Additional info:
see attached certificate.
There are tons of error reports on the firefox website pertaining to this.
looks like jscher2000 does not think something is wrong and thinks firefox
is configured incorrectly, but lots of people were complaining about this.
Note:  I noticed that very briefly when firefox loads up, it flashes on the
screen one of those firefox home pages that you get when you first install
or upgrade firefox.  Since this is a recently upgraded fedora from 28 to 29, 
I thought maybe it was getting stuck on that page (sort of like a 
splash screen after the upgrade).

Comment 1 william.garber 2018-11-11 02:05:37 UTC
Created attachment 1504266 [details]
certificate presumably of https://www.google.com/ that does not get recognized.

Comment 2 william.garber 2018-11-11 02:24:10 UTC
I set the homepage to "firefox default" and it loads the fedora homepage.
I think normally that goes away after the first time you see it, no?

Comment 3 william.garber 2018-11-11 02:46:42 UTC
garberw@electron> lsof -i
COMMAND  PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox 7657 garberw  107u  IPv6 101189      0t0  TCP electron:47954->nuq04s29-in-x04.1e100.net:https (ESTABLISHED)
firefox 7657 garberw  130u  IPv4 110195      0t0  TCP electron:55874->ec2-52-33-113-226.us-west-2.compute.amazonaws.com:https (ESTABLISHED)
firefox 7657 garberw  153u  IPv4 123044      0t0  TCP electron:53006->sfo07s13-in-f14.1e100.net:https (ESTABLISHED)
firefox 7657 garberw  155u  IPv6 134139      0t0  TCP electron:54886->sfo03s07-in-x0e.1e100.net:https (ESTABLISHED)
firefox 7657 garberw  160u  IPv6 138242      0t0  TCP electron:39680->[2606:4700:20::6819:1c69]:https (ESTABLISHED)
firefox 7657 garberw  161u  IPv4 141060      0t0  TCP electron:46154->72.21.91.29:http (ESTABLISHED)
firefox 7657 garberw  166u  IPv6 138243      0t0  TCP electron:47464->[2a04:fa87:fffe::c000:4902]:https (ESTABLISHED)
firefox 7657 garberw  167u  IPv6 135950      0t0  TCP electron:46444->sfo07s13-in-x0a.1e100.net:https (ESTABLISHED)
firefox 7657 garberw  168u  IPv6 135785      0t0  TCP electron:46432->sfo07s13-in-x0a.1e100.net:https (ESTABLISHED)
firefox 7657 garberw  171u  IPv6 135786      0t0  TCP electron:44702->[2606:4700:30::681b:be68]:https (ESTABLISHED)
firefox 7657 garberw  172u  IPv6 138252      0t0  TCP electron:55254->nuq04s29-in-x03.1e100.net:https (ESTABLISHED)
garberw@electron> 


that ipv6 address is spinasale.com.
does this mean spinasale.com has hacked me?
the only thing open was google in firefox.

Comment 4 william.garber 2018-11-11 04:01:41 UTC
Created attachment 1504280 [details]
firefox security certificate settings used.

all defaults.  NOTE:  maybe the timeout setting is not large enough?

Comment 5 william.garber 2018-11-11 04:04:00 UTC
looks like a problem on google's end?
https://certificate.revocationcheck.com/www.google.com

Comment 6 william.garber 2018-11-11 04:07:40 UTC
Created attachment 1504281 [details]
certificate check website fails.

looks like a bug on google's side?

Comment 8 william.garber 2018-11-11 04:50:19 UTC
https://www.theregister.co.uk/2018/02/07/beware_the_coming_chrome_certificate_apocalypse/


something about symantec and google fighting over google's https policy
and symantec's issuing of certificates.

Comment 9 william.garber 2019-02-03 04:09:46 UTC
when I start firefox especially after a firefox upgrade I get the above error with the "your connection is not secure" message.
Then I can either press the "Learn more" button which is described above or "Back".  
I found out that if you press the other button "Back" it takes me to https://start.fedoraproject.org; 
if I press the back button on firefox it takes me to the first web page in the "stack"
which is my home page https://www.google.com which loaded; but if I try a google search it does not work.
The only place I could find
https://start.fedoraproject.org
in any configuration files is in
/usr/lib64/firefox/browser/omni.ja
/usr/lib64/firefox/browser/defaults/preferences/firefox-redhat-default-prefs.js
/usr/lib64/firefox/browser/defaults/preferences/

The bug is that when you upgrade firefox it shows this default the first time you open firefox.
It is SUPPOSED to go back to the default homepage I set for myself, https://www.google.com
on subsequent invocations of firefox.  But it does not.  Also it gives the security error.

