You are not logged in.

#26 2019-11-01 17:50:25

progandy
Member
Registered: 2012-05-17
Posts: 5,286

Re: [Solved] firefox-developer-edition blocks certain webseites

Maybe the firefox sandbox blocks access to the certificate directories?
You could try to play around with security.sandbox.content.read_path_whitelist

It is strange because I have no issues with FF70 here.

Edit: A related discussion in the clearlinux bugtracker: https://github.com/clearlinux/distribution/issues/1006

Last edited by progandy (2019-11-01 17:56:26)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#27 2019-11-01 18:18:42

dpx
Member
Registered: 2017-01-09
Posts: 48

Re: [Solved] firefox-developer-edition blocks certain webseites

progandy wrote:

It is strange because I have no issues with FF70 here.

Most annoying bit is that it is not consistent problem. Seven out of ten times it will fail on duckduckgo and reddit, other three it will work perfectly. I am programmer and such problems that fail or work sometimes, but not always, are most annoying. Related, I don't think it is sandboxing problem (or not exclusively related to sandboxing) because we would have consistent failure.

Offline

#28 2019-11-01 22:47:16

xman1
Member
Registered: 2019-04-29
Posts: 5

Re: [Solved] firefox-developer-edition blocks certain webseites

Can confirm the same problem is happening on Manjaro, Fedora, and Clearlinux.

https://forum.manjaro.org/t/digicert-in … e/109242/9

https://github.com/clearlinux/distribution/issues/1006

Offline

#29 2019-11-03 20:34:11

coolion
Member
Registered: 2019-11-02
Posts: 14

Re: [Solved] firefox-developer-edition blocks certain webseites

Hi,

I also can confirm the problem described in this thread. Firefox is complaining about the certificate of "DigiCert Global Root CA" when trying to open duckduckgo.com. Without doing anything specific, it just vanishes after a couple of minutes. It happens like one in ten or so.??

It is a bit annoying to try to search the internet for your problem when your beloved duckduckgo is not usable :-)

Is there another thread discussing this as well or why is this one tagged as "solved" ?

regards

Offline

#30 2019-11-03 20:37:17

loqs
Member
Registered: 2014-03-06
Posts: 18,633

Re: [Solved] firefox-developer-edition blocks certain webseites

@collion the topic starter sxe could no longer reproduce the issue https://bbs.archlinux.org/viewtopic.php … 8#p1850078

Offline

#31 2019-11-04 17:19:55

xman1
Member
Registered: 2019-04-29
Posts: 5

Re: [Solved] firefox-developer-edition blocks certain webseites

coolion wrote:

Hi,

I also can confirm the problem described in this thread. Firefox is complaining about the certificate of "DigiCert Global Root CA" when trying to open duckduckgo.com. Without doing anything specific, it just vanishes after a couple of minutes. It happens like one in ten or so.??

It is a bit annoying to try to search the internet for your problem when your beloved duckduckgo is not usable :-)

Is there another thread discussing this as well or why is this one tagged as "solved" ?

regards

Short term fix:
Firefox Preferences -> Security -> Certificate Manager -> DigiCert SHA2 Secure Server CA -> Edit Trust -> Enabled 'This certificate can identify websites.'

@loqs - Still a problem for me.

Last edited by xman1 (2019-11-04 17:20:38)

Offline

#32 2019-11-04 17:26:51

loqs
Member
Registered: 2014-03-06
Posts: 18,633

Re: [Solved] firefox-developer-edition blocks certain webseites

xman1 you could file a bug on the arch bug tracker against nss / p11-kit asking for the workaround for https://bugs.freedesktop.org/show_bug.cgi?id=66161 to be removed as it is no longer needed and resolves the issue
or you could file a bug on the arch bug tracker against firefox for the failing certificate detection.
Edit:
https://bugs.archlinux.org/task/64401

Last edited by loqs (2019-11-05 20:08:52)

Offline

#33 2019-11-06 22:17:13

xman1
Member
Registered: 2019-04-29
Posts: 5

Re: [Solved] firefox-developer-edition blocks certain webseites

New Firefox seems to have the problem fixed.  No need for the above workaround.

Offline

#34 2019-11-06 22:37:15

loqs
Member
Registered: 2014-03-06
Posts: 18,633

Re: [Solved] firefox-developer-edition blocks certain webseites

xman1 wrote:

New Firefox seems to have the problem fixed.  No need for the above workaround.

You mean firefox 70.0.1-1 which was updated 2019-10-31 15:10 UTC ?

