Red Hat Bugzilla – Bug 221767
You have received an invalid certificate
Last modified: 2007-11-30 17:11:52 EST
Happens in both Firefox and Epiphany. Does _not_ happen with Safari on Mac OS X 10.4.8, or IE 7 under Windows. My Linksys WRT54G (with recent firmware, one revision before most recent) can use HTTPS for the admin interface. Evidently, the certificate has expired, but that appears not to be the full problem. Basically, I can't get to the admin interface to configure the router and upgrade the firmware (if that upgrade even fixes the problem, which I don't know if it does!) because I get smacked down every time I go there with FF. Full message: "Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number." FF should at _least_ give me the option of saying "OK, that's fine" and continuing on.
Created attachment 145009 [details] alert dialog that smacks me down
Created attachment 145010 [details] openssl s_client dump of certificate use: openssl x509 -text < cert.log to get the detailed dump of the certificate information. The serial number of the certificate is "0", it is self-signed, and the certificate is valid through 2015.
Dan, the upstream maintainers of NSS make it clear, that they use the pair {issuer name, serial number} of a cert as the primary key within the cert database. The specs for x.509 require each CA must ensure such a duplicate cert never gets issued. Because NSS relies on this uniqueness, it rejects any attempt to work with such a cert. Now the question is, how is it possible that you have a duplicate cert? From a post at http://www.linksysinfo.org/forums/archive/index.php?t-33210.html it seems that the problem has to do with a firmware update. I have a theory: Did you ever use the "accept this certificate permanently" feature of Firefox, when you were warned about an untrusted certificate? If you did, your Firefox profile might have an earlier certificate stored. Maybe Linksys shipped a different server certificate in their later firmware, which contains the same issuer/serial number pair. This is unfortunate, but you can most likely fix the problem. Could you please use Firefox and go to Menu Edit / Prefs / Advanced / Security / View Certificates / Web Sites? Do you have a cert stored that looks like a linksys server cert? Yes? Then delete it. Now please retry connecting to the router. If this still doesn't work, please quit Firefox, and try to create a fresh profile, just to be really sure your profile doesn't contain such a duplicate cert without being shown. You can create a fresh cert by starting: firefox -ProfileManager Do you still get the error with that fresh profile? I bet you won't. (If you still get the same error with a fresh profile, this would mean the Linksys router sends you two different certs in a session, while both have same isser/serial number. This would be completely broken behaviour.) Please let me know which step was sufficient to solve your problem, thanks!
I _do_ have a certificate stored for this access point, actually. Thanks for the tip. I haven't tried deleting it and reconnecting to the router yet because I could not switch to wired at the time. It appears that the certificate I have stored in FF and the certificate that the router provided have both a different "Subject's Public Key" and a different "Certificate Signature Value". All other fields are identical. So Linksys screwed up, and I'll delete the saved cert in FF. Thanks!