Can someone please comment on this?
I can not use the web browser decently.

Also the firefox website said this may be due to an incorrectly set system clock or timezone.

Comment 10 Christian Stadelmann 2019-02-17 11:08:34 UTC
*** Bug 1648615 has been marked as a duplicate of this bug. ***

Comment 11 Christian Stadelmann 2019-02-17 11:14:50 UTC
Is your system time AND DATE correct? What does `$ date` give you when executed on the command line?

It looks like someone is messing with your internet connection and/or DNS server. Some ideas:
* Have you set a DNS server? Try a different one or get back to the default.
* Is your computer part of an untrusted network? Any public wifi is an untrusted network. Try a different (preferable cabled) network.
* Is your ISP or government messing with your network? If possible, try a different one ;)

Comment 12 william.garber 2019-02-18 18:25:50 UTC
yes my system time and date are correct.
I checked that the uefi is set to UTC and 
the system time and date from "date" command
are the local time (what I would expect).
the dns server was set to defaults.
I reset it to google's dns server for ipv4 and ipv6
and the problem persists.

there are tons of people reporting this problem.

Comment 13 william.garber 2019-02-18 22:02:50 UTC
garberw@electron> date
Mon Feb 18 14:01:10 PST 2019
garberw@electron> 


this seems to be a problem with firefox based on the firefox blogs.
there are lots of questions like this one I posted:

https://support.mozilla.org/en-US/questions/1248873#answer-1193593

Comment 15 william.garber 2019-02-18 23:03:45 UTC
I removed ~/.mozilla and did
# dnf remove firefox
# dnf install firefox
change home page to "custom" https://www.google.com 
was the only customization made.

and the problem decreased.  I started and closed firefox 30 times,
with no problem, but on the 30th time the problem came back.
I am running mate desktop and the shortcut for firefox has the
command "firefox %u".  I thought maybe this should be "firefox %s"
but that did not seem to fix it.

There always appears to be the web page "https://start.fedoraproject.org"
when you hit the "back" button on the error message.
when you hit the "left" button on the wep page "https://start.fedoraproject.org"
you get back to the original home page "https://www.google.com" but there
is no green lock indicating that it was not securely loaded.

Could I have some kind of security software installed that I have
forgotten or lost?  I doubt it.  I have heard that this security software
such as antivirus can cause problems that look like man-in-middle attacks.

Comment 16 Christian Stadelmann 2019-02-18 23:11:40 UTC
(In reply to william.garber from comment #15)
> […]
> Could I have some kind of security software installed that I have
> forgotten or lost?  I doubt it.  I have heard that this security software
> such as antivirus can cause problems that look like man-in-middle attacks.

That's quite common on Windows but I don't know of any such kind of "security" software on Linux. You probably don't have it ;)

Have you tried a different network? Maybe your network is being messed with.

Comment 17 william.garber 2019-02-18 23:56:32 UTC
before I go updating any certificates is it possible that the certificate for
https://start.fedoraproject.org 
is incorrect?  Seems more likely than the google certificate being incorrect.
Also it looks like you are trying to force me to use https://start.fedoraproject.org
as my homepage since it keeps coming up and is always associated with the bug.

what is this all about?
garberw@electron> cd /usr/lib64/firefox/
garberw@electron> grep -R start.fedoraproject.org
browser/defaults/preferences/firefox-redhat-default-prefs.js:pref("browser.startup.homepage",            "data:text/plain,browser.startup.homepage=https://start.fedoraproject.org/");
browser/defaults/preferences/firefox-redhat-default-prefs.js:pref("browser.newtabpage.pinned",           '[{"url":"https://start.fedoraproject.org/","title":"Fedora Project - Start Page"}]');
garberw@electron>

Comment 18 william.garber 2019-02-19 03:11:39 UTC
sure there's security software available for linux.
https://www.csoonline.com/article/3238884/linux/linux-antivirus-and-anti-malware-8-top-tools.html
some of it is even open source.
I would not use the commercial ones though.

Comment 19 william.garber 2019-02-19 20:49:54 UTC
I tried downloading and installing the certificates directly from
google (https://pki.goog/roots.pem) but this did nothing.  
If these certificates are not up to date I do not know
what to do.  It still did not work.