Offline

#35 2019-11-07 19:40:31

Roken
Member
From: South Wales, UK
Registered: 2012-01-16
Posts: 1,325

Re: [Solved] firefox-developer-edition blocks certain webseites

I've had the same problem on FF 70.0.1, and as annoying as it can be, only on Netflix, but as with others, not consistently.

loq's solution doesn't fix it, but firefox-developer-edition does not do this, so for now that's what I'm using.


Ryzen 5900X 12 core/24 thread - RTX 3090 FE 24 Gb, Asus B550-F Gaming MB, 128Gb Corsair DDR4, Cooler Master N300 chassis, 5 HD (2 NvME PCI, 4SSD) + 1 x optical.
Linux user #545703

/ is the root of all problems.

Offline

#36 2019-11-09 18:53:46

loqs
Member
Registered: 2014-03-06
Posts: 18,633

Re: [Solved] firefox-developer-edition blocks certain webseites

Roken did my suggested solution behave identically to the official packages?
Off topic but have you abandoned https://bbs.archlinux.org/viewtopic.php?id=249520 ?

Offline

#37 2019-11-09 20:17:48

Roken
Member
From: South Wales, UK
Registered: 2012-01-16
Posts: 1,325

Re: [Solved] firefox-developer-edition blocks certain webseites

loqs wrote:

Roken did my suggested solution behave identically to the official packages?
Off topic but have you abandoned https://bbs.archlinux.org/viewtopic.php?id=249520 ?

Yes - but maybe symptomatic of my perms issues (https://bbs.archlinux.org/viewtopic.php?id=250589) since Firefox seems to be behaving now after fixes, so maybe just my own issue.

As for the offtopic, I hadn't seen your reply. My apologies - full reply over there.


Ryzen 5900X 12 core/24 thread - RTX 3090 FE 24 Gb, Asus B550-F Gaming MB, 128Gb Corsair DDR4, Cooler Master N300 chassis, 5 HD (2 NvME PCI, 4SSD) + 1 x optical.
Linux user #545703

/ is the root of all problems.

Offline

#38 2019-11-10 16:59:10

archibutor
Member
Registered: 2010-09-08
Posts: 7

Re: [Solved] firefox-developer-edition blocks certain webseites

Using `firefox 70.0.1-1`, `nss 3.47-1`

Experiencing this error every now-and-then. Sometimes it goes away when reloading the page, clearing Firefox's cache, or restarting Firefox.

Software is Preventing Firefox From Safely Connecting to This Site
duckduckgo.com is most likely a safe site, but a secure connection could not be established. This issue is caused by DigiCert Global Root CA, which is either software on your computer or your network.
...
Error code: MOZILLA_PKIX_ERROR_MITM_DETECTED

Took screenshots or said error and what it's certificate chain looked like: https://imgur.com/a/hG7MyTn

Clicking on the error code shows the following:

https://duckduckgo.com/?q=[snip]&t=ffab

Your connection is being intercepted by a TLS proxy. Uninstall it if possible or configure your device to trust its root certificate.

HTTP Strict Transport Security: true
HTTP Public Key Pinning: false

Certificate chain:

