You are not logged in.

#1 2019-06-13 09:32:49

sxe
Member
Registered: 2009-06-04
Posts: 101

[Solved] firefox-developer-edition blocks certain webseites

Hi,

since the update from firefox-developer-edition-68.0b8-1 to firefox-developer-edition-68.0b9-1 I can't access certain websites, like reddit.com for example.

I get a "Software is Preventing Firefox Developer Edition From Safely Connecting to This Site" (DigiCert Global Root CA) (MOZILLA_PKIX_ERROR_MITM_DETECTED) error and there is no way to add an exception.
It works again when I downgrade firefox but doing that I cannot use my normal firefox profile anymore, cause the "firefox version I am trying to use is too old, please create a new profile" which I don't want to do.

Is anyone else having this problem or any idea how to fix it?

Thanks in advance.

Cheers

Last edited by sxe (2019-06-16 15:08:29)

Offline

#2 2019-06-13 10:02:01

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 7,441

Re: [Solved] firefox-developer-edition blocks certain webseites

Are you behind some kind of https proxy ?

If not, is security.enterprise_roots.enabled set to true in nightly about:config ?
https://wiki.mozilla.org/CA:AddRootToFirefox


Multi-init booting with apg Openrc and systemd coexisting
Automounting : not needed, i prefer pmount
Aur helpers : makepkg + my own local repo === rarely need them

Offline

#3 2019-06-13 10:14:08

sxe
Member
Registered: 2009-06-04
Posts: 101

Re: [Solved] firefox-developer-edition blocks certain webseites

Hi Lone_Wolf, thx for the reply.

I am not behind a proxy, just a boring German home internet connection.

ecurity.enterprise_roots.enabled is not set to true. Did mozilla change anything with firefox with the last update so that would be necessary? As I said, the downgraded firefox version works as usual. I would try it but I am not exactly sure what the implications are exactly.

Cheers

Last edited by sxe (2019-06-13 10:14:17)

Offline

#4 2019-06-13 12:45:49

sxe
Member
Registered: 2009-06-04
Posts: 101

Re: [Solved] firefox-developer-edition blocks certain webseites

Well, not sure what exactly happened but without me doing anything it just works now.

Sorry if I have wasted your time mate.

Cheers

Offline

#5 2019-06-16 12:09:03

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 7,441

Re: [Solved] firefox-developer-edition blocks certain webseites

Not a waste, reading about that option refreshed my knowledge about the certificate system.
Please prepend [Solved] to the thread title.


Multi-init booting with apg Openrc and systemd coexisting
Automounting : not needed, i prefer pmount
Aur helpers : makepkg + my own local repo === rarely need them

Offline

#6 2019-08-12 20:05:01

leonardof
Member
Registered: 2008-09-05
Posts: 53

Re: [Solved] firefox-developer-edition blocks certain webseites

I get this error from time to time. Not sure what makes them appear. Fastmail.com and https://wiki.mozilla.org/CA:AddRootToFirefox are two afflicted sites, both with "DigiCert Global Root CA", is listed in /etc/ssl/certs/ca-certificates.crt

Offline

#7 2019-08-12 20:08:49

sxe
Member
Registered: 2009-06-04
Posts: 101

Re: [Solved] firefox-developer-edition blocks certain webseites

Yeah, it's still not gone for me either. Happens from time to time but resolve itself after a while. No idea what is happening.

Offline

#8 2019-10-24 14:38:57

Volunder
Member
Registered: 2012-12-01
Posts: 4

Re: [Solved] firefox-developer-edition blocks certain webseites

I too am seeing this on a regular basis. Chrome, OpenSSL and curl all accept the cert, and I've validated it's the same one Chrome is getting via SSLabs, so I know I'm not being MITMed. Always DigiCert, happening on two different computers.

It seems like if I restart Firefox half the time I get a session where it accepts the cert, half the time it won't, so the only solution is to keep restarting Firefox until it accepts the cert then don't close it for any reason.

If anyone has thoughts on how to troubleshoot that'd be great, because I'm stumped and it's annoying the hell out of me.

Offline

#9 2019-10-25 17:38:09

loqs
Member
Registered: 2014-03-06
Posts: 9,231

Re: [Solved] firefox-developer-edition blocks certain webseites

Volunder there is one change arch makes to p11-kit / nss that I believe is distribution unique and appears to no longer be need.