I next downloaded firefox directly from mozilla as a binary tarball
and ran it from my home directory.  I used the same ~/.mozilla 
as I normally use (not a default configuration) so it has the
homepage https://www.google.com.
I started firefox and exited firefox 60 times successfully 
indicating it is fixed.

Since it is fixed with my original configuration ~/.mozilla, this means
(1) there must be some problem in the fedora firefox rpm,
(2) perhaps as I originally guessed you are no longer allowing people to
set their own homepage to other than https://start.fedoraproject.org
and this is the problem
(3) your certificates are not up to date (I think I ruled this out).
(4) your standard "default" options in about:config which are different from the
mozilla default options in about:config might be a problem.

I also suspected that the OCSP query might have been timing out or
not completing some of the time but not always, but removing this option
in the security settings didn't make any difference.

Comment 20 Christian Stadelmann 2019-02-19 21:45:32 UTC
(In reply to william.garber from comment #19)
> Since it is fixed with my original configuration ~/.mozilla, this means
> (1) there must be some problem in the fedora firefox rpm,

probably not as I have never heard of it from any other fedora user

> (2) perhaps as I originally guessed you are no longer allowing people to
> set their own homepage to other than https://start.fedoraproject.org
> and this is the problem

probably not as many people have different start pages

> (3) your certificates are not up to date (I think I ruled this out).

probably not as nobody else complains about this bug.

> (4) your standard "default" options in about:config which are different from
> the
> mozilla default options in about:config might be a problem.

There is not much changed from the defaults.
 
> I also suspected that the OCSP query might have been timing out or
> not completing some of the time but not always, but removing this option
> in the security settings didn't make any difference.

I have enabled security.OCSP.require=true and have not seen many issues.


All what you report here looks like there is some different (seemingly unrelated) issue.

Comment 21 Gerald Cox 2019-03-13 21:38:41 UTC
I've been getting the same thing from time to time when starting Fx and displaying the Fedora Home Page:

Your connection is not secure

The owner of start.fedoraproject.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

Comment 22 Martin Stransky 2019-03-14 09:03:58 UTC
Moving to nss as it handles the certificates at Firefox.

Comment 23 Daiki Ueno 2019-05-16 15:23:55 UTC
Does anyone still see this?  For me it occasionally had happened, but I can no longer reproduce it with the latest Firefox.

I see a similar bug in upstream:
https://bugzilla.mozilla.org/show_bug.cgi?id=1530429
Adam, could you confirm?

Comment 24 Adam Williamson 2019-05-21 23:15:23 UTC
I don't think I ever saw this one myself...unless it's the same as https://bugzilla.mozilla.org/show_bug.cgi?id=1530429 , maybe? Doesn't seem like it though.

Comment 25 Daiki Ueno 2019-05-22 03:30:22 UTC
Are you still seeing https://bugzilla.mozilla.org/show_bug.cgi?id=1530429 with the recent firefox updates?

Comment 26 Adam Williamson 2019-05-22 15:23:25 UTC
Good question! It seems like the answer is "no": the most recent occurrences I can find were on 2019-03-22 and 2019-03-20 (for F29 and F30). Doesn't seem to have happened one time since then.

Comment 27 william.garber 2019-05-28 01:51:41 UTC
The problem had completely gone away a few months ago.  
Strangely, as soon as you asked me "Are you still seeing this?"
I started getting the same error message over and over again
when I started up firefox.  It seems like some kind of practical joke.
The bug must have been fixed then reintroduced with a recent
update to fedora's firefox.
Note:  I replaced fedora firefox with firefox directly from mozilla,
which should be installed in your home directory.  
The firefox directly from mozilla had no problems of this nature.
This proves that the problem is definitely with fedora's packaging
of firefox, and as I suggested before it probably has something to
do with fedora trying to force you to use their homepage.
This is extremely annoying.

Comment 28 Adam Williamson 2019-05-28 06:25:42 UTC
It's hardly "forcing" anything, it's just a default. You can change it through the settings perfectly normally.

Comment 29 Daiki Ueno 2019-05-28 11:09:33 UTC
(In reply to william.garber from comment #27)
> The problem had completely gone away a few months ago.  
> Strangely, as soon as you asked me "Are you still seeing this?"
> I started getting the same error message over and over again
> when I started up firefox.  It seems like some kind of practical joke.

Certainly it's not intentional; I still cannot reproduce it even after upgrading to F-30 and to the latest Firefox and NSS packages.

> The bug must have been fixed then reintroduced with a recent
> update to fedora's firefox.

Do you have the exact version numbers of the installed packages when it happened (firefox, nss, p11-kit)?