-----BEGIN CERTIFICATE-----
MIIGNTCCBR2gAwIBAgIQAx42ydSKbld6na9pgqdX4zANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkwODA5MDAwMDAwWhcN
MjAxMDMwMTIwMDAwWjBsMQswCQYDVQQGEwJVUzEVMBMGA1UECBMMUGVubnN5bHZh
bmlhMQ4wDAYDVQQHEwVQYW9saTEbMBkGA1UEChMSRHVjayBEdWNrIEdvLCBJbmMu
MRkwFwYDVQQDDBAqLmR1Y2tkdWNrZ28uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnhLg7QxkSHf5zsD69zJ2hCjACgedTlQUxsJmGR6+HuGD0nD+
8QbmAJvLK0aAd2xjAaXnMsBL2xv3UKwFaV7MwdYRps+7A9xG28IYEnSRuvNDI6BU
1HYDROkmXd5GdsVcpm7QorHuOOzQkZWeP5KZ5dNlVk0Zod5K/OCDl3foRI4LsCos
n2wWflTMTpiLEcePj2dngjR3rP4I5CDOxT7VO6FbWcmDkcVrDvOB6hlo1LLbo7D9
tVlr2s9xvsojACfngsnSt5oauKZKwJ26T5wgXujP0dHfiT511jgeu3KngBNcduSw
ztaeulkI3QNepz0oKJHCy2q+V/dQCW19HPAzewIDAQABo4IC8DCCAuwwHwYDVR0j
BBgwFoAUD4BhHIIxYdUvKOeNRji0LOHG2eIwHQYDVR0OBBYEFDZ2FTRXeBlxnbwd
3+tx/MUy9jFEMCsGA1UdEQQkMCKCECouZHVja2R1Y2tnby5jb22CDmR1Y2tkdWNr
Z28uY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwawYDVR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29t
L3NzY2Etc2hhMi1nNi5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNv
bS9zc2NhLXNoYTItZzYuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYI
KwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQIC
MHwGCCsGAQUFBwEBBHAwbjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNl
cnQuY29tMEYGCCsGAQUFBzAChjpodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20v
RGlnaUNlcnRTSEEyU2VjdXJlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwggEF
BgorBgEEAdZ5AgQCBIH2BIHzAPEAdwCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jj
d80OyA3cEAAAAWx2yZqGAAAEAwBIMEYCIQDwkGJA5Z6CWDIllP+bNPutX+FMeBCB
hdZU5OTEqGzXxgIhAO3wL/f46DTp/Jrj/qy/t5aqkK9JqNW9vSyc650JFD54AHYA
h3W/51l8+IxDmV+9827/Vo1HVjb/SrVgwbTq/16ggw8AAAFsdsma3QAABAMARzBF
AiARyWCMlZXy+hYExgrNU5STJA1uQo96jh0YjPorUYoUvAIhAPn7k5ozt5Qqcr5h
+uJVE89zFNHQBt8PYYSZBD8bMp47MA0GCSqGSIb3DQEBCwUAA4IBAQBwZ/rWYlo/
40esfCcbOlC42bs23CHjkVDhxGSz5VRcKUYcvahxLSEkcinPLnANP+UtUY+/FT82
Db3RSG80GZ/DS6k6b7mBXM3AjR7tyLoSHGd9tMcbDwqlZ14k7RKOoHH43n+U7b4d
dQd1/yK2NzSuayAWe2PFbMIzJfHxUJMEOgCWo8sF2n7DWKUHpoXqI9mNj+RZRP3O
oOw0La3XT3jhzGE9H/iyqxHU4d6EOpaihPd73iPb1a1Q/PMwDkaKnQhJvSuNOHmK
46vddp+b3deSpa9BuMN+1xNO47exzZZbIZpHiLH4J5akrFm18rDpOeMzEiPs5X/Y
zvpBRKsGo8Ss
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
-----END CERTIFICATE-----

Edit: Oh, and it's not just DuckDuckGo, other sites do this as well.

Last edited by archibutor (2019-11-10 17:00:30)

Offline

#39 2019-11-11 19:39:19

Ignotum Per Ignotius
Member
Registered: 2013-07-05
Posts: 1

Re: [Solved] firefox-developer-edition blocks certain webseites

Can confirm: same problem, same sites (DuckDuckGo & Reddit), and the problem is intermittent.

Offline

#40 2019-11-11 19:50:56

progandy
Member
Registered: 2012-05-17
Posts: 5,286

Re: [Solved] firefox-developer-edition blocks certain webseites

I wonder what are the mitm values in about:config when that error occurs?
security.certerrors.mitm*
security.pki.mitm*

Last edited by progandy (2019-11-11 19:51:08)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#41 2019-11-11 20:09:31

Roken
Member
From: South Wales, UK
Registered: 2012-01-16
Posts: 1,325

Re: [Solved] firefox-developer-edition blocks certain webseites

I don't know how likely this is, but since I fixed my file permissions in /usr/bin I've had no problems at all. It may be worth checking.


Ryzen 5900X 12 core/24 thread - RTX 3090 FE 24 Gb, Asus B550-F Gaming MB, 128Gb Corsair DDR4, Cooler Master N300 chassis, 5 HD (2 NvME PCI, 4SSD) + 1 x optical.
Linux user #545703

/ is the root of all problems.

Offline

#42 2019-11-14 12:26:05

loqs
Member
Registered: 2014-03-06
Posts: 18,633

Re: [Solved] firefox-developer-edition blocks certain webseites

progandy can you test with security.cert_pinning.enforcement_level=2

Offline

#43 2019-11-14 13:04:49

progandy
Member
Registered: 2012-05-17
Posts: 5,286

Re: [Solved] firefox-developer-edition blocks certain webseites

loqs wrote:

progandy can you test with security.cert_pinning.enforcement_level=2

A few days ago I tried it with level=1 and ddg as the homepage in a new profile and got no errors. I didn't use it again until now. On the first start today I got an HSTS error and accidentally reloaded without reading the complete error message. Now I can't get it to show up, even if I set the cert pinning level to 2.

