BillMal Your Lotus Pal

ICS/Lotus (mostly), Linux, Travel, Skiing, Mixology, and Random Musing of Interest
Archives Links Lotus on Linux Vendors Linux Sites Find me here… Skype Bleedyellow via Sametime	BillMal Your Lotus Pal ssl Sometimes Firefox Dislikes Self-signed Certs Bill Malchisky September 26 2013 06:00:00 PM Apparently, Firefox (FF) can and for no obvious reason just suddenly decide that it dislikes your self-signed certificate. When it does, it can make remote access challenging. If you are short for time, using another browser or another machine/vm may provide the access you need, but, does not resolve the underlying issue. Let me describe the situation and steps I took to resolve. I have a client where each autumn I have to renew their edge server's SSL certificate to ensure proper access to sensitive information. The past seven years, I performed pretty much the same procedure to remove the old browser stored certificate authority exception and allow FF to store permanently said exception update. Sounds simple, right? It is. This year though, I received the following error: `Secure Connection Failed An error occurred during a connection to {IP_Address}. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial`) Symptoms The error's root cause (underlined) and error code do make sense, but took a little research. Upon removing the old server certificate and certificate authorities' entry from within FF, the browser did not commit the changes. Thus, when you opened the View Certificates window again, the same certificate entries were there. This can provide the perception that the targeted server has the incorrect certificate installed. Accessing from another desktop that never routed to the target server previously worked perfectly and stored the correct certificate. Thus, it is a browser issue. What the underlined prose above stated is that you are storing cert {x} which has an associated ID, but is expired; however, you are going to a server with a new cert with the same associated ID and it can not purge the existing one, so you need to remove it first. Except the browser will not allow you to remove it. Hence the problem. Resolution What worked for me was to purge the cert8.db file and restart the browser. The customer's desktop OS was Ubuntu 12.04 LTS, as was mine. This same scenario is probable on Windows and included below; Mac was not tried at this time. 0. Close FF 1. Open a terminal window 2. Go to this directory: Linux -- `$ cd ~/.mozilla/firefox/{profile-name}.default` Windows -- `C:\Documents and Settings\{userID}\Application Data\Mozilla\Firefox\Profiles\{profile-name}.default` 3. Remove or rename this file: Linux -- `$ rm cert8.db` --OR-- `$ mv cert8.db cert8.db.bak` Windows -- `del cert8.db` --OR-- `ren cert8.db cert8.db.bak` 4. Restart Firefox Note: In rare cases, you may need to also remove the cert_override.txt file as well -- located in the same directory. Comments [0] Comments 1Michael Swartz 11/20/2014 4:26:32 AM Sometimes Firefox Dislikes Self-signed Certs Thanks for the instructions. I use Windows XP and your remedy fixed my problem. Subject: Name: Email: Website: Add Comment:	About me… Email me… Bill on Follow Bill on Twitter Feeds Content Feed Comment Feed Bill elsewhere… My presentations Blogroll Alan Lepofsky Andrew Pollack Ben Poole Bruce Elgort Carl Tyler Chris Miller Collaboration Girl Darren Duke Duffbert Ed Brill Gabriella Davis Joe Litton John Roling Kevin Pettitt Marie Scott Mary Beth Raven Matt White Notes Goddess Paul Mooney

| | |

© 2010 William Malchisky.