Comment 30 william.garber 2019-05-28 11:22:27 UTC
garberw@electron> rpm -qa | grep firefox
firefox-67.0-4.fc30.x86_64
firefox-debuginfo-66.0.3-1.fc30.x86_64
firefox-debugsource-66.0.3-1.fc30.x86_64
garberw@electron> rpm -qa | grep nss
nss-3.44.0-2.fc30.x86_64
compat-openssl10-pkcs11-helper-1.22-8.fc30.x86_64
xmlsec1-openssl-1.2.27-2.fc30.x86_64
nss-softokn-3.44.0-2.fc30.x86_64
openssh-clients-8.0p1-2.fc30.x86_64
mod_dnssd-0.6-20.fc30.x86_64
nss-util-3.44.0-2.fc30.x86_64
openssh-server-8.0p1-2.fc30.x86_64
jansson-2.12-2.fc30.x86_64
openssh-8.0p1-2.fc30.x86_64
nss-pem-1.0.5-1.fc30.x86_64
nss-tools-3.44.0-2.fc30.x86_64
xmlsec1-nss-1.2.27-2.fc30.x86_64
nss-sysinit-3.44.0-2.fc30.x86_64
nss-mdns-0.14.1-3.fc30.x86_64
mathjax-sansserif-fonts-2.7.4-4.fc30.noarch
libknet1-crypto-nss-plugin-1.9-1.fc30.x86_64
openssl-libs-1.1.1b-5.fc30.x86_64
openssl-1.1.1b-5.fc30.x86_64
compat-openssl10-1.0.2o-5.fc30.x86_64
openssl-devel-1.1.1b-5.fc30.x86_64
nss-softokn-freebl-3.44.0-2.fc30.x86_64
apr-util-openssl-1.6.1-10.fc30.x86_64
openssl-pkcs11-0.4.10-1.fc30.x86_64
libsss_nss_idmap-2.1.0-2.fc30.x86_64
garberw@electron> rpm -qa | grep pll-kit
garberw@electron> 

Again, the symptom is that it goes to the web page that says there is a security problem,
and if I press the "back" button in firefox it goes to the fedora start page.  Then if I
press the "back" button a second time it goes to https://www.google.com which is supposed
to be my home page.
That is why I think the fedora start page is being "forced" on me.

Comment 31 william.garber 2019-05-28 11:24:02 UTC
It's hardly "forcing" anything, it's just a default. You can change it through the settings perfectly normally.

Yes I did set my home page to https://www.google.com long ago and it is still that.

Comment 32 Adam Williamson 2019-05-28 15:03:25 UTC
Huh...then that definitely sounds like some kind of bug.

Comment 33 william.garber 2019-05-28 23:05:30 UTC
If I do 
# dnf remove firefox
# dnf install firefox
or likewise
# dnf reinstall firefox
the problem persists.
This system was upgraded from fedora 28 through 30.
Could there be some bad lingering configuration from 
previous distro releases?

Comment 34 Adam Williamson 2019-05-28 23:48:17 UTC
Sure - removing and reinstalling the app doesn't remove your local configuration, that is pretty standard for all apps on Linux. It would be interesting to know if the bug happens if you create a new user account and try with that, though.

Comment 35 william.garber 2019-05-29 00:46:05 UTC
Sure - removing and reinstalling the app doesn't remove your local configuration, that is pretty standard for all apps on Linux. It would be interesting to know if the bug happens if you create a new user account and try with that, though.

Yes I tried that at the time of the original bug posting.  I started with a blank ~/.mozilla and it did not help.  I have not tried it with this iteration of the bug.

Comment 36 william.garber 2019-05-29 00:48:07 UTC
If I do 
# dnf remove firefox
# dnf install firefox
or likewise
# dnf reinstall firefox
the problem persists.
This system was upgraded from fedora 28 through 30.
Could there be some bad lingering configuration from 
previous distro releases?


What I meant was any settings in /etc and other global settings.  Could these have carried over from some old distro release?

Comment 37 Adam Williamson 2019-05-29 01:04:01 UTC
In theory, yeah, but there shouldn't really be anything there. If there is it would be in /etc/mozilla or /etc/firefox I guess.

Comment 38 Dirk Hoffmann 2019-06-05 09:05:35 UTC
For what it's worth, I tried to install and run firefox-66.0.5 and firefox-67.0.4, and prominent sites like google.com, fedoraproject.org and duckduckgo.com showed exactly the symptom of the OP:

"Your connection is not secure

The web site tried to negotiate an inadequate level of security.

bodhi.fedoraproject.org uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The web site administrator will need to fix the server first before you can visit the site.