Please try rebuilding the package with the following changes:

p11-kit PKGBUILD.diff

diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
index a6aef56..ed60c6e 100644
--- a/trunk/PKGBUILD
+++ b/trunk/PKGBUILD
@@ -11,23 +11,11 @@ license=(BSD)
 depends=(glibc libtasn1 libffi systemd)
 makedepends=(gtk-doc git meson)
 install=p11-kit.install
-source=("git+https://github.com/p11-glue/p11-kit?signed#tag=$pkgver"
-        0001-Build-and-install-libnssckbi-p11-kit.so.patch)
-sha256sums=('SKIP'
-            'e832eece10587ac50ae42ca4515786b51e67fea0647716061e51cd94f5e058cd')
+source=("git+https://github.com/p11-glue/p11-kit?signed#tag=$pkgver")
+sha256sums=('SKIP')
 validpgpkeys=('C0F67099B808FB063E2C81117BFB1108D92765AF'  # Stef Walter
               '462225C3B46F34879FC8496CD605848ED7E69871') # Daiki Ueno
 
-prepare() {
-  cd p11-kit
-
-  # Build and install an additional library (libnssckbi-p11-kit.so) which
-  # is a copy of p11-kit-trust.so but uses the same label for root certs as
-  # libnssckbi.so ("Builtin Object Token" instead of "Default Trust")
-  # https://bugs.freedesktop.org/show_bug.cgi?id=66161
-  patch -Np1 -i ../0001-Build-and-install-libnssckbi-p11-kit.so.patch
-}
-
 build() {
   arch-meson p11-kit build \
     -D gtk_doc=true \

nss PKGBUILD.diff

diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
index 58fd592..3e77b8c 100644
--- a/trunk/PKGBUILD
+++ b/trunk/PKGBUILD
@@ -76,9 +76,6 @@ package_nss() {
   cd ../lib
   install -Dt "$pkgdir/usr/lib" *.so
   install -Dt "$pkgdir/usr/lib" -m644 *.chk
-
-  # Replace built-in trust with p11-kit connection
-  ln -sf libnssckbi-p11-kit.so "$pkgdir/usr/lib/libnssckbi.so"
 }

Offline

#10 2019-10-25 17:56:33

dpx
Member
Registered: 2017-01-09
Posts: 25

Re: [Solved] firefox-developer-edition blocks certain webseites

This is constant problem since firefox 70.0-1 update couple of days ago. Duckduckgo doesn't work at all, reddit works on and off, I have run into several other sites that don't work or work every n-th load... Please fix this guys.

Offline

#11 2019-10-25 18:03:15

loqs
Member
Registered: 2014-03-06
Posts: 9,231

Re: [Solved] firefox-developer-edition blocks certain webseites

dpx did you try my suggestion?

Offline

#12 2019-10-25 18:07:23

dpx
Member
Registered: 2017-01-09
Posts: 25

Re: [Solved] firefox-developer-edition blocks certain webseites

loqs wrote:

dpx did you try my suggestion?

Not yet, I will if there is nothing more official in form of update that brings everything back to normal. I am trying to figure out if this is something few of us experience or everybody? I mean all of use have ff + those stock packages, right?

Edit: probably obvious, but where are arch stock package pkgbuilds located? Where do I get original p11-kit and nss pkgbuilds to be able to patch them?

Last edited by dpx (2019-10-25 18:09:52)

Offline

#13 2019-10-25 18:53:16

hwkiller
Member
Registered: 2009-07-21
Posts: 56

Re: [Solved] firefox-developer-edition blocks certain webseites

dpx wrote:

This is constant problem since firefox 70.0-1 update couple of days ago. Duckduckgo doesn't work at all, reddit works on and off, I have run into several other sites that don't work or work every n-th load... Please fix this guys.


I'm having the exact same problem.
"DigiCert Global Root CA" is tripping firefox. Several websites stop working. If I reconnect and restart firefox, it seems to work fine. But it will inevitably break again.

Offline

#14 2019-10-26 09:01:02

dpx
Member
Registered: 2017-01-09
Posts: 25

Re: [Solved] firefox-developer-edition blocks certain webseites

I have temporarily installed firefox-developer-edition (currently it is 71.0b3-1) and everything is back to normal. Which means there is problem with current ff 70.0-1, not with any other package.

Offline

#15 2019-10-26 09:13:35

Slithery
Forum Moderator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 3,489

Re: [Solved] firefox-developer-edition blocks certain webseites

dpx wrote:

probably obvious, but where are arch stock package pkgbuilds located? Where do I get original p11-kit and nss pkgbuilds to be able to patch them?

https://wiki.archlinux.org/index.php/Ar … _using_Git


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Offline

#16 2019-10-27 22:34:43

linux_too_stronk
Member
Registered: 2019-01-14
Posts: 4

Re: [Solved] firefox-developer-edition blocks certain webseites

Faced this issue today on regular firefox. duckduckgo.com and even mozilla.org both signed by DigiCert SHA2 Secure Server CA refused to open. Inconsistent things that helped:

  • about:config -> changing default security.enterprise_roots.enabled false to security.enterprise_roots.enabled true, loading the page and then setting it back to false.

