Bug 221767 - You have received an invalid certificate
Summary: You have received an invalid certificate
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 6
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Christopher Aillon
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-01-07 20:17 UTC by Dan Williams
Modified: 2007-11-30 22:11 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2007-01-16 15:04:23 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
alert dialog that smacks me down (17.46 KB, image/png)
2007-01-07 20:17 UTC, Dan Williams
no flags Details
openssl s_client dump of certificate (1.77 KB, text/plain)
2007-01-07 20:23 UTC, Dan Williams
no flags Details

Description Dan Williams 2007-01-07 20:17:50 UTC
Happens in both Firefox and Epiphany.  Does _not_ happen with Safari on Mac OS X
10.4.8, or IE 7 under Windows.

My Linksys WRT54G (with recent firmware, one revision before most recent) can
use HTTPS for the admin interface.  Evidently, the certificate has expired, but
that appears not to be the full problem.  Basically, I can't get to the admin
interface to configure the router and upgrade the firmware (if that upgrade even
fixes the problem, which I don't know if it does!) because I get smacked down
every time I go there with FF.

Full message:

"Your certificate contains the same serial number as another certificate issued
by the certificate authority.  Please get a new certificate containing a unique
serial number."

FF should at _least_ give me the option of saying "OK, that's fine" and
continuing on.

Comment 1 Dan Williams 2007-01-07 20:17:54 UTC
Created attachment 145009 [details]
alert dialog that smacks me down

Comment 2 Dan Williams 2007-01-07 20:23:28 UTC
Created attachment 145010 [details]
openssl s_client dump of certificate

use:

openssl x509 -text < cert.log

to get the detailed dump of the certificate information.  The serial number of
the certificate is "0", it is self-signed, and the certificate is valid through
2015.

Comment 3 Kai Engert (:kaie) (inactive account) 2007-01-15 15:07:41 UTC
Dan,

the upstream maintainers of NSS make it clear, that they use the pair {issuer
name, serial number} of a cert as the primary key within the cert database. The
specs for x.509 require each CA must ensure such a duplicate cert never gets
issued. Because NSS relies on this uniqueness, it rejects any attempt to work
with such a cert.

Now the question is, how is it possible that you have a duplicate cert?

From a post at http://www.linksysinfo.org/forums/archive/index.php?t-33210.html
it seems that the problem has to do with a firmware update.

I have a theory: Did you ever use the "accept this certificate permanently"
feature of Firefox, when you were warned about an untrusted certificate?

If you did, your Firefox profile might have an earlier certificate stored. Maybe
Linksys shipped a different server certificate in their later firmware, which
contains the same issuer/serial number pair. This is unfortunate, but you can
most likely fix the problem.

Could you please use Firefox and go to Menu Edit / Prefs / Advanced / Security /
View Certificates / Web Sites?
Do you have a cert stored that looks like a linksys server cert? Yes? Then
delete it. Now please retry connecting to the router.

If this still doesn't work, please quit Firefox, and try to create a fresh
profile, just to be really sure your profile doesn't contain such a duplicate
cert without being shown. You can create a fresh cert by starting:
firefox -ProfileManager
Do you still get the error with that fresh profile? I bet you won't.

(If you still get the same error with a fresh profile, this would mean the
Linksys router sends you two different certs in a session, while both have same
isser/serial number. This would be completely broken behaviour.)

Please let me know which step was sufficient to solve your problem, thanks!

Comment 4 Dan Williams 2007-01-16 15:04:23 UTC
I _do_ have a certificate stored for this access point, actually.  Thanks for
the tip.  I haven't tried deleting it and reconnecting to the router yet because
I could not switch to wired at the time.

It appears that the certificate I have stored in FF and the certificate that the
router provided have both a different "Subject's Public Key" and a different
"Certificate Signature Value".  All other fields are identical.  So Linksys
screwed up, and I'll delete the saved cert in FF.

Thanks!


Note You need to log in before you can comment on or make changes to this bug.