Error code: NS_ERROR_NET_INADEQUATE_SECURITY"

Downgrading to firefox-62.0.3 got me back to work.

Comment 39 Dirk Hoffmann 2019-06-05 09:06:30 UTC
redhat.com (www.redhat.com) has this problem (with FF62/63), but not bugzilla.redhat.com.

Comment 40 Dirk Hoffmann 2019-06-05 09:08:53 UTC
And I tried disabling Add-ons. No change.

Comment 41 Daiki Ueno 2019-06-05 09:33:02 UTC
(In reply to Dirk Hoffmann from comment #38)
> For what it's worth, I tried to install and run firefox-66.0.5 and
> firefox-67.0.4, and prominent sites like google.com, fedoraproject.org and
> duckduckgo.com showed exactly the symptom of the OP:

It doesn't exactly look the same.  The error code in the original report is SEC_ERROR_UNKNOWN_ISSUER, while you are seeing NS_ERROR_NET_INADEQUATE_SECURITY.
Could you try again with a fresh profile or as a new user?  Also please provide the exact package versions including the Fedora release.

Comment 42 Dirk Hoffmann 2019-06-05 09:49:22 UTC
(In reply to Daiki Ueno from comment #41)
> It doesn't exactly look the same.  The error code in the original report is
> SEC_ERROR_UNKNOWN_ISSUER, while you are seeing
> NS_ERROR_NET_INADEQUATE_SECURITY.

You are right, I overlooked this detail.

My Fedora release is the one indicated on top of the ticket (29) and the Firefox package(s) the latest available (66/67), as mentioned in comment #38: 
> For what it's worth, I tried to install and run firefox-66.0.5 and
> firefox-67.0.4, and prominent sites like google.com, fedoraproject.org and
> duckduckgo.com showed [...]


https://www.reddit.com/r/debian/comments/bvxqqo/debian_unstable_firefox_67_ns_error_net/ brought me to the solution: After 
 sudo dnf upgrade nss
I can browse to all sites with firefox-67 now. 

Sorry, if I hijacked this ticket. Maybe other reporters can try as well, if this recipe solves their situations (and give feedback here!).

I asked packagers on bodhi to add the appropriate dependency to the firefox packages.

Comment 43 william.garber 2019-06-06 20:46:24 UTC
I tried it with a fresh profile several times and the problem persists.

Comment 44 Dirk Hoffmann 2019-06-06 21:17:42 UTC
OK, thanks. And I see that you had nww-3.44 already (as reported above).

So it's a cannot-reproduce for me then.

Good luck!

Comment 45 Daiki Ueno 2019-06-07 10:00:39 UTC
(In reply to william.garber from comment #43)
> I tried it with a fresh profile several times and the problem persists.

Could you tell me the actual steps you followed to do that?  I still can't reproduce what you are saying in comment 30.

In my case:
- firefox -P
- choose "Create Profile...", enter "New Profile", and press "Finish"
- select "New Profile" and press "Start Firefox"
- open menu and select "Preferences"
- select "Home" pane
- select "Custom URLs..." for "Homepage and new windows"
- enter "https://www.google.com"
- close firefox and restart
- see https://www.google.com is successfully loaded and enter some URL on the address bar

Comment 46 Dirk Hoffmann 2019-06-07 13:27:19 UTC
For what it is worth, and because we are talking about Fedora 29 and Firefox 67 here.

Today morning, after changing nothing else (a reboot maybe, as opposed to the usual hibernate/sleep during the night), my firefox showed only "blank pages". It looked like the pages were loaded (progress bar, address field update), but only a blank, white window was shown, even after a reload for pages which were still nicely in the cache). 

I quickly tried "dnf upgrade firefox":
Packages Altered:
    Upgrade  firefox-67.0-4.fc29.x86_64 @updates
    Upgraded firefox-67.0-2.fc29.x86_64 @@System
and it works again!

Such a sub-minor release number seems to make all the difference. The package is obviously not in a very stable state currently.

So try "dnf upgrade firefox", @william.garber, it may change your UX.

Anyway, after consulting some colleagues with identical hardware, I will also move to Fedora30 today or tomorrow and not be able to help you here any more. Bye-bye and good luck!

Comment 47 william.garber 2019-06-07 14:16:41 UTC
I have upgraded to fedora core 30 as soon as it came out.
To test it I created a completely new account and ran firefox
from there.
Still had the problem.