  • creating new firefox profile

Also, running firefox in a seperate network namespace which has a tunnel device (vpn) also helped which raises even more questions.

More info:

$ pacman -Qi ca-certificates ca-certificates-mozilla firefox p11-kit nss
Name            : ca-certificates
Version         : 20181109-1
Name            : ca-certificates-mozilla
Version         : 3.47-1
Name            : firefox
Version         : 70.0-1
Name            : p11-kit
Version         : 0.23.18.1-1
Name            : nss
Version         : 3.47-1

Offline

#17 2019-10-27 23:26:18

loqs
Member
Registered: 2014-03-06
Posts: 9,231

Re: [Solved] firefox-developer-edition blocks certain webseites

The following assumes base-devel devtools and git are installed

git clone git://git.archlinux.org/svntogit/packages.git --single-branch --branch "packages/p11-kit"
mv packages p11-kit
cd p11-kit/trunk
curl -o p11-kit.patch http://ix.io/201I
git apply p11-kit.patch
extra-x86_64-build
cd ../..
git clone git://git.archlinux.org/svntogit/packages.git --single-branch --branch "packages/nss"
mv packages nss
curl -o nss.patch http://ix.io/201K
git apply nss.patch
extra-x86_64-build -- -I ../../p11-kit/trunk/p11-kit-0.23.18.1-1-x86_64.pkg.tar.xz
cd ../..
# pacman -U p11-kit/trunk/p11-kit-0.23.18.1-1-x86_64.pkg.tar.xz nss/trunk/nss-3.47-1-x86_64.pkg.tar.xz

Offline

#18 2019-10-31 15:12:59

dpx
Member
Registered: 2017-01-09
Posts: 25

Re: [Solved] firefox-developer-edition blocks certain webseites

Update: couple of updates of firefox-developer-edition later it now happens on both regular firefox and in developer edition. What is the proper way to raise this to maintainers attention, it makes any flavor of firefox pretty impossible to use? Is it possible to be localized problem so maintainers don't see it?

Offline

#19 2019-10-31 15:16:53

loqs
Member
Registered: 2014-03-06
Posts: 9,231

Re: [Solved] firefox-developer-edition blocks certain webseites

https://wiki.archlinux.org/index.php/Bu … guidelines although I suggest rebuilding p11-kit / nss using post #17 to see if that is the cause first.

Offline

#20 2019-10-31 15:21:28

dpx
Member
Registered: 2017-01-09
Posts: 25

Re: [Solved] firefox-developer-edition blocks certain webseites

Thanks, it seems I will have to try building those two.

Offline

#21 2019-10-31 17:12:19

dpx
Member
Registered: 2017-01-09
Posts: 25

Re: [Solved] firefox-developer-edition blocks certain webseites

loqs wrote:

extra-x86_64-build

@logs: where does extra-x86_64-build come from? I have base-devel installed but can't find this command?

Offline

#22 2019-10-31 17:15:12

loqs
Member
Registered: 2014-03-06
Posts: 9,231

Re: [Solved] firefox-developer-edition blocks certain webseites

The devtools package.

Offline

#23 2019-10-31 17:16:08

Slithery
Forum Moderator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 3,489

Re: [Solved] firefox-developer-edition blocks certain webseites

slithery@red:~$ pacman -Fs extra-x86_64-build
extra/devtools 20171108-1
    usr/bin/extra-x86_64-build

No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Offline

#24 2019-10-31 19:15:40

progandy
Member
Registered: 2012-05-17
Posts: 3,594

Re: [Solved] firefox-developer-edition blocks certain webseites

There are three possible configurations for nss / p11-kit

- Symlink libnssckbi.so to libnssckbi-p11-kit.so (chosen by arch, patched version of p11-kit-trust.so)
- Symlink libnssckbi.so to pkcs11/p11-kit-trust.so (unpatched upstream)
- Use libnssckbi.so from nss. You lose the advantages of the system-wide trust store provided by p11-kit and can only rely on those compiled into the library.
https://p11-glue.github.io/p11-glue/p11 … odule.html

Firefox doesn't need the patched version anymore, though: https://bugzilla.mozilla.org/show_bug.cgi?id=880269

Last edited by progandy (2019-10-31 19:16:01)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#25 2019-11-01 16:28:51

gadget3000
Member
Registered: 2010-05-11
Posts: 23

Re: [Solved] firefox-developer-edition blocks certain webseites

Applying the changes that @loqs recommended works for me. I also tried not applying the change to nss, because @progandy suggested that would have downsides, but it caused issues for me.
I can't confirm if there are any side effects of these changes or whether it's the right solution, but it does get Firefox working again.

Offline

Board footer

Powered by FluxBB