Oh, by the way after I got the error,  "security.pki.mitm_canary_issuer" was set to "DigiCert SHA2 Secure Server CA" even after the ddg reloaded sucessfully. "security.pki.mitm_detected" was "false" after the reload. I restarted a few times with the canary issuer set without problems, then reset it to the empty string and everything is still working fine.

Last edited by progandy (2019-11-14 13:12:26)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#44 2019-11-14 15:25:45

loqs
Member
Registered: 2014-03-06
Posts: 18,633

Re: [Solved] firefox-developer-edition blocks certain webseites

I can not find a reliable reproducer either which makes debugging very difficult.
I believe the DigiCert SHA2 Secure Server CA is the only one affected as it used by *.mozilla.com and *.mozilla.org services.

https://bugs.archlinux.org/task/64401 is blocked by Opera's use of the old method.  Or until it can be proven it is no longer using it.

Offline

#45 2019-11-16 09:00:57

matte3560
Member
Registered: 2018-02-08
Posts: 5

Re: [Solved] firefox-developer-edition blocks certain webseites

I have been having this issue quite frequently lately. I found that deleting "DigiCert SHA2 Secure Server CA" from the Firefox certificate manager and restarting the browser consistently fixes the issue. It usually reoccurs when the browser is restarted a second time so it's not a permanent fix, but at least it does not involve manually trusting certificates or other sketchy solutions.

edit: I spoke too soon. Guess it was just a coincidence.

Last edited by matte3560 (2019-11-16 09:04:26)

Offline

#46 2019-11-16 16:25:58

john_dee
Member
Registered: 2019-11-16
Posts: 1

Re: [Solved] firefox-developer-edition blocks certain webseites

loqs wrote:

I can not find a reliable reproducer either which makes debugging very difficult.
I believe the DigiCert SHA2 Secure Server CA is the only one affected as it used by *.mozilla.com and *.mozilla.org services.

https://bugs.archlinux.org/task/64401 is blocked by Opera's use of the old method.  Or until it can be proven it is no longer using it.

loqs, I can reproduce it pretty consistently. Ten times out of ten to be precise.

1. Change home page in Firefox settings to https://duckduckgo.com.
2. Restart browser.
3. Open new tab and press home button.
4. Profit?... duckduckgo.com and reddit.com throw certificate error. Certificate chain shows only the last certificate.

Setting home page back to blank and restarting fixes the issue with home page button, but then the error still occurs randomly from time to time.

Last edited by john_dee (2019-11-16 16:28:50)

Offline

#47 2019-11-16 19:42:18

SensoRR
Member
Registered: 2019-11-14
Posts: 1

Re: [Solved] firefox-developer-edition blocks certain webseites

Happy to confirm that the issue was only caused by DigiCert SHA2 Secure Server CA on my end.
The suggestion from a thread above to edit the certificate's options and enabling "This certificate can identify websites" does stop this error from reappearing.

Offline

#48 2019-11-18 20:00:46

niingu
Member
Registered: 2019-06-22
Posts: 1

Re: [Solved] firefox-developer-edition blocks certain webseites

I successfully solved the issue by simply deleting the problematic certificate and restarting Firefox smile

Offline

#49 2019-11-21 14:10:55

Diaz
Member
From: Portugal
Registered: 2008-04-16
Posts: 366

Re: [Solved] firefox-developer-edition blocks certain webseites

I installed a new system arch + kde in the last 2 days and was getting the error randomly. Yesterday I just made sure that the timedatectl was syncronizing with ntp and after that it worked. I tried going in the certificate settings in the browser and but the flag people are talking about "enable certificate to sites" is already enabled.

Restarting the browser does not fix the issue.

So as of today this is still a problem not fixed.

I got another error today and after poking a little and looking into the manjaro forum I restarted systemd-timesyncd. Refreshed the browser and it is working ok now. But this seems pretty unstable.

Offline

#50 2019-11-21 15:17:15

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 24,812

Re: [Solved] firefox-developer-edition blocks certain webseites

Well you should setup time synchronisation regardless of whether you have this issue or not, and yes certificates can definitely be sensitive to wrong/skewed clocks here.

Offline

Board footer

Powered by FluxBB