Comment 48 Daiki Ueno 2019-06-07 16:04:44 UTC
(In reply to william.garber from comment #47)
> I have upgraded to fedora core 30 as soon as it came out.
> To test it I created a completely new account and ran firefox
> from there.

And did you follow the exact same steps of comment 45 after 'open menu and select "Preferences"'?
As the issue is not reproducible on my side, I need the precise information what you actually did.

See https://www.chiark.greenend.org.uk/~sgtatham/bugs.html for better bug reporting.

Comment 49 william.garber 2019-06-07 22:22:08 UTC
By new account I mean I created a new user so everything was completely from scratch.
Since you requested it I will also do this:

- firefox -P
- choose "Create Profile...", enter "Next", and press "Finish"
- Start Firefox
- open menu and select "Preferences"
- select "Home" pane
- select "Custom URLs..." for "Homepage and new windows"
- enter "https://www.google.com"
- close firefox and restart
- see https://start.fedoraproject.org
- repeat previous steps from "Start Firefox" until reset https://www.google.com as home page again
- eventually after repeating 3 times see https://www.google.com is successfully loaded
- close firefox
- open firefox and see https://www.google.com is successfully loaded
- repeat last two steps about 3 or 4 times
- error message occurs again.
- repeat last two steps ; every so often error message occurs.

I also noticed that this file had been fiddled with (when trying to fix this a long time ago) but you can see from the diff below that it is presently unchanged from the original version from fedora:

root@electron# ls
firefox-redhat-default-prefs.js  firefox-redhat-default-prefs.js.orig
root@electron# pwd
/usr/lib64/firefox/browser/defaults/preferences
root@electron# diff firefox-redhat-default-prefs.js firefox-redhat-default-prefs.js.orig 
root@electron#

Comment 50 Martin Bukatovic 2019-10-31 12:29:49 UTC
I see this problem in one of my many firefox profiles with firefox-70.0-1.fc30.x86_64

Comment 51 Martin Stransky 2019-10-31 13:37:06 UTC
I wonder if it's a variant of Bug 1752303.

Comment 52 Ben Cotton 2019-10-31 18:42:33 UTC
This message is a reminder that Fedora 29 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 29 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 53 Dirk Hoffmann 2019-10-31 19:37:38 UTC
Ben Cotton, as written above, the problem is still present in Fedora 30. Please update the version field.

And I confirm  Martin Bukatovic's report. When my system upgraded to FF70, I had some major site (but not all) triggering "certificate problems" (making the site totally unusable). Downgrading to FF66 seems to solve it. (There seems to be no package FF67 any more in the Fedora30 repository, at least not seen with "dnf"). The previously installed version was FF69 though. Today:
Error: Unable to find a match: firefox-69.0-2.fc30.x86_64

So is the best advice one can give to users: Better install Firefox without using the Fedora repo, directly from Mozilla? https://www.mozilla.org/firefox/new/

Comment 54 william.garber 2019-10-31 19:58:08 UTC
you could try:
dnf downgrade firefox

and in /etc/dnf/dnf.conf

exclude=firefox

only problem is you will not get any security updates.

Comment 55 Martin Stransky 2019-10-31 22:41:03 UTC
I'm going to create a test build with in-tree nss to check if that fixes this issue.

Comment 56 Martin Stransky 2019-10-31 22:45:20 UTC
(In reply to Martin Stransky from comment #55)
> I'm going to create a test build with in-tree nss to check if that fixes
> this issue.


Added to firefox-70.0-2 builds.

Comment 57 Martin Stransky 2019-11-01 10:10:11 UTC
New test builds are available here:

F30: https://koji.fedoraproject.org/koji/taskinfo?taskID=38697234
F31: https://koji.fedoraproject.org/koji/taskinfo?taskID=38697225

please check them if you see any issue. It uses in-tree nss so you loose nss system certificate integration which causes the bug we see here.
I guess you may see bug 1766340 with the builds above as it does not use system wide certs AFAIK.

Comment 58 Adam Williamson 2019-11-01 15:11:59 UTC
"I guess you may see bug 1766340 with the builds above as it does not use system wide certs AFAIK."

That seems like a *major major* problem for a browser. I'm really not sure it'd be an improvement to do that, overall.

Comment 59 Martin Stransky 2019-11-01 15:37:49 UTC
(In reply to Adam Williamson from comment #58)
> "I guess you may see bug 1766340 with the builds above as it does not use
> system wide certs AFAIK."
> 
> That seems like a *major major* problem for a browser. I'm really not sure
> it'd be an improvement to do that, overall.

We don't ship that yet, this is a test build only. As I'm not an nss expert please test the builds for any regression.

Comment 60 william.garber 2019-11-04 03:04:46 UTC
I am still getting this bug in fedora 31.
Am I simply configuring something wrong?
The bug goes away if you do "dnf downgrade firefox".

Comment 61 Michel Alexandre Salim 2019-11-15 20:39:08 UTC
I'm seeing this with DuckDuckGo today - and people at work have been reporting similar issues with other sites with DigiCert certificates (e.g. Reddit). They reported that downgrading to Firefox < 70 work.

Going to try the test build and see if that helps.

Comment 62 Michel Alexandre Salim 2019-11-15 20:39:50 UTC
Created attachment 1636614 [details]
Firefox failing to connect to DuckDuckGo

Comment 63 Michel Alexandre Salim 2019-11-15 22:59:11 UTC
Tried the firefox-70.0-2.fc31 test build, it works once -- then after restarting the machine the problem reoccured (going to DDG results in the DigiCert certificate being reported as untrusted).

People at work reported that starting with a fresh profile resolved the issue. For me, I tried uninstalling Firefox and reinstalling the released update (70.0-1.fc31) and... surprisingly opening DDG is fine again. Something might be wrong on the Firefox side.

Comment 64 Lukas Zapletal 2019-11-20 15:20:04 UTC
I started seeing both invalid CA error or DigiCert Global Root CA problem after upgrade to Fedora 31 over the weekend. Firefox restart helped me to survive the day however DigiCert is used for https://bluejeans.com website which is key for my work. Any workaround appreciated.

Comment 65 Florian Weimer 2019-11-20 15:28:22 UTC
FWIW, I saw this on Fedora 30 once, but it was intermittent. Not sure anymore if it was with firefox-70.0-1.fc30 or firefox-70.0.1-4.fc30, or nss-3.47.0-2.fc30 or nss-3.47.0-3.fc30. But the issue does not seem to be specific to Fedora 31.

Comment 66 Daiki Ueno 2019-11-20 16:03:46 UTC
(In reply to Lukas Zapletal from comment #64)
> I started seeing both invalid CA error or DigiCert Global Root CA problem
> after upgrade to Fedora 31 over the weekend. Firefox restart helped me to
> survive the day however DigiCert is used for https://bluejeans.com website
> which is key for my work. Any workaround appreciated.

Sorry for the inconvenience. Until we figure out where is the problem, you could temporarily enable alternatives for libnssckbi.so.x86_64 with libnssckbi.so from the upstream binary release or one of the Martin's scratch builds with in-tree NSS:
  sudo alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 .../libnssckbi.so 10
  sudo alternatives --set libnssckbi.so.x86_64 .../libnssckbi.so

Comment 67 Christof Efkemann 2019-11-20 16:17:32 UTC
I have observed this problem both on Fedora 30 and Fedora 31, with and without in-tree NSS.
However, I would like to point out that I have only ever observed the problem on sites using Akamai as a CDN, i.e. sites which resolve to something like ...akamaiedge.net (as you can see for instance with the bluejeans.com site mentioned before).

$ host www.bluejeans.com
www.bluejeans.com is an alias for www.bluejeans.com.edgekey.net.
www.bluejeans.com.edgekey.net is an alias for e7264.dscb.akamaiedge.net.
e7264.dscb.akamaiedge.net has address 104.102.43.181
e7264.dscb.akamaiedge.net has IPv6 address 2a02:26f0:6b:28a::1c60
e7264.dscb.akamaiedge.net has IPv6 address 2a02:26f0:6b:2b1::1c60

Comment 68 william.garber 2019-11-20 17:23:31 UTC
I am still seeing the original bug on fedora 31 (I am the original poster);
It is present in firefox and the version of firefox you get from
"yum downgrade firefox".

Comment 69 Lukas Zapletal 2019-11-22 07:42:32 UTC
Daiki, thanks for the instructions. Unfortunately Martin's scratch build has been cleaned up already. I do not understand the other alternative, can you give me exact instructions? What .../libnssckbi.so does suppose to mean?

Thanks a bunch

Comment 70 Daiki Ueno 2019-11-22 13:54:26 UTC
(In reply to Lukas Zapletal from comment #69)
> Daiki, thanks for the instructions. Unfortunately Martin's scratch build has
> been cleaned up already. I do not understand the other alternative, can you
> give me exact instructions? What .../libnssckbi.so does suppose to mean?

I meant to extract libnssckbi.so from the upstream release tarball, put it somewhere on the system, and run the alternatives commands.

However, this is turning out to be a timing issue, and it might not fix your problem, depending on the environment:
https://bugzilla.mozilla.org/show_bug.cgi?id=1593167
I've triggered a scratch-build with a work around (use it at your own risk):
https://koji.fedoraproject.org/koji/taskinfo?taskID=39198147

Comment 71 Fedora Update System 2019-11-29 06:14:23 UTC
FEDORA-2019-ff27bbf69a has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ff27bbf69a

Comment 72 Fedora Update System 2019-11-30 01:19:45 UTC
nss-3.47.1-2.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ff27bbf69a

Comment 73 Fedora Update System 2019-12-04 15:29:46 UTC
FEDORA-2019-ff27bbf69a has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ff27bbf69a

Comment 74 Fedora Update System 2019-12-05 01:23:23 UTC
nss-3.47.1-4.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ff27bbf69a

Comment 75 Fedora Update System 2019-12-05 02:01:08 UTC
nss-3.47.1-4.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8fbc65ef9e

Comment 76 william.garber 2019-12-06 00:31:28 UTC
Created attachment 1642485 [details]
firefox about:config page note security settings please.

Comment 77 william.garber 2019-12-06 00:33:50 UTC
just added about:config web page.
can anyone see anything unusual about settings under security?
most notably ones in boldface which are the non-default settings.

I assume that may be where the problem is.
this is version 71.0 of firefox on fedora 31.
The original problem is still persisting.

Comment 78 Fedora Update System 2019-12-11 01:32:25 UTC
nss-3.47.1-4.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 79 Fedora Update System 2019-12-11 02:06:07 UTC
nss-3.47.1-4.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 80 Daiki Ueno 2020-01-02 14:38:47 UTC
(In reply to william.garber from comment #77)
> just added about:config web page.
> can anyone see anything unusual about settings under security?
> most notably ones in boldface which are the non-default settings.
> 
> I assume that may be where the problem is.
> this is version 71.0 of firefox on fedora 31.
> The original problem is still persisting.

I would suggest the same as:
https://bugzilla.redhat.com/show_bug.cgi?id=1752303#c72
i.e., run firefox under: P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" and attach the log here.

It might also be worthwhile to check with a fresh firefox profile (firefox -P):
https://bugzilla.redhat.com/show_bug.cgi?id=1752303#c76

Comment 81 william.garber 2020-01-02 15:23:34 UTC
Created attachment 1649214 [details]
P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" firefox > firefox.log 2>&1

P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" firefox > firefox.log 2>&1

Comment 82 william.garber 2020-01-02 15:25:17 UTC
it is working as of 
garberw@electron> firefox --version
Mozilla Firefox 71.0
garberw@electron> 

as far as I can tell.
but then this is an intermittent bug.

Comment 83 Daiki Ueno 2020-01-02 15:27:13 UTC
(In reply to william.garber from comment #81)
> Created attachment 1649214 [details]
> P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" firefox > firefox.log 2>&1
> 
> P11_KIT_DEBUG=trust MOZ_LOG="certverifier:5" firefox > firefox.log 2>&1

I should have been clear that I need a log *when it fails to load*. The log looks sane to me.

Comment 84 william.garber 2020-01-02 15:48:36 UTC
could this problem have been caused by either of the packages
lynis
clamav
which I recently removed???  I will try to investigate.
They were left at default configuration (no custom configuration).

Comment 85 Daiki Ueno 2020-01-02 15:51:31 UTC
(In reply to william.garber from comment #84)
> could this problem have been caused by either of the packages
> lynis
> clamav
> which I recently removed???  I will try to investigate.
> They were left at default configuration (no custom configuration).

I don't think so. Have you tried with a fresh profile as I suggested in comment 80?

Comment 86 william.garber 2020-01-03 16:25:51 UTC
Daiki Ueno:  comment 85:
It is working now, see comment 82.
firefox is current version 71.0 from repository.
I can no longer reproduce the bug, sorry, so there is no 
way of testing it.
When it was NOT working I had tried it with a fresh profile
and it did not fix it.
So far pending any future updates that break it again,
the bug is fixed.
I never figured out what was wrong.

Comment 87 Daiki Ueno 2020-01-03 16:34:15 UTC
OK, thank you for the information.  Let's close this bug for now; feel free to reopen or file a new bug if it happens again.


Note You need to log in before you can comment on or make changes to this bug.